]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
[master] renumber chapters now that the former chapter 5 is gone
authorEvan Hunt <each@isc.org>
Tue, 23 Jan 2018 17:52:04 +0000 (17:52 +0000)
committerEvan Hunt <each@isc.org>
Tue, 23 Jan 2018 17:52:04 +0000 (17:52 +0000)
53 files changed:
doc/arm/Bv9ARM-book.xml
doc/arm/Bv9ARM.ch01.html
doc/arm/Bv9ARM.ch02.html
doc/arm/Bv9ARM.ch03.html
doc/arm/Bv9ARM.ch04.html
doc/arm/Bv9ARM.ch05.html
doc/arm/Bv9ARM.ch06.html
doc/arm/Bv9ARM.ch07.html
doc/arm/Bv9ARM.ch08.html
doc/arm/Bv9ARM.ch09.html
doc/arm/Bv9ARM.ch10.html
doc/arm/Bv9ARM.ch11.html
doc/arm/Bv9ARM.ch12.html
doc/arm/Bv9ARM.ch13.html [deleted file]
doc/arm/Bv9ARM.html
doc/arm/Bv9ARM.pdf
doc/arm/man.arpaname.html
doc/arm/man.ddns-confgen.html
doc/arm/man.delv.html
doc/arm/man.dig.html
doc/arm/man.dnssec-cds.html
doc/arm/man.dnssec-checkds.html
doc/arm/man.dnssec-coverage.html
doc/arm/man.dnssec-dsfromkey.html
doc/arm/man.dnssec-importkey.html
doc/arm/man.dnssec-keyfromlabel.html
doc/arm/man.dnssec-keygen.html
doc/arm/man.dnssec-keymgr.html
doc/arm/man.dnssec-revoke.html
doc/arm/man.dnssec-settime.html
doc/arm/man.dnssec-signzone.html
doc/arm/man.dnssec-verify.html
doc/arm/man.dnstap-read.html
doc/arm/man.genrandom.html
doc/arm/man.host.html
doc/arm/man.mdig.html
doc/arm/man.named-checkconf.html
doc/arm/man.named-checkzone.html
doc/arm/man.named-journalprint.html
doc/arm/man.named-nzd2nzf.html
doc/arm/man.named-rrchecker.html
doc/arm/man.named.conf.html
doc/arm/man.named.html
doc/arm/man.nsec3hash.html
doc/arm/man.nslookup.html
doc/arm/man.nsupdate.html
doc/arm/man.pkcs11-destroy.html
doc/arm/man.pkcs11-keygen.html
doc/arm/man.pkcs11-list.html
doc/arm/man.pkcs11-tokens.html
doc/arm/man.rndc-confgen.html
doc/arm/man.rndc.conf.html
doc/arm/man.rndc.html

index 6fbab7b0c728f504b8367092528799b0aa5689c6..384eda73358f3ac986dc7bf06f66834380a4e718 100644 (file)
@@ -2455,7 +2455,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
     </section>
   </chapter>
 
-  <chapter xml:id="Bv9ARM.ch06"><info><title><acronym>BIND</acronym> 9 Configuration Reference</title></info>
+  <chapter xml:id="Bv9ARM.ch05"><info><title><acronym>BIND</acronym> 9 Configuration Reference</title></info>
 
     <para>
       <acronym>BIND</acronym> 9 configuration is broadly similar
@@ -16578,7 +16578,7 @@ HOST-127.EXAMPLE. MX 0 .
       </section>
 
     </chapter>
-    <chapter xml:id="Bv9ARM.ch07"><info><title><acronym>BIND</acronym> 9 Security Considerations</title></info>
+    <chapter xml:id="Bv9ARM.ch06"><info><title><acronym>BIND</acronym> 9 Security Considerations</title></info>
 
       <section xml:id="Access_Control_Lists"><info><title>Access Control Lists</title></info>
 
@@ -16902,7 +16902,7 @@ allow-query { !{ !10/8; any; }; key example; };
       </section>
     </chapter>
 
-    <chapter xml:id="Bv9ARM.ch08"><info><title>Troubleshooting</title></info>
+    <chapter xml:id="Bv9ARM.ch07"><info><title>Troubleshooting</title></info>
 
       <section xml:id="common_problems"><info><title>Common Problems</title></info>
 
@@ -16973,11 +16973,11 @@ allow-query { !{ !10/8; any; }; key example; };
       </section>
     </chapter>
 
-    <appendix xml:id="Bv9ARM.ch09"><info><title>Release Notes</title></info>
+    <appendix xml:id="Bv9ARM.ch08"><info><title>Release Notes</title></info>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes.xml"/>
     </appendix>
 
-    <appendix xml:id="Bv9ARM.ch10"><info><title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title></info>
+    <appendix xml:id="Bv9ARM.ch09"><info><title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title></info>
       <para xml:id="historical_dns_information">
        Although the "official" beginning of the Domain Name
        System occurred in 1984 with the publication of RFC 920, the
@@ -17075,7 +17075,7 @@ allow-query { !{ !10/8; any; }; key example; };
       </para>
     </appendix>
 
-    <appendix xml:id="Bv9ARM.ch11"><info><title>General <acronym>DNS</acronym> Reference Information</title></info>
+    <appendix xml:id="Bv9ARM.ch10"><info><title>General <acronym>DNS</acronym> Reference Information</title></info>
 
       <section xml:id="ipv6addresses"><info><title>IPv6 addresses (AAAA)</title></info>
 
@@ -17924,11 +17924,11 @@ allow-query { !{ !10/8; any; }; key example; };
       </section>
     </appendix>
 
-    <appendix xml:id="Bv9ARM.ch12"><info><title>BIND 9 DNS Library Support</title></info>
+    <appendix xml:id="Bv9ARM.ch11"><info><title>BIND 9 DNS Library Support</title></info>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libdns.xml"/>
     </appendix>
 
-    <reference xml:id="Bv9ARM.ch13"><info><title>Manual pages</title></info>
+    <reference xml:id="Bv9ARM.ch12"><info><title>Manual pages</title></info>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/tools/arpaname.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/confgen/ddns-confgen.docbook"/>
       <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../bin/delv/delv.docbook"/>
index 56e5c83b4eee62d833fcb8da45a02685db09489a..034c1908d8b54e8203be49dfcbf3ff5e4ba7da91 100644 (file)
@@ -75,7 +75,7 @@
         <acronym class="acronym">BIND</acronym> version 9 software package for
         system administrators.
       </p>
-      <p>This version of the manual corresponds to BIND version 9.13.</p>
+      <p>This version of the manual corresponds to BIND version 9.12.</p>
     </div>
 
     <div class="section">
           The data associated with each domain name is stored in the
           form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
           Some of the supported resource record types are described in
-          <a class="xref" href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.
+          <a class="xref" href="Bv9ARM.ch05.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.
         </p>
 
         <p>
           For more detailed information about the design of the DNS and
           the DNS protocol, please refer to the standards documents listed in
-          <a class="xref" href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.
+          <a class="xref" href="Bv9ARM.ch10.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.
         </p>
       </div>
 
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index c278dcc4831d411845c9aa67bf61cf2551825f4b..61eccb0eb949a32df38226456e20e38f5f3dc2a9 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index b501c829f2fadf5c5429e66e6e7b821b8440bb4d..cd2cf15c188616f34d634c0fa876cbf44108a2e2 100644 (file)
@@ -293,7 +293,7 @@ zone "eng.example.com" {
         For more detail on ordering responses, check the
         <span class="command"><strong>rrset-order</strong></span> sub-statement in the
         <span class="command"><strong>options</strong></span> statement, see
-        <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">RRset Ordering</a>.
+        <a class="xref" href="Bv9ARM.ch05.html#rrset_ordering" title="RRset Ordering">RRset Ordering</a>.
       </p>
 
     </div>
@@ -541,7 +541,7 @@ zone "eng.example.com" {
                   generated by
                   running <span class="command"><strong>rndc-confgen -a</strong></span> as
                   described in
-                  <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
+                  <a class="xref" href="Bv9ARM.ch05.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
           Usage&#8221;</a>.
                 </p>
 
@@ -759,6 +759,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 54b0d452042399a3178ba8dca1f96ee74d5a562c..d2c69d101c7bc499959035081a585f583e66bbb4 100644 (file)
@@ -14,7 +14,7 @@
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
-<link rel="next" href="Bv9ARM.ch06.html" title="Chapter 5. BIND 9 Configuration Reference">
+<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. BIND 9 Configuration Reference">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -24,7 +24,7 @@
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
 </td>
 </tr>
 </table>
       <p>
         For more information about <acronym class="acronym">DNS</acronym>
         <span class="command"><strong>NOTIFY</strong></span>, see the description of the
-        <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
+        <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
         the description of the zone option <span class="command"><strong>also-notify</strong></span> in
-        <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.  The <span class="command"><strong>NOTIFY</strong></span>
+        <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.  The <span class="command"><strong>NOTIFY</strong></span>
         protocol is specified in RFC 1996.
       </p>
 
         <strong class="userinput"><code>local</code></strong>, updates to the zone
         will be permitted for the key <code class="varname">local-ddns</code>,
         which will be generated by <span class="command"><strong>named</strong></span> at startup.
-        See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for more details.
+        See <a class="xref" href="Bv9ARM.ch05.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for more details.
       </p>
 
       <p>
         The incremental zone transfer (IXFR) protocol is a way for
         slave servers to transfer only changed data, instead of having to
         transfer the entire zone. The IXFR protocol is specified in RFC
-        1995. See <a class="xref" href="Bv9ARM.ch11.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
+        1995. See <a class="xref" href="Bv9ARM.ch10.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
       </p>
 
       <p>
@@ -769,7 +769,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
           <span class="command"><strong>host1-host2.</strong></span> key.
         </p>
         <p>
-          See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for a discussion of
+          See <a class="xref" href="Bv9ARM.ch05.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for a discussion of
           the more flexible <span class="command"><strong>update-policy</strong></span> statement.
         </p>
       </div>
@@ -1522,7 +1522,7 @@ options {
     maintain a trust anchor, configure the trust anchor using a
     <span class="command"><strong>managed-keys</strong></span> statement. Information about
     this can be found in
-    <a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Definition
+    <a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Definition
             and Usage&#8221;</a>.</p>
     
   </div>
@@ -2802,7 +2802,7 @@ allow-query.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN A
 
       <p>
         For an overview of the format and structure of IPv6 addresses,
-        see <a class="xref" href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
+        see <a class="xref" href="Bv9ARM.ch10.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
       </p>
 
       <div class="section">
@@ -2857,7 +2857,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
 </td>
 </tr>
 <tr>
@@ -2867,6 +2867,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 458c3d8f47d0c597a6761b97fe2b93e10d02a876..15eaaeefd1b6d253aa68740c9f97fd1955e0582b 100644 (file)
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - This Source Code Form is subject to the terms of the Mozilla Public
  - License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -9,17 +9,17 @@
 <html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 5. The BIND 9 Lightweight Resolver</title>
+<title>Chapter 5. BIND 9 Configuration Reference</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
-<link rel="next" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
+<link rel="next" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Security Considerations">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</th></tr>
+<tr><th colspan="3" align="center">Chapter 5. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
 </div>
 <div class="chapter">
 <div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch05"></a>Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</h1></div></div></div>
+<a name="Bv9ARM.ch05"></a>Chapter 5. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h1></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
-<dl class="toc"><dt><span class="section"><a href="Bv9ARM.ch05.html#lightweight_resolver">The Lightweight Resolver Library</a></span></dt></dl>
+<dl class="toc">
+<dt><span class="section"><a href="Bv9ARM.ch05.html#configuration_file_elements">Configuration File Elements</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#address_match_lists">Address Match Lists</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#comment_syntax">Comment Syntax</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#options"><span class="command"><strong>options</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and
+            Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
+            Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
+            and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
+            and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
+            Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_file">Zone File</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#mx_records">Discussion of MX Records</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#Setting_TTLs">Setting TTLs</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_directives">Other Zone File Directives</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#zonefile_format">Additional File Formats</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics">BIND9 Statistics</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#statsfile">The Statistics File</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_counters">Statistics Counters</a></span></dt>
+</dl></dd>
+</dl>
 </div>
 
+    <p>
+      <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
+      to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
+      areas
+      of configuration, such as views. <acronym class="acronym">BIND</acronym>
+      8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
+      9, although more complex configurations should be reviewed to check
+      if they can be more efficiently implemented using the new features
+      found in <acronym class="acronym">BIND</acronym> 9.
+    </p>
+
+    <p>
+      <acronym class="acronym">BIND</acronym> 4 configuration files can be
+      converted to the new format
+      using the shell script
+      <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
+    </p>
+    <div class="section">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
+
+      <p>
+        Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
+        file documentation:
+      </p>
+      <div class="informaltable">
+        <table border="1">
+<colgroup>
+<col width="1.855in" class="1">
+<col width="3.770in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                <p>
+                  <code class="varname">acl_name</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  The name of an <code class="varname">address_match_list</code> as
+                  defined by the <span class="command"><strong>acl</strong></span> statement.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">address_match_list</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A list of one or more
+                  <code class="varname">ip_addr</code>,
+                  <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
+                  or <code class="varname">acl_name</code> elements, see
+                  <a class="xref" href="Bv9ARM.ch05.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">masters_list</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A named list of one or more <code class="varname">ip_addr</code>
+                  with optional <code class="varname">key_id</code> and/or
+                  <code class="varname">ip_port</code>.
+                  A <code class="varname">masters_list</code> may include other
+                  <code class="varname">masters_lists</code>.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">domain_name</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A quoted string which will be used as
+                  a DNS name, for example "<code class="literal">my.test.domain</code>".
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">namelist</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A list of one or more <code class="varname">domain_name</code>
+                  elements.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">dotted_decimal</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  One to four integers valued 0 through
+                  255 separated by dots (`.'), such as <span class="command"><strong>123</strong></span>,
+                  <span class="command"><strong>45.67</strong></span> or <span class="command"><strong>89.123.45.67</strong></span>.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">ip4_addr</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  An IPv4 address with exactly four elements
+                  in <code class="varname">dotted_decimal</code> notation.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">ip6_addr</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  An IPv6 address, such as <span class="command"><strong>2001:db8::1234</strong></span>.
+                  IPv6 scoped addresses that have ambiguity on their
+                  scope zones must be disambiguated by an appropriate
+                  zone ID with the percent character (`%') as
+                  delimiter.  It is strongly recommended to use
+                  string zone names rather than numeric identifiers,
+                  in order to be robust against system configuration
+                  changes.  However, since there is no standard
+                  mapping for such names and identifier values,
+                  currently only interface names as link identifiers
+                  are supported, assuming one-to-one mapping between
+                  interfaces and links.  For example, a link-local
+                  address <span class="command"><strong>fe80::1</strong></span> on the link
+                  attached to the interface <span class="command"><strong>ne0</strong></span>
+                  can be specified as <span class="command"><strong>fe80::1%ne0</strong></span>.
+                  Note that on most systems link-local addresses
+                  always have the ambiguity, and need to be
+                  disambiguated.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">ip_addr</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">ip_dscp</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A <code class="varname">number</code> between 0 and 63, used
+                  to select a differentiated services code point (DSCP)
+                  value for use with outgoing traffic on operating systems
+                  that support DSCP.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">ip_port</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  An IP port <code class="varname">number</code>.
+                  The <code class="varname">number</code> is limited to 0
+                  through 65535, with values
+                  below 1024 typically restricted to use by processes running
+                  as root.
+                  In some cases, an asterisk (`*') character can be used as a
+                  placeholder to
+                  select a random high-numbered port.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">ip_prefix</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  An IP network specified as an <code class="varname">ip_addr</code>,
+                  followed by a slash (`/') and then the number of bits in the
+                  netmask.
+                  Trailing zeros in a <code class="varname">ip_addr</code>
+                  may omitted.
+                  For example, <span class="command"><strong>127/8</strong></span> is the
+                  network <span class="command"><strong>127.0.0.0</strong></span> with
+                  netmask <span class="command"><strong>255.0.0.0</strong></span> and <span class="command"><strong>1.2.3.0/28</strong></span> is
+                  network <span class="command"><strong>1.2.3.0</strong></span> with netmask <span class="command"><strong>255.255.255.240</strong></span>.
+                </p>
+                <p>
+                  When specifying a prefix involving a IPv6 scoped address
+                  the scope may be omitted.  In that case the prefix will
+                  match packets from any scope.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">key_id</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A <code class="varname">domain_name</code> representing
+                  the name of a shared key, to be used for transaction
+                  security.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">key_list</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A list of one or more
+                  <code class="varname">key_id</code>s,
+                  separated by semicolons and ending with a semicolon.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">number</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A non-negative 32-bit integer
+                  (i.e., a number between 0 and 4294967295, inclusive).
+                  Its acceptable value might be further
+                  limited by the context in which it is used.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">fixedpoint</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A non-negative real number that can be specified to
+                  the nearest one hundredth.  Up to five digits can be
+                  specified before a decimal point, and up to two
+                  digits after, so the maximum value is 99999.99.
+                  Acceptable values might be further limited by the
+                  context in which it is used.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">path_name</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A quoted string which will be used as
+                  a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">port_list</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A list of an <code class="varname">ip_port</code> or a port
+                  range.
+                  A port range is specified in the form of
+                  <strong class="userinput"><code>range</code></strong> followed by
+                  two <code class="varname">ip_port</code>s,
+                  <code class="varname">port_low</code> and
+                  <code class="varname">port_high</code>, which represents
+                  port numbers from <code class="varname">port_low</code> through
+                  <code class="varname">port_high</code>, inclusive.
+                  <code class="varname">port_low</code> must not be larger than
+                  <code class="varname">port_high</code>.
+                  For example,
+                  <strong class="userinput"><code>range 1024 65535</code></strong> represents
+                  ports from 1024 through 65535.
+                  In either case an asterisk (`*') character is not
+                  allowed as a valid <code class="varname">ip_port</code>.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">size_spec</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A 64-bit unsigned integer, or the keywords
+                  <strong class="userinput"><code>unlimited</code></strong> or
+                  <strong class="userinput"><code>default</code></strong>.
+                </p>
+                <p>
+                  Integers may take values
+                  0 &lt;= value &lt;= 18446744073709551615, though
+                  certain parameters
+                  (such as <span class="command"><strong>max-journal-size</strong></span>) may
+                  use a more limited range within these extremes.
+                  In most cases, setting a value to 0 does not
+                  literally mean zero; it means "undefined" or
+                  "as big as possible", depending on the context.
+                  See the explanations of particular parameters
+                  that use <code class="varname">size_spec</code>
+                  for details on how they interpret its use.
+                </p>
+                <p>
+                  Numeric values can optionally be followed by a
+                  scaling factor:
+                  <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
+                  for kilobytes,
+                  <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
+                  for megabytes, and
+                  <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
+                  for gigabytes, which scale by 1024, 1024*1024, and
+                  1024*1024*1024 respectively.
+                </p>
+                <p>
+                  <code class="varname">unlimited</code> generally means
+                  "as big as possible", and is usually the best
+                  way to safely set a very large number.
+                </p>
+                <p>
+                  <code class="varname">default</code>
+                  uses the limit that was in force when the server was started.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">size_or_percent</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="varname">size_spec</code> or integer value
+                  followed by '%' to represent percents.
+                </p>
+                <p>
+                  The behavior is exactly the same as
+                  <code class="varname">size_spec</code>, but
+                  <code class="varname">size_or_percent</code> allows also
+                  to specify a positive integer value followed by
+                  '%' sign to represent percents.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">yes_or_no</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
+                  The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
+                  also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
+                  and <strong class="userinput"><code>0</code></strong>.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">dialup_option</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  One of <strong class="userinput"><code>yes</code></strong>,
+                  <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
+                  <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
+                  <strong class="userinput"><code>passive</code></strong>.
+                  When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
+                  <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
+                  are restricted to slave and stub zones.
+                </p>
+              </td>
+</tr>
+</tbody>
+</table>
+      </div>
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.6.4.4.2"></a>Syntax</h4></div></div></div>
+
+<pre class="programlisting"><em class="replaceable"><code>address_match_list</code></em> = <em class="replaceable"><code>address_match_list_element</code></em> <span class="command"><strong>;</strong></span> ...
+
+<em class="replaceable"><code>address_match_list_element</code></em> = [ <span class="command"><strong>!</strong></span> ] ( <em class="replaceable"><code>ip_address</code></em> | <em class="replaceable"><code>ip_prefix</code></em> |
+     <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_id</code></em> | <em class="replaceable"><code>acl_name</code></em> | <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> )
+</pre>
+
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.6.4.4.3"></a>Definition and Usage</h4></div></div></div>
+
+          <p>
+            Address match lists are primarily used to determine access
+            control for various server operations. They are also used in
+            the <span class="command"><strong>listen-on</strong></span> and <span class="command"><strong>sortlist</strong></span>
+            statements. The elements which constitute an address match
+            list can be any of the following:
+          </p>
+          <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+              an IP address (IPv4 or IPv6)
+            </li>
+<li class="listitem">
+              an IP prefix (in `/' notation)
+            </li>
+<li class="listitem">
+              
+                a key ID, as defined by the <span class="command"><strong>key</strong></span>
+                statement
+              
+            </li>
+<li class="listitem">
+              the name of an address match list defined with
+                the <span class="command"><strong>acl</strong></span> statement
+              
+            </li>
+<li class="listitem">
+              a nested address match list enclosed in braces
+            </li>
+</ul></div>
+
+          <p>
+            Elements can be negated with a leading exclamation mark (`!'),
+            and the match list names "any", "none", "localhost", and
+            "localnets" are predefined. More information on those names
+            can be found in the description of the acl statement.
+          </p>
+
+          <p>
+            The addition of the key clause made the name of this syntactic
+            element something of a misnomer, since security keys can be used
+            to validate access without regard to a host or network address.
+            Nonetheless, the term "address match list" is still used
+            throughout the documentation.
+          </p>
+
+          <p>
+            When a given IP address or prefix is compared to an address
+            match list, the comparison takes place in approximately O(1)
+            time.  However, key comparisons require that the list of keys
+            be traversed until a matching key is found, and therefore may
+            be somewhat slower.
+          </p>
+
+          <p>
+            The interpretation of a match depends on whether the list is being
+            used for access control, defining <span class="command"><strong>listen-on</strong></span> ports, or in a
+            <span class="command"><strong>sortlist</strong></span>, and whether the element was negated.
+          </p>
+
+          <p>
+            When used as an access control list, a non-negated match
+            allows access and a negated match denies access. If
+            there is no match, access is denied. The clauses
+            <span class="command"><strong>allow-notify</strong></span>,
+            <span class="command"><strong>allow-recursion</strong></span>,
+            <span class="command"><strong>allow-recursion-on</strong></span>,
+            <span class="command"><strong>allow-query</strong></span>,
+            <span class="command"><strong>allow-query-on</strong></span>,
+            <span class="command"><strong>allow-query-cache</strong></span>,
+            <span class="command"><strong>allow-query-cache-on</strong></span>,
+            <span class="command"><strong>allow-transfer</strong></span>,
+            <span class="command"><strong>allow-update</strong></span>,
+            <span class="command"><strong>allow-update-forwarding</strong></span>,
+            <span class="command"><strong>blackhole</strong></span>, and
+            <span class="command"><strong>keep-response-order</strong></span> all use address match
+            lists.  Similarly, the <span class="command"><strong>listen-on</strong></span> option will cause the
+            server to refuse queries on any of the machine's
+            addresses which do not match the list.
+          </p>
+
+          <p>
+            Order of insertion is significant.  If more than one element
+            in an ACL is found to match a given IP address or prefix,
+            preference will be given to the one that came
+            <span class="emphasis"><em>first</em></span> in the ACL definition.
+            Because of this first-match behavior, an element that
+            defines a subset of another element in the list should
+            come before the broader element, regardless of whether
+            either is negated. For example, in
+            <span class="command"><strong>1.2.3/24; ! 1.2.3.13;</strong></span>
+            the 1.2.3.13 element is completely useless because the
+            algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
+            element.  Using <span class="command"><strong>! 1.2.3.13; 1.2.3/24</strong></span> fixes
+            that problem by having 1.2.3.13 blocked by the negation, but
+            all other 1.2.3.* hosts fall through.
+          </p>
+        </div>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="comment_syntax"></a>Comment Syntax</h3></div></div></div>
+
+        <p>
+          The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
+          comments to appear
+          anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
+          file. To appeal to programmers of all kinds, they can be written
+          in the C, C++, or shell/perl style.
+        </p>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.6.4.5.3"></a>Syntax</h4></div></div></div>
+
+          <p>
+            </p>
+<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
+<p>
+            </p>
+<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
+<p>
+            </p>
+<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
+# and perl</pre>
+<p>
+          </p>
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.6.4.5.4"></a>Definition and Usage</h4></div></div></div>
+
+          <p>
+            Comments may appear anywhere that whitespace may appear in
+            a <acronym class="acronym">BIND</acronym> configuration file.
+          </p>
+          <p>
+            C-style comments start with the two characters /* (slash,
+            star) and end with */ (star, slash). Because they are completely
+            delimited with these characters, they can be used to comment only
+            a portion of a line or to span multiple lines.
+          </p>
+          <p>
+            C-style comments cannot be nested. For example, the following
+            is not valid because the entire comment ends with the first */:
+          </p>
+          <p>
+
+</p>
+<pre class="programlisting">/* This is the start of a comment.
+   This is still part of the comment.
+/* This is an incorrect attempt at nesting a comment. */
+   This is no longer in any comment. */
+</pre>
+<p>
+
+          </p>
+
+          <p>
+            C++-style comments start with the two characters // (slash,
+            slash) and continue to the end of the physical line. They cannot
+            be continued across multiple physical lines; to have one logical
+            comment span multiple lines, each line must use the // pair.
+            For example:
+          </p>
+          <p>
+
+</p>
+<pre class="programlisting">// This is the start of a comment.  The next line
+// is a new comment, even though it is logically
+// part of the previous comment.
+</pre>
+<p>
+
+          </p>
+          <p>
+            Shell-style (or perl-style, if you prefer) comments start
+            with the character <code class="literal">#</code> (number sign)
+            and continue to the end of the
+            physical line, as in C++ comments.
+            For example:
+          </p>
+
+          <p>
+
+</p>
+<pre class="programlisting"># This is the start of a comment.  The next line
+# is a new comment, even though it is logically
+# part of the previous comment.
+</pre>
+<p>
+
+          </p>
+
+          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Warning</h3>
+            <p>
+              You cannot use the semicolon (`;') character
+              to start a comment such as you would in a zone file. The
+              semicolon indicates the end of a configuration
+              statement.
+            </p>
+          </div>
+        </div>
+      </div>
+    </div>
+
     <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="lightweight_resolver"></a>The Lightweight Resolver Library</h2></div></div></div>
+<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
 
       <p>
-        Traditionally applications have been linked with a stub resolver
-        library that sends recursive DNS queries to a local caching name
-        server.
+        A <acronym class="acronym">BIND</acronym> 9 configuration consists of
+        statements and comments.
+        Statements end with a semicolon. Statements and comments are the
+        only elements that can appear without enclosing braces. Many
+        statements contain a block of sub-statements, which are also
+        terminated with a semicolon.
       </p>
+
       <p>
-        IPv6 once introduced new complexity into the resolution process,
-        such as following A6 chains and DNAME records, and simultaneous
-        lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
-        then removed, these are hard or impossible
-        to implement in a traditional stub resolver.
+        The following statements are supported:
       </p>
+
+      <div class="informaltable">
+        <table border="1">
+<colgroup>
+<col width="1.336in" class="1">
+<col width="3.778in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                <p><span class="command"><strong>acl</strong></span></p>
+              </td>
+<td>
+                <p>
+                  defines a named IP address
+                  matching list, for access control and other uses.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>controls</strong></span></p>
+              </td>
+<td>
+                <p>
+                  declares control channels to be used
+                  by the <span class="command"><strong>rndc</strong></span> utility.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>include</strong></span></p>
+              </td>
+<td>
+                <p>
+                  includes a file.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>key</strong></span></p>
+              </td>
+<td>
+                <p>
+                  specifies key information for use in
+                  authentication and authorization using TSIG.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>logging</strong></span></p>
+              </td>
+<td>
+                <p>
+                  specifies what the server logs, and where
+                  the log messages are sent.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>masters</strong></span></p>
+              </td>
+<td>
+                <p>
+                  defines a named masters list for
+                  inclusion in stub and slave zones'
+                  <span class="command"><strong>masters</strong></span> or
+                  <span class="command"><strong>also-notify</strong></span> lists.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>options</strong></span></p>
+              </td>
+<td>
+                <p>
+                  controls global server configuration
+                  options and sets defaults for other statements.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>server</strong></span></p>
+              </td>
+<td>
+                <p>
+                  sets certain configuration options on
+                  a per-server basis.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>statistics-channels</strong></span></p>
+              </td>
+<td>
+                <p>
+                  declares communication channels to get access to
+                  <span class="command"><strong>named</strong></span> statistics.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>trusted-keys</strong></span></p>
+              </td>
+<td>
+                <p>
+                  defines trusted DNSSEC keys.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>managed-keys</strong></span></p>
+              </td>
+<td>
+                <p>
+                  lists DNSSEC keys to be kept up to date
+                  using RFC 5011 trust anchor maintenance.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>view</strong></span></p>
+              </td>
+<td>
+                <p>
+                  defines a view.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p><span class="command"><strong>zone</strong></span></p>
+              </td>
+<td>
+                <p>
+                  defines a zone.
+                </p>
+              </td>
+</tr>
+</tbody>
+</table>
+      </div>
+
       <p>
-        <acronym class="acronym">BIND</acronym> 9 therefore can also provide resolution
-        services to local clients
-        using a combination of a lightweight resolver library and a resolver
-        daemon process running on the local host.  These communicate using
-        a simple UDP-based protocol, the "lightweight resolver protocol"
-        that is distinct from and simpler than the full DNS protocol.
+        The <span class="command"><strong>logging</strong></span> and
+        <span class="command"><strong>options</strong></span> statements may only occur once
+        per
+        configuration.
       </p>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="acl_grammar"></a><span class="command"><strong>acl</strong></span> Statement Grammar</h3></div></div></div>
+        <pre class="programlisting">
+<span class="command"><strong>acl</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+</pre>
+      </div>
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="acl"></a><span class="command"><strong>acl</strong></span> Statement Definition and
+          Usage</h3></div></div></div>
+
+        <p>
+          The <span class="command"><strong>acl</strong></span> statement assigns a symbolic
+          name to an address match list. It gets its name from a primary
+          use of address match lists: Access Control Lists (ACLs).
+        </p>
+
+        <p>
+          The following ACLs are built-in:
+        </p>
+
+        <div class="informaltable">
+          <table border="1">
+<colgroup>
+<col width="1.130in" class="1">
+<col width="4.000in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                  <p><span class="command"><strong>any</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Matches all hosts.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p><span class="command"><strong>none</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Matches no hosts.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p><span class="command"><strong>localhost</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Matches the IPv4 and IPv6 addresses of all network
+                    interfaces on the system.  When addresses are
+                    added or removed, the <span class="command"><strong>localhost</strong></span>
+                    ACL element is updated to reflect the changes.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p><span class="command"><strong>localnets</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Matches any host on an IPv4 or IPv6 network
+                    for which the system has an interface.
+                    When addresses are added or removed,
+                    the <span class="command"><strong>localnets</strong></span>
+                    ACL element is updated to reflect the changes.
+                    Some systems do not provide a way to determine the prefix
+                    lengths of
+                    local IPv6 addresses.
+                    In such a case, <span class="command"><strong>localnets</strong></span>
+                    only matches the local
+                    IPv6 addresses, just like <span class="command"><strong>localhost</strong></span>.
+                  </p>
+                </td>
+</tr>
+</tbody>
+</table>
+        </div>
+      </div>
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="controls_grammar"></a><span class="command"><strong>controls</strong></span> Statement Grammar</h3></div></div></div>
+        <pre class="programlisting">
+<span class="command"><strong>controls</strong></span> {
+       <span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
+           * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] allow
+           { <em class="replaceable"><code>address_match_element</code></em>; ... } [
+           <span class="command"><strong>keys</strong></span> { <em class="replaceable"><code>string</code></em>; ... } ] [ read-only
+           <em class="replaceable"><code>boolean</code></em> ];
+       <span class="command"><strong>unix</strong></span> <em class="replaceable"><code>quoted_string</code></em> perm <em class="replaceable"><code>integer</code></em>
+           <span class="command"><strong>owner</strong></span> <em class="replaceable"><code>integer</code></em> group <em class="replaceable"><code>integer</code></em> [
+           <span class="command"><strong>keys</strong></span> { <em class="replaceable"><code>string</code></em>; ... } ] [ read-only
+           <em class="replaceable"><code>boolean</code></em> ];
+};
+</pre>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="controls_statement_definition_and_usage"></a><span class="command"><strong>controls</strong></span> Statement Definition and
+          Usage</h3></div></div></div>
+
+        <p>
+          The <span class="command"><strong>controls</strong></span> statement declares control
+          channels to be used by system administrators to control the
+          operation of the name server. These control channels are
+          used by the <span class="command"><strong>rndc</strong></span> utility to send
+          commands to and retrieve non-DNS results from a name server.
+        </p>
+
+        <p>
+          An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
+          listening at the specified <span class="command"><strong>ip_port</strong></span> on the
+          specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
+          address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
+          interpreted as the IPv4 wildcard address; connections will be
+          accepted on any of the system's IPv4 addresses.
+          To listen on the IPv6 wildcard address,
+          use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
+          If you will only use <span class="command"><strong>rndc</strong></span> on the local host,
+          using the loopback address (<code class="literal">127.0.0.1</code>
+          or <code class="literal">::1</code>) is recommended for maximum security.
+        </p>
+
+        <p>
+          If no port is specified, port 953 is used. The asterisk
+          "<code class="literal">*</code>" cannot be used for <span class="command"><strong>ip_port</strong></span>.
+        </p>
+
+        <p>
+          The ability to issue commands over the control channel is
+          restricted by the <span class="command"><strong>allow</strong></span> and
+          <span class="command"><strong>keys</strong></span> clauses.
+          Connections to the control channel are permitted based on the
+          <span class="command"><strong>address_match_list</strong></span>.  This is for simple
+          IP address based filtering only; any <span class="command"><strong>key_id</strong></span>
+          elements of the <span class="command"><strong>address_match_list</strong></span>
+          are ignored.
+        </p>
+
+        <p>
+          A <span class="command"><strong>unix</strong></span> control channel is a UNIX domain
+          socket listening at the specified path in the file system.
+          Access to the socket is specified by the <span class="command"><strong>perm</strong></span>,
+          <span class="command"><strong>owner</strong></span> and <span class="command"><strong>group</strong></span> clauses.
+          Note on some platforms (SunOS and Solaris) the permissions
+          (<span class="command"><strong>perm</strong></span>) are applied to the parent directory
+          as the permissions on the socket itself are ignored.
+        </p>
+
+        <p>
+          The primary authorization mechanism of the command
+          channel is the <span class="command"><strong>key_list</strong></span>, which
+          contains a list of <span class="command"><strong>key_id</strong></span>s.
+          Each <span class="command"><strong>key_id</strong></span> in the <span class="command"><strong>key_list</strong></span>
+          is authorized to execute commands over the control channel.
+          See <a class="xref" href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a class="xref" href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
+          for information about configuring keys in <span class="command"><strong>rndc</strong></span>.
+        </p>
+
+        <p>
+          If the <span class="command"><strong>read-only</strong></span> clause is enabled, the
+          control channel is limited to the following set of read-only
+          commands: <span class="command"><strong>nta -dump</strong></span>,
+          <span class="command"><strong>null</strong></span>, <span class="command"><strong>status</strong></span>,
+          <span class="command"><strong>showzone</strong></span>, <span class="command"><strong>testgen</strong></span>, and
+          <span class="command"><strong>zonestatus</strong></span>. By default,
+          <span class="command"><strong>read-only</strong></span> is not enabled and the control
+          channel allows read-write access.
+        </p>
+
+        <p>
+          If no <span class="command"><strong>controls</strong></span> statement is present,
+          <span class="command"><strong>named</strong></span> will set up a default
+          control channel listening on the loopback address 127.0.0.1
+          and its IPv6 counterpart ::1.
+          In this case, and also when the <span class="command"><strong>controls</strong></span> statement
+          is present but does not have a <span class="command"><strong>keys</strong></span> clause,
+          <span class="command"><strong>named</strong></span> will attempt to load the command channel key
+          from the file <code class="filename">rndc.key</code> in
+          <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
+          was specified as when <acronym class="acronym">BIND</acronym> was built).
+          To create a <code class="filename">rndc.key</code> file, run
+          <strong class="userinput"><code>rndc-confgen -a</code></strong>.
+        </p>
+
+        <p>
+          The <code class="filename">rndc.key</code> feature was created to
+          ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
+          which did not have digital signatures on its command channel
+          messages and thus did not have a <span class="command"><strong>keys</strong></span> clause.
+
+          It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
+          configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
+          and still have <span class="command"><strong>rndc</strong></span> work the same way
+          <span class="command"><strong>ndc</strong></span> worked in BIND 8, simply by executing the
+          command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
+          installed.
+        </p>
+
+        <p>
+          Since the <code class="filename">rndc.key</code> feature
+          is only intended to allow the backward-compatible usage of
+          <acronym class="acronym">BIND</acronym> 8 configuration files, this
+          feature does not
+          have a high degree of configurability.  You cannot easily change
+          the key name or the size of the secret, so you should make a
+          <code class="filename">rndc.conf</code> with your own key if you
+          wish to change
+          those things.  The <code class="filename">rndc.key</code> file
+          also has its
+          permissions set such that only the owner of the file (the user that
+          <span class="command"><strong>named</strong></span> is running as) can access it.
+          If you
+          desire greater flexibility in allowing other users to access
+          <span class="command"><strong>rndc</strong></span> commands, then you need to create
+          a
+          <code class="filename">rndc.conf</code> file and make it group
+          readable by a group
+          that contains the users who should have access.
+        </p>
+
+        <p>
+          To disable the command channel, use an empty
+          <span class="command"><strong>controls</strong></span> statement:
+          <span class="command"><strong>controls { };</strong></span>.
+        </p>
+
+      </div>
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="include_grammar"></a><span class="command"><strong>include</strong></span> Statement Grammar</h3></div></div></div>
+
+        <pre class="programlisting"><span class="command"><strong>include</strong></span> <em class="replaceable"><code>filename</code></em><span class="command"><strong>;</strong></span></pre>
+      </div>
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="include_statement"></a><span class="command"><strong>include</strong></span> Statement Definition and Usage</h3></div></div></div>
+
+        <p>
+          The <span class="command"><strong>include</strong></span> statement inserts the
+          specified file at the point where the <span class="command"><strong>include</strong></span>
+          statement is encountered. The <span class="command"><strong>include</strong></span>
+                statement facilitates the administration of configuration
+          files
+          by permitting the reading or writing of some things but not
+          others. For example, the statement could include private keys
+          that are readable only by the name server.
+        </p>
+
+      </div>
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="key_grammar"></a><span class="command"><strong>key</strong></span> Statement Grammar</h3></div></div></div>
+        <pre class="programlisting">
+<span class="command"><strong>key</strong></span> <em class="replaceable"><code>string</code></em> {
+       <span class="command"><strong>algorithm</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>secret</strong></span> <em class="replaceable"><code>string</code></em>;
+};
+</pre>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="key_statement"></a><span class="command"><strong>key</strong></span> Statement Definition and Usage</h3></div></div></div>
+
+        <p>
+          The <span class="command"><strong>key</strong></span> statement defines a shared
+          secret key for use with TSIG (see <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
+          or the command channel
+          (see <a class="xref" href="Bv9ARM.ch05.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
+          Usage&#8221;</a>).
+        </p>
+
+        <p>
+          The <span class="command"><strong>key</strong></span> statement can occur at the
+          top level
+          of the configuration file or inside a <span class="command"><strong>view</strong></span>
+          statement.  Keys defined in top-level <span class="command"><strong>key</strong></span>
+          statements can be used in all views.  Keys intended for use in
+          a <span class="command"><strong>controls</strong></span> statement
+          (see <a class="xref" href="Bv9ARM.ch05.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
+          Usage&#8221;</a>)
+          must be defined at the top level.
+        </p>
+
+        <p>
+          The <em class="replaceable"><code>key_id</code></em>, also known as the
+          key name, is a domain name uniquely identifying the key. It can
+          be used in a <span class="command"><strong>server</strong></span>
+          statement to cause requests sent to that
+          server to be signed with this key, or in address match lists to
+          verify that incoming requests have been signed with a key
+          matching this name, algorithm, and secret.
+        </p>
+
+        <p>
+          The <em class="replaceable"><code>algorithm_id</code></em> is a string
+          that specifies a security/authentication algorithm.  The
+          <span class="command"><strong>named</strong></span> server supports <code class="literal">hmac-md5</code>,
+          <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
+          <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
+          and <code class="literal">hmac-sha512</code> TSIG authentication.
+          Truncated hashes are supported by appending the minimum
+          number of required bits preceded by a dash, e.g.
+          <code class="literal">hmac-sha1-80</code>.  The
+          <em class="replaceable"><code>secret_string</code></em> is the secret
+          to be used by the algorithm, and is treated as a Base64
+          encoded string.
+        </p>
+
+      </div>
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="logging_grammar"></a><span class="command"><strong>logging</strong></span> Statement Grammar</h3></div></div></div>
+        <pre class="programlisting">
+<span class="command"><strong>logging</strong></span> {
+       <span class="command"><strong>category</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };
+       <span class="command"><strong>channel</strong></span> <em class="replaceable"><code>string</code></em> {
+               <span class="command"><strong>buffered</strong></span> <em class="replaceable"><code>boolean</code></em>;
+               <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em> [ versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) ]
+                   [ size <em class="replaceable"><code>size</code></em> ] [ suffix ( increment | timestamp ) ];
+               <span class="command"><strong>null</strong></span>;
+               <span class="command"><strong>print-category</strong></span> <em class="replaceable"><code>boolean</code></em>;
+               <span class="command"><strong>print-severity</strong></span> <em class="replaceable"><code>boolean</code></em>;
+               <span class="command"><strong>print-time</strong></span> ( iso8601 | iso8601-utc | local | <em class="replaceable"><code>boolean</code></em> );
+               <span class="command"><strong>severity</strong></span> <em class="replaceable"><code>log_severity</code></em>;
+               <span class="command"><strong>stderr</strong></span>;
+               <span class="command"><strong>syslog</strong></span> [ <em class="replaceable"><code>syslog_facility</code></em> ];
+       };
+};
+</pre>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="logging_statement"></a><span class="command"><strong>logging</strong></span> Statement Definition and Usage</h3></div></div></div>
+
+        <p>
+          The <span class="command"><strong>logging</strong></span> statement configures a
+          wide
+          variety of logging options for the name server. Its <span class="command"><strong>channel</strong></span> phrase
+          associates output methods, format options and severity levels with
+          a name that can then be used with the <span class="command"><strong>category</strong></span> phrase
+          to select how various classes of messages are logged.
+        </p>
+        <p>
+          Only one <span class="command"><strong>logging</strong></span> statement is used to
+          define
+          as many channels and categories as are wanted. If there is no <span class="command"><strong>logging</strong></span> statement,
+          the logging configuration will be:
+        </p>
+
+<pre class="programlisting">logging {
+     category default { default_syslog; default_debug; };
+     category unmatched { null; };
+};
+</pre>
+
+        <p>
+          If <span class="command"><strong>named</strong></span> is started with the
+          <code class="option">-L</code> option, it logs to the specified file
+          at startup, instead of using syslog. In this case the logging
+          configuration will be:
+        </p>
+
+<pre class="programlisting">logging {
+     category default { default_logfile; default_debug; };
+     category unmatched { null; };
+};
+</pre>
+
+        <p>
+          In <acronym class="acronym">BIND</acronym> 9, the logging configuration
+          is only established when
+          the entire configuration file has been parsed.  In <acronym class="acronym">BIND</acronym> 8, it was
+          established as soon as the <span class="command"><strong>logging</strong></span>
+          statement
+          was parsed. When the server is starting up, all logging messages
+          regarding syntax errors in the configuration file go to the default
+          channels, or to standard error if the <code class="option">-g</code> option
+          was specified.
+        </p>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="channel"></a>The <span class="command"><strong>channel</strong></span> Phrase</h4></div></div></div>
+
+          <p>
+            All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
+            you can make as many of them as you want.
+          </p>
+
+          <p>
+            Every channel definition must include a destination clause that
+            says whether messages selected for the channel go to a file, to a
+            particular syslog facility, to the standard error stream, or are
+            discarded. It can optionally also limit the message severity level
+            that will be accepted by the channel (the default is
+            <span class="command"><strong>info</strong></span>), and whether to include a
+            <span class="command"><strong>named</strong></span>-generated time stamp, the
+            category name
+            and/or severity level (the default is not to include any).
+          </p>
+
+          <p>
+            The <span class="command"><strong>null</strong></span> destination clause
+            causes all messages sent to the channel to be discarded;
+            in that case, other options for the channel are meaningless.
+          </p>
+
+          <p>
+            The <span class="command"><strong>file</strong></span> destination clause directs
+            the channel to a disk file.  It can include additional
+            arguments to specify how large the file is allowed to
+            become before it is rolled to a backup file
+            (<span class="command"><strong>size</strong></span>), how many backup versions of
+            the file will be saved each time this happens
+            (<span class="command"><strong>versions</strong></span>), and the format to use
+            for naming backup versions (<span class="command"><strong>suffix</strong></span>).
+          </p>
+
+          <p>
+            The <span class="command"><strong>size</strong></span> option is used to limit
+            log file growth. If the file ever exceeds the specified
+            size, then <span class="command"><strong>named</strong></span> will stop writing to the
+            file unless it has a <span class="command"><strong>versions</strong></span> option
+            associated with it. If backup versions are kept, the files
+            are rolled as described below.  If there is no
+            <span class="command"><strong>versions</strong></span> option, no more data will
+            be written to the log until some out-of-band mechanism
+            removes or truncates the log to less than the maximum size.
+            The default behavior is not to limit the size of the file.
+          </p>
+          <p>
+            File rolling only occurs when the file exceeds the size
+            specified with the <span class="command"><strong>size</strong></span> option. No
+            backup versions are kept by default; any existing
+            log file is simply appended.  The
+            <span class="command"><strong>versions</strong></span> option specifies
+            how many backup versions of the file should be kept.
+            If set to <code class="literal">unlimited</code>, there is no limit.
+          </p>
+          <p>
+            The <span class="command"><strong>suffix</strong></span> option can be set to
+            either <code class="literal">increment</code> or
+            <code class="literal">timestamp</code>.  If set to
+            <code class="literal">timestamp</code>, then when a log file is
+            rolled, it is saved with the current timestamp as a
+            file suffix. If set to <code class="literal">increment</code>,
+            then backup files are saved with incrementing numbers
+            as suffixes; older files are renamed when rolling.
+            For example, if <span class="command"><strong>versions</strong></span>
+            is set to 3 and <span class="command"><strong>suffix</strong></span> to
+            <code class="literal">increment</code>, then when
+            <code class="filename">filename.log</code> reaches the size
+            specified by <span class="command"><strong>size</strong></span>,
+            <code class="filename">filename.log.1</code> is renamed to
+            <code class="filename">filename.log.2</code>,
+            <code class="filename">filename.log.0</code> is renamed
+            to <code class="filename">filename.log.1</code>,
+            and <code class="filename">filename.log</code> is
+            renamed to <code class="filename">filename.log.0</code>,
+            whereupon a new <code class="filename">filename.log</code> is
+            opened.
+          </p>
+
+          <p>
+            Example usage of the <span class="command"><strong>size</strong></span>,
+            <span class="command"><strong>versions</strong></span>, and <span class="command"><strong>suffix</strong></span>
+            options:
+          </p>
+
+<pre class="programlisting">channel an_example_channel {
+    file "example.log" versions 3 size 20m suffix increment;
+    print-time yes;
+    print-category yes;
+};
+</pre>
+
+          <p>
+            The <span class="command"><strong>syslog</strong></span> destination clause
+            directs the
+            channel to the system log.  Its argument is a
+            syslog facility as described in the <span class="command"><strong>syslog</strong></span> man
+            page. Known facilities are <span class="command"><strong>kern</strong></span>, <span class="command"><strong>user</strong></span>,
+            <span class="command"><strong>mail</strong></span>, <span class="command"><strong>daemon</strong></span>, <span class="command"><strong>auth</strong></span>,
+            <span class="command"><strong>syslog</strong></span>, <span class="command"><strong>lpr</strong></span>, <span class="command"><strong>news</strong></span>,
+            <span class="command"><strong>uucp</strong></span>, <span class="command"><strong>cron</strong></span>, <span class="command"><strong>authpriv</strong></span>,
+            <span class="command"><strong>ftp</strong></span>, <span class="command"><strong>local0</strong></span>, <span class="command"><strong>local1</strong></span>,
+            <span class="command"><strong>local2</strong></span>, <span class="command"><strong>local3</strong></span>, <span class="command"><strong>local4</strong></span>,
+            <span class="command"><strong>local5</strong></span>, <span class="command"><strong>local6</strong></span> and
+            <span class="command"><strong>local7</strong></span>, however not all facilities
+            are supported on
+            all operating systems.
+            How <span class="command"><strong>syslog</strong></span> will handle messages
+            sent to
+            this facility is described in the <span class="command"><strong>syslog.conf</strong></span> man
+            page. If you have a system which uses a very old version of <span class="command"><strong>syslog</strong></span> that
+            only uses two arguments to the <span class="command"><strong>openlog()</strong></span> function,
+            then this clause is silently ignored.
+          </p>
+          <p>
+            On Windows machines syslog messages are directed to the EventViewer.
+          </p>
+          <p>
+            The <span class="command"><strong>severity</strong></span> clause works like <span class="command"><strong>syslog</strong></span>'s
+            "priorities", except that they can also be used if you are writing
+            straight to a file rather than using <span class="command"><strong>syslog</strong></span>.
+            Messages which are not at least of the severity level given will
+            not be selected for the channel; messages of higher severity
+            levels
+            will be accepted.
+          </p>
+          <p>
+            If you are using <span class="command"><strong>syslog</strong></span>, then the <span class="command"><strong>syslog.conf</strong></span> priorities
+            will also determine what eventually passes through. For example,
+            defining a channel facility and severity as <span class="command"><strong>daemon</strong></span> and <span class="command"><strong>debug</strong></span> but
+            only logging <span class="command"><strong>daemon.warning</strong></span> via <span class="command"><strong>syslog.conf</strong></span> will
+            cause messages of severity <span class="command"><strong>info</strong></span> and
+            <span class="command"><strong>notice</strong></span> to
+            be dropped. If the situation were reversed, with <span class="command"><strong>named</strong></span> writing
+            messages of only <span class="command"><strong>warning</strong></span> or higher,
+            then <span class="command"><strong>syslogd</strong></span> would
+            print all messages it received from the channel.
+          </p>
+
+          <p>
+            The <span class="command"><strong>stderr</strong></span> destination clause
+            directs the
+            channel to the server's standard error stream.  This is intended
+            for
+            use when the server is running as a foreground process, for
+            example
+            when debugging a configuration.
+          </p>
+
+          <p>
+            The server can supply extensive debugging information when
+            it is in debugging mode. If the server's global debug level is
+            greater
+            than zero, then debugging mode will be active. The global debug
+            level is set either by starting the <span class="command"><strong>named</strong></span> server
+            with the <code class="option">-d</code> flag followed by a positive integer,
+            or by running <span class="command"><strong>rndc trace</strong></span>.
+            The global debug level
+            can be set to zero, and debugging mode turned off, by running <span class="command"><strong>rndc
+notrace</strong></span>. All debugging messages in the server have a debug
+            level, and higher debug levels give more detailed output. Channels
+            that specify a specific debug severity, for example:
+          </p>
+
+<pre class="programlisting">channel specific_debug_level {
+    file "foo";
+    severity debug 3;
+};
+</pre>
+
+          <p>
+            will get debugging output of level 3 or less any time the
+            server is in debugging mode, regardless of the global debugging
+            level. Channels with <span class="command"><strong>dynamic</strong></span>
+            severity use the
+            server's global debug level to determine what messages to print.
+          </p>
+          <p>
+            <span class="command"><strong>print-time</strong></span> can be set to
+            <strong class="userinput"><code>yes</code></strong>, <strong class="userinput"><code>no</code></strong>,
+            or a time format specifier, which may be one of
+            <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
+            <strong class="userinput"><code>iso8601-utc</code></strong>.  If set to
+            <strong class="userinput"><code>no</code></strong>, then the date and time will
+            not be logged.  If set to <strong class="userinput"><code>yes</code></strong>
+            or <strong class="userinput"><code>local</code></strong>, the date and time are logged
+            in a human readable format, using the local time zone.
+            If set to <strong class="userinput"><code>iso8601</code></strong> the local time is
+            logged in ISO8601 format.  If set to
+            <strong class="userinput"><code>iso8601-utc</code></strong>, then the date and time
+            are logged in ISO8601 format, with time zone set to
+            UTC. The default is <strong class="userinput"><code>no</code></strong>.
+          </p>
+          <p>
+            <span class="command"><strong>print-time</strong></span> may
+            be specified for a <span class="command"><strong>syslog</strong></span> channel,
+            but it is usually
+            pointless since <span class="command"><strong>syslog</strong></span> also logs
+            the date and time.
+          </p>
+          <p>
+            If <span class="command"><strong>print-category</strong></span> is
+            requested, then the
+            category of the message will be logged as well. Finally, if <span class="command"><strong>print-severity</strong></span> is
+            on, then the severity level of the message will be logged. The <span class="command"><strong>print-</strong></span> options may
+            be used in any combination, and will always be printed in the
+            following
+            order: time, category, severity. Here is an example where all
+            three <span class="command"><strong>print-</strong></span> options
+            are on:
+          </p>
+
+          <p>
+            <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
+          </p>
+
+          <p>
+            If <span class="command"><strong>buffered</strong></span> has been turned on the output
+            to files will not be flushed after each log entry.  By default
+            all log messages are flushed.
+          </p>
+
+          <p>
+            There are four predefined channels that are used for
+            <span class="command"><strong>named</strong></span>'s default logging as follows.
+            If <span class="command"><strong>named</strong></span> is started with the
+            <code class="option">-L</code> then a
+            fifth channel <span class="command"><strong>default_logfile</strong></span> is added.
+            How they are
+            used is described in <a class="xref" href="Bv9ARM.ch05.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span class="command"><strong>category</strong></span> Phrase&#8221;</a>.
+          </p>
+
+<pre class="programlisting">channel default_syslog {
+    // send to syslog's daemon facility
+    syslog daemon;
+    // only send priority info and higher
+    severity info;
+
+channel default_debug {
+    // write to named.run in the working directory
+    // Note: stderr is used instead of "named.run" if
+    // the server is started with the '-g' option.
+    file "named.run";
+    // log at the server's current debug level
+    severity dynamic;
+};
+
+channel default_stderr {
+    // writes to stderr
+    stderr;
+    // only send priority info and higher
+    severity info;
+};
+
+channel null {
+   // toss anything sent to this channel
+   null;
+};
+
+channel default_logfile {
+    // this channel is only present if named is
+    // started with the -L option, whose argument
+    // provides the file name
+    file "...";
+    // log at the server's current debug level
+    severity dynamic;
+};
+</pre>
+
+          <p>
+            The <span class="command"><strong>default_debug</strong></span> channel has the
+            special
+            property that it only produces output when the server's debug
+            level is
+            nonzero.  It normally writes to a file called <code class="filename">named.run</code>
+            in the server's working directory.
+          </p>
+
+          <p>
+            For security reasons, when the <code class="option">-u</code>
+            command line option is used, the <code class="filename">named.run</code> file
+            is created only after <span class="command"><strong>named</strong></span> has
+            changed to the
+            new UID, and any debug output generated while <span class="command"><strong>named</strong></span> is
+            starting up and still running as root is discarded.  If you need
+            to capture this output, you must run the server with the <code class="option">-L</code>
+            option to specify a default logfile, or the <code class="option">-g</code>
+            option to log to standard error which you can redirect to a file.
+          </p>
+
+          <p>
+            Once a channel is defined, it cannot be redefined. Thus you
+            cannot alter the built-in channels directly, but you can modify
+            the default logging by pointing categories at channels you have
+            defined.
+          </p>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="the_category_phrase"></a>The <span class="command"><strong>category</strong></span> Phrase</h4></div></div></div>
+
+          <p>
+            There are many categories, so you can send the logs you want
+            to see wherever you want, without seeing logs you don't want. If
+            you don't specify a list of channels for a category, then log
+            messages
+            in that category will be sent to the <span class="command"><strong>default</strong></span> category
+            instead. If you don't specify a default category, the following
+            "default default" is used:
+          </p>
+
+<pre class="programlisting">category default { default_syslog; default_debug; };
+</pre>
+
+          <p>
+            If you start <span class="command"><strong>named</strong></span> with the
+            <code class="option">-L</code> option then the default category is:
+          </p>
+
+<pre class="programlisting">category default { default_logfile; default_debug; };
+</pre>
+
+          <p>
+            As an example, let's say you want to log security events to
+            a file, but you also want keep the default logging behavior. You'd
+            specify the following:
+          </p>
+
+<pre class="programlisting">channel my_security_channel {
+    file "my_security_file";
+    severity info;
+};
+category security {
+    my_security_channel;
+    default_syslog;
+    default_debug;
+};</pre>
+
+          <p>
+            To discard all messages in a category, specify the <span class="command"><strong>null</strong></span> channel:
+          </p>
+
+<pre class="programlisting">category xfer-out { null; };
+category notify { null; };
+</pre>
+
+          <p>
+            Following are the available categories and brief descriptions
+            of the types of log information they contain. More
+            categories may be added in future <acronym class="acronym">BIND</acronym> releases.
+          </p>
+          <div class="informaltable">
+  <table border="1">
+<colgroup>
+<col width="1.150in" class="1">
+<col width="3.350in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+         <p><span class="command"><strong>client</strong></span></p>
+       </td>
+<td>
+         <p>
+           Processing of client requests.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>cname</strong></span></p>
+       </td>
+<td>
+         <p>
+           Logs nameservers that are skipped due to them being
+           a CNAME rather than A / AAAA records.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>config</strong></span></p>
+       </td>
+<td>
+         <p>
+           Configuration file parsing and processing.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>database</strong></span></p>
+       </td>
+<td>
+         <p>
+           Messages relating to the databases used
+           internally by the name server to store zone and cache
+           data.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>default</strong></span></p>
+       </td>
+<td>
+         <p>
+           The default category defines the logging
+           options for those categories where no specific
+           configuration has been
+           defined.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>delegation-only</strong></span></p>
+       </td>
+<td>
+         <p>
+           Delegation only.  Logs queries that have been
+           forced to NXDOMAIN as the result of a
+           delegation-only zone or a
+           <span class="command"><strong>delegation-only</strong></span> in a
+           forward, hint or stub zone declaration.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>dispatch</strong></span></p>
+       </td>
+<td>
+         <p>
+           Dispatching of incoming packets to the
+           server modules where they are to be processed.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>dnssec</strong></span></p>
+       </td>
+<td>
+         <p>
+           DNSSEC and TSIG protocol processing.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>dnstap</strong></span></p>
+       </td>
+<td>
+         <p>
+           The "dnstap" DNS traffic capture system.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>edns-disabled</strong></span></p>
+       </td>
+<td>
+         <p>
+           Log queries that have been forced to use plain
+           DNS due to timeouts.  This is often due to
+           the remote servers not being RFC 1034 compliant
+           (not always returning FORMERR or similar to
+           EDNS queries and other extensions to the DNS
+           when they are not understood).  In other words, this is
+           targeted at servers that fail to respond to
+           DNS queries that they don't understand.
+         </p>
+         <p>
+           Note: the log message can also be due to
+           packet loss.  Before reporting servers for
+           non-RFC 1034 compliance they should be re-tested
+           to determine the nature of the non-compliance.
+           This testing should prevent or reduce the
+           number of false-positive reports.
+         </p>
+         <p>
+           Note: eventually <span class="command"><strong>named</strong></span> will have to stop
+           treating such timeouts as due to RFC 1034 non
+           compliance and start treating it as plain
+           packet loss.  Falsely classifying packet
+           loss as due to RFC 1034 non compliance impacts
+           on DNSSEC validation which requires EDNS for
+           the DNSSEC records to be returned.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>general</strong></span></p>
+       </td>
+<td>
+         <p>
+           The catch-all. Many things still aren't
+           classified into categories, and they all end up here.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>lame-servers</strong></span></p>
+       </td>
+<td>
+         <p>
+           Lame servers.  These are misconfigurations
+           in remote servers, discovered by BIND 9 when trying to
+           query those servers during resolution.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>network</strong></span></p>
+       </td>
+<td>
+         <p>
+           Network operations.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>notify</strong></span></p>
+       </td>
+<td>
+         <p>
+           The NOTIFY protocol.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>queries</strong></span></p>
+       </td>
+<td>
+         <p>
+           Specify where queries should be logged to.
+         </p>
+         <p>
+           At startup, specifying the category <span class="command"><strong>queries</strong></span> will also
+           enable query logging unless <span class="command"><strong>querylog</strong></span> option has been
+           specified.
+         </p>
+
+         <p>
+           The query log entry first reports a client object
+           identifier in @0x&lt;hexadecimal-number&gt;
+           format. Next, it reports the client's IP
+           address and port number, and the query name,
+           class and type.  Next, it reports whether the
+           Recursion Desired flag was set (+ if set, -
+           if not set), whether the query was signed (S),
+           whether EDNS was in use along with the EDNS version
+           number (E(#)), whether TCP was used (T), whether
+           DO (DNSSEC Ok) was set (D), whether CD (Checking
+           Disabled) was set (C), whether a valid DNS Server
+           COOKIE was received (V), and whether a DNS
+           COOKIE option without a valid Server COOKIE was
+           present (K).  After this the destination
+           address the query was sent to is reported.
+           Finally, if any CLIENT-SUBNET option
+           was present in the client query, it is
+           included in square brackets in the format
+           [ECS <em class="replaceable"><code>address/source/scope</code></em>].
+         </p>
+
+         <p>
+           <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
+         </p>
+         <p>
+           <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
+         </p>
+         <p>
+           (The first part of this log message, showing the
+           client address/port number and query name, is
+           repeated in all subsequent log messages related
+           to the same query.)
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>query-errors</strong></span></p>
+       </td>
+<td>
+         <p>
+           Information about queries that resulted in some
+           failure.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>rate-limit</strong></span></p>
+       </td>
+<td>
+         <p>
+           The start, periodic, and final notices of the
+           rate limiting of a stream of responses are logged at
+           <span class="command"><strong>info</strong></span> severity in this category.
+           These messages include a hash value of the domain name
+           of the response and the name itself,
+           except when there is insufficient memory to record
+           the name for the final notice
+           The final notice is normally delayed until about one
+           minute after rate limit stops.
+           A lack of memory can hurry the final notice,
+           in which case it starts with an asterisk (*).
+           Various internal events are logged at debug 1 level
+           and higher.
+         </p>
+         <p>
+           Rate limiting of individual requests
+           is logged in the <span class="command"><strong>query-errors</strong></span> category.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>resolver</strong></span></p>
+       </td>
+<td>
+         <p>
+           DNS resolution, such as the recursive
+           lookups performed on behalf of clients by a caching name
+           server.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>rpz</strong></span></p>
+       </td>
+<td>
+         <p>
+           Information about errors in response policy zone files,
+           rewritten responses, and at the highest
+           <span class="command"><strong>debug</strong></span> levels, mere rewriting
+           attempts.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>security</strong></span></p>
+       </td>
+<td>
+         <p>
+           Approval and denial of requests.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>spill</strong></span></p>
+       </td>
+<td>
+         <p>
+           Logs queries that have been terminated, either by dropping
+           or responding with SERVFAIL, as a result of a fetchlimit
+           quota being exceeded.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>trust-anchor-telemetry</strong></span></p>
+       </td>
+<td>
+         <p>
+           Logs trust-anchor-telemetry requests received by named.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>unmatched</strong></span></p>
+       </td>
+<td>
+         <p>
+           Messages that <span class="command"><strong>named</strong></span> was unable to determine the
+           class of or for which there was no matching <span class="command"><strong>view</strong></span>.
+           A one line summary is also logged to the <span class="command"><strong>client</strong></span> category.
+           This category is best sent to a file or stderr, by
+           default it is sent to
+           the <span class="command"><strong>null</strong></span> channel.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>update</strong></span></p>
+       </td>
+<td>
+         <p>
+           Dynamic updates.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>update-security</strong></span></p>
+       </td>
+<td>
+         <p>
+           Approval and denial of update requests.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>xfer-in</strong></span></p>
+       </td>
+<td>
+         <p>
+           Zone transfers the server is receiving.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>xfer-out</strong></span></p>
+       </td>
+<td>
+         <p>
+           Zone transfers the server is sending.
+         </p>
+       </td>
+</tr>
+<tr>
+<td>
+         <p><span class="command"><strong>zoneload</strong></span></p>
+       </td>
+<td>
+         <p>
+           Loading of zones and creation of automatic empty zones.
+         </p>
+       </td>
+</tr>
+</tbody>
+</table>
+</div>
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="query_errors"></a>The <span class="command"><strong>query-errors</strong></span> Category</h4></div></div></div>
+          <p>
+            The <span class="command"><strong>query-errors</strong></span> category is
+            specifically intended for debugging purposes: To identify
+            why and how specific queries result in responses which
+            indicate an error.
+            Messages of this category are therefore only logged
+            with <span class="command"><strong>debug</strong></span> levels.
+          </p>
+
+          <p>
+            At the debug levels of 1 or higher, each response with the
+            rcode of SERVFAIL is logged as follows:
+          </p>
+          <p>
+            <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
+          </p>
+          <p>
+            This means an error resulting in SERVFAIL was
+            detected at line 3880 of source file
+            <code class="filename">query.c</code>.
+            Log messages of this level will particularly
+            help identify the cause of SERVFAIL for an
+            authoritative server.
+          </p>
+          <p>
+            At the debug levels of 2 or higher, detailed context
+            information of recursive resolutions that resulted in
+            SERVFAIL is logged.
+            The log message will look like as follows:
+          </p>
+          <p>
+
+            </p>
+<pre class="programlisting">
+fetch completed at resolver.c:2970 for www.example.com/A
+in 30.000183: timed out/success [domain:example.com,
+referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
+badresp:1,adberr:0,findfail:0,valfail:0]
+            </pre>
+<p>
+          </p>
+          <p>
+            The first part before the colon shows that a recursive
+            resolution for AAAA records of www.example.com completed
+            in 30.000183 seconds and the final result that led to the
+            SERVFAIL was determined at line 2970 of source file
+            <code class="filename">resolver.c</code>.
+          </p>
+          <p>
+            The following part shows the detected final result and the
+            latest result of DNSSEC validation.
+            The latter is always success when no validation attempt
+            is made.
+            In this example, this query resulted in SERVFAIL probably
+            because all name servers are down or unreachable, leading
+            to a timeout in 30 seconds.
+            DNSSEC validation was probably not attempted.
+          </p>
+          <p>
+            The last part enclosed in square brackets shows statistics
+            information collected for this particular resolution
+            attempt.
+            The <code class="varname">domain</code> field shows the deepest zone
+            that the resolver reached;
+            it is the zone where the error was finally detected.
+            The meaning of the other fields is summarized in the
+            following table.
+          </p>
+
+          <div class="informaltable">
+            <table border="1">
+<colgroup>
+<col width="1.150in" class="1">
+<col width="3.350in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                    <p><code class="varname">referral</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of referrals the resolver received
+                      throughout the resolution process.
+                      In the above example this is 2, which are most
+                      likely com and example.com.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">restart</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of cycles that the resolver tried
+                      remote servers at the <code class="varname">domain</code>
+                      zone.
+                      In each cycle the resolver sends one query
+                      (possibly resending it, depending on the response)
+                      to each known name server of
+                      the <code class="varname">domain</code> zone.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">qrysent</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of queries the resolver sent at the
+                      <code class="varname">domain</code> zone.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">timeout</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of timeouts since the resolver
+                      received the last response.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">lame</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of lame servers the resolver detected
+                      at the <code class="varname">domain</code> zone.
+                      A server is detected to be lame either by an
+                      invalid response or as a result of lookup in
+                      BIND9's address database (ADB), where lame
+                      servers are cached.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">neterr</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of erroneous results that the
+                      resolver encountered in sending queries
+                      at the <code class="varname">domain</code> zone.
+                      One common case is the remote server is
+                      unreachable and the resolver receives an ICMP
+                      unreachable error message.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">badresp</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of unexpected responses (other than
+                      <code class="varname">lame</code>) to queries sent by the
+                      resolver at the <code class="varname">domain</code> zone.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">adberr</code></p>
+                  </td>
+<td>
+                    <p>
+                      Failures in finding remote server addresses
+                      of the <code class="varname">domain</code> zone in the ADB.
+                      One common case of this is that the remote
+                      server's name does not have any address records.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">findfail</code></p>
+                  </td>
+<td>
+                    <p>
+                      Failures of resolving remote server addresses.
+                      This is a total number of failures throughout
+                      the resolution process.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">valfail</code></p>
+                  </td>
+<td>
+                    <p>
+                      Failures of DNSSEC validation.
+                      Validation failures are counted throughout
+                      the resolution process (not limited to
+                      the <code class="varname">domain</code> zone), but should
+                      only happen in <code class="varname">domain</code>.
+                    </p>
+                  </td>
+</tr>
+</tbody>
+</table>
+          </div>
+          <p>
+            At the debug levels of 3 or higher, the same messages
+            as those at the debug 1 level are logged for other errors
+            than SERVFAIL.
+            Note that negative responses such as NXDOMAIN are not
+            regarded as errors here.
+          </p>
+          <p>
+            At the debug levels of 4 or higher, the same messages
+            as those at the debug 2 level are logged for other errors
+            than SERVFAIL.
+            Unlike the above case of level 3, messages are logged for
+            negative responses.
+            This is because any unexpected results can be difficult to
+            debug in the recursion case.
+          </p>
+        </div>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="masters_grammar"></a><span class="command"><strong>masters</strong></span> Statement Grammar</h3></div></div></div>
+        <pre class="programlisting">
+<span class="command"><strong>masters</strong></span> <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
+    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [
+    <span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port
+    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+</pre>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="masters_statement"></a><span class="command"><strong>masters</strong></span> Statement Definition and
+          Usage</h3></div></div></div>
+
+        <p><span class="command"><strong>masters</strong></span>
+          lists allow for a common set of masters to be easily used by
+          multiple stub and slave zones in their <span class="command"><strong>masters</strong></span>
+          or <span class="command"><strong>also-notify</strong></span> lists.
+        </p>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="options_grammar"></a><span class="command"><strong>options</strong></span> Statement Grammar</h3></div></div></div>
+
+        <p>
+          This is the grammar of the <span class="command"><strong>options</strong></span>
+          statement in the <code class="filename">named.conf</code> file:
+        </p>
+        <pre class="programlisting">
+<span class="command"><strong>options</strong></span> {
+       <span class="command"><strong>allow-new-zones</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>allow-notify</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-query-cache</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-query-cache-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-recursion</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-recursion-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-transfer</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-update</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-update-forwarding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>also-notify</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |
+           <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port
+           <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+       <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )
+           ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |
+           * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>attach-cache</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>auth-nxdomain</strong></span> <em class="replaceable"><code>boolean</code></em>; // default changed
+       <span class="command"><strong>auto-dnssec</strong></span> ( allow | maintain | off );
+       <span class="command"><strong>automatic-interface-scan</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>avoid-v4-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
+       <span class="command"><strong>avoid-v6-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
+       <span class="command"><strong>bindkeys-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>blackhole</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>cache-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>catalog-zones</strong></span> { zone <em class="replaceable"><code>quoted_string</code></em> [ default-masters [ port
+           <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [
+           <span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key
+           <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [
+           <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };
+       <span class="command"><strong>check-dup-records</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>check-mx</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>check-mx-cname</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>check-names</strong></span> ( primary | master |
+           <span class="command"><strong>secondary</strong></span> | slave | response ) (
+           <span class="command"><strong>fail</strong></span> | warn | ignore );
+       <span class="command"><strong>check-sibling</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>check-spf</strong></span> ( warn | ignore );
+       <span class="command"><strong>check-srv-cname</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>cleaning-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>cookie-algorithm</strong></span> ( aes | sha1 | sha256 );
+       <span class="command"><strong>cookie-secret</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>coresize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+       <span class="command"><strong>datasize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+       <span class="command"><strong>deny-answer-addresses</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } [
+           <span class="command"><strong>except-from</strong></span> { <em class="replaceable"><code>quoted_string</code></em>; ... } ];
+       <span class="command"><strong>deny-answer-aliases</strong></span> { <em class="replaceable"><code>quoted_string</code></em>; ... } [ except-from {
+           <em class="replaceable"><code>quoted_string</code></em>; ... } ];
+       <span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>disable-algorithms</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;
+           ... };
+       <span class="command"><strong>disable-ds-digests</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;
+           ... };
+       <span class="command"><strong>disable-empty-zone</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>dns64</strong></span> <em class="replaceable"><code>netprefix</code></em> {
+               <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em>;
+               <span class="command"><strong>clients</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+               <span class="command"><strong>exclude</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+               <span class="command"><strong>mapped</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+               <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+               <span class="command"><strong>suffix</strong></span> <em class="replaceable"><code>ipv6_address</code></em>;
+       };
+       <span class="command"><strong>dns64-contact</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>dns64-server</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dnsrps-options</strong></span> { <em class="replaceable"><code>unspecified-text</code></em> };
+       <span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dnssec-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em> trust-anchor
+           <em class="replaceable"><code>string</code></em> | auto | no );
+       <span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
+       <span class="command"><strong>dnssec-validation</strong></span> ( yes | no | auto );
+       <span class="command"><strong>dnstap</strong></span> { ( all | auth | client | forwarder |
+           <span class="command"><strong>resolver</strong></span> ) [ ( query | response ) ]; ... };
+       <span class="command"><strong>dnstap-identity</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none |
+           <span class="command"><strong>hostname</strong></span> );
+       <span class="command"><strong>dnstap-output</strong></span> ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [
+           <span class="command"><strong>size</strong></span> ( unlimited | <em class="replaceable"><code>size</code></em> ) ] [ versions (
+           <span class="command"><strong>unlimited</strong></span> | <em class="replaceable"><code>integer</code></em> ) ] [ suffix ( increment
+           | timestamp ) ];
+       <span class="command"><strong>dnstap-version</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+       <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>dual-stack-servers</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>quoted_string</code></em> [ port
+           <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv4_address</code></em> [ port
+           <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port
+           <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] ); ... };
+       <span class="command"><strong>dump-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>edns-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>empty-contact</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>empty-server</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>empty-zones-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>fetch-quota-params</strong></span> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;
+       <span class="command"><strong>fetches-per-server</strong></span> <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];
+       <span class="command"><strong>fetches-per-zone</strong></span> <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];
+       <span class="command"><strong>files</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+       <span class="command"><strong>filter-aaaa</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>filter-aaaa-on-v4</strong></span> ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>filter-aaaa-on-v6</strong></span> ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>flush-zones-on-shutdown</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>forward</strong></span> ( first | only );
+       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em>
+           | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+       <span class="command"><strong>fstrm-set-buffer-hint</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>fstrm-set-flush-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>fstrm-set-input-queue-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>fstrm-set-output-notify-threshold</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>fstrm-set-output-queue-model</strong></span> ( mpsc | spsc );
+       <span class="command"><strong>fstrm-set-output-queue-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>geoip-directory</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+       <span class="command"><strong>geoip-use-ecs</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>glue-cache</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>heartbeat-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>hostname</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+       <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>ixfr-from-differences</strong></span> ( primary | master | secondary | slave |
+           <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>keep-response-order</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>lame-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+       <span class="command"><strong>listen-on</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
+           <em class="replaceable"><code>integer</code></em> ] {
+           <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>listen-on-v6</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
+           <em class="replaceable"><code>integer</code></em> ] {
+           <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>lmdb-mapsize</strong></span> <em class="replaceable"><code>sizeval</code></em>;
+       <span class="command"><strong>lock-file</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+       <span class="command"><strong>managed-keys-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+       <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+       <span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>max-cache-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );
+       <span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+       <span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-rsa-exponent-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-stale-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+       <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
+       <span class="command"><strong>memstatistics</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>memstatistics-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>message-compression</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>minimal-any</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>minimal-responses</strong></span> ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>new-zones-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>no-case-compress</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>nocookie-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>notify-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
+           <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]
+           [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>nta-lifetime</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+       <span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+       <span class="command"><strong>nxdomain-redirect</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>pid-file</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+       <span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>preferred-glue</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>prefetch</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>query-source</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (
+           <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]
+           <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>query-source-v6</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (
+           <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]
+           <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>querylog</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>random-device</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+       <span class="command"><strong>rate-limit</strong></span> {
+               <span class="command"><strong>all-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>errors-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>exempt-clients</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+               <span class="command"><strong>ipv4-prefix-length</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>ipv6-prefix-length</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>log-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+               <span class="command"><strong>max-table-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>min-table-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>nodata-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>nxdomains-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>qps-scale</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>referrals-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>responses-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>slip</strong></span> <em class="replaceable"><code>integer</code></em>;
+               <span class="command"><strong>window</strong></span> <em class="replaceable"><code>integer</code></em>;
+       };
+       <span class="command"><strong>recursing-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>recursion</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>recursive-clients</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>request-nsid</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>require-server-cookie</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>reserved-sockets</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>resolver-nonbackoff-tries</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>resolver-query-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>resolver-retry-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size
+           <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [
+           <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [
+           <span class="command"><strong>policy</strong></span> ( cname | disabled | drop | given | no-op | nodata |
+           <span class="command"><strong>nxdomain</strong></span> | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
+           <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
+           <span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [
+           <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [
+           <span class="command"><strong>min-ns-dots</strong></span> <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [
+           <span class="command"><strong>qname-wait-recurse</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [
+           <span class="command"><strong>nsip-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [
+           <span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em>
+           } ];
+       <span class="command"><strong>root-delegation-only</strong></span> [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];
+       <span class="command"><strong>rrset-order</strong></span> { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name
+           <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };
+       <span class="command"><strong>secroots-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>send-cookie</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>serial-query-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>serial-update-method</strong></span> ( date | increment | unixtime );
+       <span class="command"><strong>server-id</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );
+       <span class="command"><strong>servfail-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+       <span class="command"><strong>session-keyalg</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>session-keyfile</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+       <span class="command"><strong>session-keyname</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>sortlist</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>stacksize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+       <span class="command"><strong>stale-answer-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>stale-answer-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
+       <span class="command"><strong>startup-notify-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>statistics-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>synth-from-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>tcp-advertised-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>tcp-clients</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>tcp-idle-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>tcp-initial-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>tcp-keepalive-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>tcp-listen-queue</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>tkey-dhkey</strong></span> <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>tkey-domain</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>tkey-gssapi-credential</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>tkey-gssapi-keytab</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>transfer-format</strong></span> ( many-answers | one-answer );
+       <span class="command"><strong>transfer-message-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
+           <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )
+           ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>transfers-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>transfers-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>transfers-per-ns</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>trust-anchor-telemetry</strong></span> <em class="replaceable"><code>boolean</code></em>; // experimental
+       <span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>use-v4-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
+       <span class="command"><strong>use-v6-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
+       <span class="command"><strong>v6-bias</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>version</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
+       <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>zero-no-soa-ttl-cache</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="options"></a><span class="command"><strong>options</strong></span> Statement Definition and
+          Usage</h3></div></div></div>
+
+        <p>
+          The <span class="command"><strong>options</strong></span> statement sets up global
+          options
+          to be used by <acronym class="acronym">BIND</acronym>. This statement
+          may appear only
+          once in a configuration file. If there is no <span class="command"><strong>options</strong></span>
+          statement, an options block with each option set to its default will
+          be used.
+        </p>
+
+        <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>attach-cache</strong></span></span></dt>
+<dd>
+                <p>
+                  Allows multiple views to share a single cache
+                  database.
+                  Each view has its own cache database by default, but
+                  if multiple views have the same operational policy
+                  for name resolution and caching, those views can
+                  share a single cache to save memory and possibly
+                  improve resolution efficiency by using this option.
+                </p>
+
+                <p>
+                  The <span class="command"><strong>attach-cache</strong></span> option
+                  may also be specified in <span class="command"><strong>view</strong></span>
+                  statements, in which case it overrides the
+                  global <span class="command"><strong>attach-cache</strong></span> option.
+                </p>
+
+                <p>
+                  The <em class="replaceable"><code>cache_name</code></em> specifies
+                  the cache to be shared.
+                  When the <span class="command"><strong>named</strong></span> server configures
+                  views which are supposed to share a cache, it
+                  creates a cache with the specified name for the
+                  first view of these sharing views.
+                  The rest of the views will simply refer to the
+                  already created cache.
+                </p>
+
+                <p>
+                  One common configuration to share a cache would be to
+                  allow all views to share a single cache.
+                  This can be done by specifying
+                  the <span class="command"><strong>attach-cache</strong></span> as a global
+                  option with an arbitrary name.
+                </p>
+
+                <p>
+                  Another possible operation is to allow a subset of
+                  all views to share a cache while the others to
+                  retain their own caches.
+                  For example, if there are three views A, B, and C,
+                  and only A and B should share a cache, specify the
+                  <span class="command"><strong>attach-cache</strong></span> option as a view A (or
+                  B)'s option, referring to the other view name:
+                </p>
+
+<pre class="programlisting">
+  view "A" {
+    // this view has its own cache
+    ...
+  };
+  view "B" {
+    // this view refers to A's cache
+    attach-cache "A";
+  };
+  view "C" {
+    // this view has its own cache
+    ...
+  };
+</pre>
+
+                <p>
+                  Views that share a cache must have the same policy
+                  on configurable parameters that may affect caching.
+                  The current implementation requires the following
+                  configurable options be consistent among these
+                  views:
+                  <span class="command"><strong>check-names</strong></span>,
+                  <span class="command"><strong>cleaning-interval</strong></span>,
+                  <span class="command"><strong>dnssec-accept-expired</strong></span>,
+                  <span class="command"><strong>dnssec-validation</strong></span>,
+                  <span class="command"><strong>max-cache-ttl</strong></span>,
+                  <span class="command"><strong>max-ncache-ttl</strong></span>,
+                  <span class="command"><strong>max-stale-ttl</strong></span>,
+                  <span class="command"><strong>max-cache-size</strong></span>, and
+                  <span class="command"><strong>zero-no-soa-ttl</strong></span>.
+                </p>
+
+                <p>
+                  Note that there may be other parameters that may
+                  cause confusion if they are inconsistent for
+                  different views that share a single cache.
+                  For example, if these views define different sets of
+                  forwarders that can return different answers for the
+                  same question, sharing the answer does not make
+                  sense or could even be harmful.
+                  It is administrator's responsibility to ensure
+                  configuration differences in different views do
+                  not cause disruption with a shared cache.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
+<dd>
+              <p>
+                The working directory of the server.
+                Any non-absolute pathnames in the configuration file will
+                be taken as relative to this directory. The default
+                location for most server output files
+                (e.g. <code class="filename">named.run</code>) is this directory.
+                If a directory is not specified, the working directory
+                defaults to `<code class="filename">.</code>', the directory from
+                which the server was started. The directory specified
+                should be an absolute path, and <span class="emphasis"><em>must</em></span>
+                be writable by the effective user ID of the
+                <span class="command"><strong>named</strong></span> process.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dnstap</strong></span></span></dt>
+<dd>
+              <p>
+                <span class="command"><strong>dnstap</strong></span> is a fast, flexible method
+                for capturing and logging DNS traffic. Developed by
+                Robert Edmonds at Farsight Security, Inc., and supported
+                by multiple DNS implementations, <span class="command"><strong>dnstap</strong></span>
+                uses
+                <span class="command"><strong>libfstrm</strong></span> (a lightweight high-speed
+                framing library, see
+                <a class="link" href="https://github.com/farsightsec/fstrm" target="_top">https://github.com/farsightsec/fstrm</a>) to send
+                event payloads which are encoded using Protocol Buffers
+                (<span class="command"><strong>libprotobuf-c</strong></span>, a mechanism for
+                serializing structured data developed
+                by Google, Inc.; see
+                <a class="link" href="https://developers.google.com/protocol-buffers/" target="_top">https://developers.google.com/protocol-buffers</a>).
+              </p>
+              <p>
+                To enable <span class="command"><strong>dnstap</strong></span> at compile time,
+                the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
+                libraries must be available, and BIND must be configured with
+                <code class="option">--enable-dnstap</code>.
+              </p>
+              <p>
+                The <span class="command"><strong>dnstap</strong></span> option is a bracketed list
+                of message types to be logged. These may be set differently
+                for each view. Supported types are <code class="literal">client</code>,
+                <code class="literal">auth</code>, <code class="literal">resolver</code>, and
+                <code class="literal">forwarder</code>.  Specifying type
+                <code class="literal">all</code> will cause all <span class="command"><strong>dnstap</strong></span>
+                messages to be logged, regardless of type.
+              </p>
+              <p>
+                Each type may take an additional argument to indicate whether
+                to log <code class="literal">query</code> messages or
+                <code class="literal">response</code> messages; if not specified,
+                both queries and responses are logged.
+              </p>
+              <p>
+                Example: To log all authoritative queries and responses,
+                recursive client responses, and upstream queries sent by
+                the resolver, use:
+</p>
+<pre class="programlisting">dnstap {
+  auth;
+  client response;
+  resolver query;
+};
+</pre>
+<p>
+              </p>
+              <p>
+                Logged <span class="command"><strong>dnstap</strong></span> messages can be parsed
+                using the <span class="command"><strong>dnstap-read</strong></span> utility (see
+                <a class="xref" href="man.dnstap-read.html" title="dnstap-read"><span class="refentrytitle"><span class="application">dnstap-read</span></span>(1)</a> for details).
+              </p>
+              <p>
+                For more information on <span class="command"><strong>dnstap</strong></span>, see
+                <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
+              </p>
+              <p>
+                The fstrm library has a number of tunables that are exposed
+                in <code class="filename">named.conf</code>, and can be modified
+                if necessary to improve performance or prevent loss of data.
+                These are:
+              </p>
+              <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+                  
+                    <span class="command"><strong>fstrm-set-buffer-hint</strong></span>: The
+                    threshold number of bytes to accumulate in the output
+                    buffer before forcing a buffer flush. The minimum is
+                    1024, the maximum is 65536, and the default is 8192.
+                  
+                </li>
+<li class="listitem">
+                  
+                    <span class="command"><strong>fstrm-set-flush-timeout</strong></span>: The number
+                    of seconds to allow unflushed data to remain in the
+                    output buffer. The minimum is 1 second, the maximum is
+                    600 seconds (10 minutes), and the default is 1 second.
+                  
+                </li>
+<li class="listitem">
+                  
+                    <span class="command"><strong>fstrm-set-output-notify-threshold</strong></span>:
+                    The number of outstanding queue entries to allow on
+                    an input queue before waking the I/O thread.
+                    The minimum is 1 and the default is 32.
+                  
+                </li>
+<li class="listitem">
+                  
+                    <span class="command"><strong>fstrm-set-output-queue-model</strong></span>:
+                    Controls the queuing semantics to use for queue
+                    objects. The default is <code class="literal">mpsc</code>
+                    (multiple producer, single consumer); the other
+                    option is <code class="literal">spsc</code> (single producer,
+                    single consumer).
+                  
+                </li>
+<li class="listitem">
+                  
+                    <span class="command"><strong>fstrm-set-input-queue-size</strong></span>: The
+                    number of queue entries to allocate for each
+                    input queue. This value must be a power of 2.
+                    The minimum is 2, the maximum is 16384, and
+                    the default is 512.
+                  
+                </li>
+<li class="listitem">
+                  
+                    <span class="command"><strong>fstrm-set-output-queue-size</strong></span>:
+                    The number of queue entries to allocate for each
+                    output queue. The minimum is 2, the maximum is
+                    system-dependent and based on <code class="option">IOV_MAX</code>,
+                    and the default is 64.
+                  
+                </li>
+<li class="listitem">
+                  
+                    <span class="command"><strong>fstrm-set-reopen-interval</strong></span>:
+                    The number of seconds to wait between attempts to
+                    reopen a closed output stream. The minimum is 1 second,
+                    the maximum is 600 seconds (10 minutes), and the default
+                    is 5 seconds.
+                  
+                </li>
+</ul></div>
+              <p>
+                Note that all of the above minimum, maximum, and default
+                values are set by the <span class="command"><strong>libfstrm</strong></span> library,
+                and may be subject to change in future versions of the
+                library. See the <span class="command"><strong>libfstrm</strong></span> documentation
+                for more information.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dnstap-output</strong></span></span></dt>
+<dd>
+              <p>
+                Configures the path to which the <span class="command"><strong>dnstap</strong></span>
+                frame stream will be sent if <span class="command"><strong>dnstap</strong></span>
+                is enabled at compile time and active.
+              </p>
+              <p>
+                The first argument is either <code class="literal">file</code> or
+                <code class="literal">unix</code>, indicating whether the destination
+                is a file or a UNIX domain socket.  The second argument
+                is the path of the file or socket.  (Note: when using a
+                socket, <span class="command"><strong>dnstap</strong></span> messages will
+                only be sent if another process such as
+                <span class="command"><strong>fstrm_capture</strong></span>
+                (provided with <span class="command"><strong>libfstrm</strong></span>) is listening on
+                the socket.)
+              </p>
+              <p>
+                If the first argument is <code class="literal">file</code>, then
+                up to three additional options can be added:
+                <span class="command"><strong>size</strong></span> indicates the size to which a
+                <span class="command"><strong>dnstap</strong></span> log file can grow before being
+                rolled to a new file; <span class="command"><strong>versions</strong></span>
+                specifies the number of rolled log files to retain; and
+                <span class="command"><strong>suffix</strong></span> indicates whether to retain
+                rolled log files with an incrementing counter as the
+                suffix (<code class="literal">increment</code>) or with the
+                current timestamp (<code class="literal">timestamp</code>).
+                These are similar to the <span class="command"><strong>size</strong></span>,
+                <span class="command"><strong>versions</strong></span>, and <span class="command"><strong>suffix</strong></span>
+                options in a <span class="command"><strong>logging</strong></span> channel.
+                The default is to allow <span class="command"><strong>dnstap</strong></span> log
+                files to grow to any size without rolling.
+              </p>
+              <p>
+                <span class="command"><strong>dnstap-output</strong></span> can only be set globally
+                in <span class="command"><strong>options</strong></span>. Currently, it can only be
+                set once while <span class="command"><strong>named</strong></span> is running;
+                once set, it cannot be changed by
+                <span class="command"><strong>rndc reload</strong></span> or
+                <span class="command"><strong>rndc reconfig</strong></span>.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dnstap-identity</strong></span></span></dt>
+<dd>
+              <p>
+                Specifies an <span class="command"><strong>identity</strong></span> string to send in
+                <span class="command"><strong>dnstap</strong></span> messages. If set to
+                <code class="literal">hostname</code>, which is the default, the
+                server's hostname will be sent. If set to
+                <code class="literal">none</code>, no identity string will be sent.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dnstap-version</strong></span></span></dt>
+<dd>
+              <p>
+                Specifies a <span class="command"><strong>version</strong></span> string to send in
+                <span class="command"><strong>dnstap</strong></span> messages. The default is the
+                version number of the BIND release. If set to
+                <code class="literal">none</code>, no version string will be sent.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>geoip-directory</strong></span></span></dt>
+<dd>
+              <p>
+                Specifies the directory containing GeoIP
+                <code class="filename">.dat</code> database files for GeoIP
+                initialization.  By default, this option is unset
+                and the GeoIP support will use libGeoIP's
+                built-in directory.
+                (For details, see <a class="xref" href="Bv9ARM.ch05.html#acl" title="acl Statement Definition and Usage">the section called &#8220;<span class="command"><strong>acl</strong></span> Statement Definition and
+          Usage&#8221;</a> about the
+                <span class="command"><strong>geoip</strong></span> ACL.)
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
+<dd>
+              <p>
+                When performing dynamic update of secure zones, the
+                directory where the public and private DNSSEC key files
+                should be found, if different than the current working
+                directory.  (Note that this option has no effect on the
+                paths for files containing non-DNSSEC keys such as
+                <code class="filename">bind.keys</code>,
+                <code class="filename">rndc.key</code> or
+                <code class="filename">session.key</code>.)
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>lmdb-mapsize</strong></span></span></dt>
+<dd>
+              <p>
+                When <span class="command"><strong>named</strong></span> is built with liblmdb,
+                this option sets a maximum size for the memory map of
+                the new-zone database (NZD) in LMDB database format.
+                This database is used to store configuration information
+                for zones added using <span class="command"><strong>rndc addzone</strong></span>.
+                Note that this is not the NZD database file size, but
+                the largest size that the database may grow to.
+              </p>
+              <p>
+                Because the database file is memory mapped, its size is
+                limited by the address space of the named process.  The
+                default of 32 megabytes was chosen to be usable with
+                32-bit <span class="command"><strong>named</strong></span> builds.  The largest
+                permitted value is 1 terabyte. Given typical zone
+                configurations without elaborate ACLs, a 32 MB NZD file
+                ought to be able to hold configurations of about 100,000
+                zones.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>managed-keys-directory</strong></span></span></dt>
+<dd>
+              <p>
+                Specifies the directory in which to store the files that
+                track managed DNSSEC keys.  By default, this is the working
+                directory.  The directory <span class="emphasis"><em>must</em></span>
+                be writable by the effective user ID of the
+                <span class="command"><strong>named</strong></span> process.
+              </p>
+              <p>
+                If <span class="command"><strong>named</strong></span> is not configured to use views,
+                then managed keys for the server will be tracked in a single
+                file called <code class="filename">managed-keys.bind</code>.
+                Otherwise, managed keys will be tracked in separate files,
+                one file per view; each file name will be the view name
+                (or, if it contains characters that are incompatible with
+                use as a file name, the SHA256 hash of the view name),
+                followed by the extension
+                <code class="filename">.mkeys</code>.
+              </p>
+              <p>
+                (Note: in previous releases, file names for views
+                always used the SHA256 hash of the view name. To ensure
+                compatibility after upgrade, if a file using the old
+                name format is found to exist, it will be used instead
+                of the new format.)
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>new-zones-directory</strong></span></span></dt>
+<dd>
+              <p>
+                Specifies the directory in which to store the configuration
+                parameters for zones added via <span class="command"><strong>rndc addzone</strong></span>.
+                By default, this is the working directory. If set to a relative
+                path, it will be relative to the working directory. The
+                directory <span class="emphasis"><em>must</em></span> be writable by the
+                effective user ID of the <span class="command"><strong>named</strong></span> process.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>named-xfer</strong></span></span></dt>
+<dd>
+              <p>
+                <span class="emphasis"><em>This option is obsolete.</em></span> It
+                was used in <acronym class="acronym">BIND</acronym> 8 to specify
+                the pathname to the <span class="command"><strong>named-xfer</strong></span>
+                program.  In <acronym class="acronym">BIND</acronym> 9, no separate
+                <span class="command"><strong>named-xfer</strong></span> program is needed;
+                its functionality is built into the name server.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>tkey-gssapi-keytab</strong></span></span></dt>
+<dd>
+              <p>
+                The KRB5 keytab file to use for GSS-TSIG updates. If
+                this option is set and tkey-gssapi-credential is not
+                set, then updates will be allowed with any key
+                matching a principal in the specified keytab.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>tkey-gssapi-credential</strong></span></span></dt>
+<dd>
+              <p>
+                The security credential with which the server should
+                authenticate keys requested by the GSS-TSIG protocol.
+                Currently only Kerberos 5 authentication is available
+                and the credential is a Kerberos principal which the
+                server can acquire through the default system key
+                file, normally <code class="filename">/etc/krb5.keytab</code>.
+                The location keytab file can be overridden using the
+                tkey-gssapi-keytab option. Normally this principal is
+                of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
+                To use GSS-TSIG, <span class="command"><strong>tkey-domain</strong></span> must
+                also be set if a specific keytab is not set with
+                tkey-gssapi-keytab.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>tkey-domain</strong></span></span></dt>
+<dd>
+              <p>
+                The domain appended to the names of all shared keys
+                generated with <span class="command"><strong>TKEY</strong></span>.  When a
+                client requests a <span class="command"><strong>TKEY</strong></span> exchange,
+                it may or may not specify the desired name for the
+                key. If present, the name of the shared key will
+                be <code class="varname">client specified part</code> +
+                <code class="varname">tkey-domain</code>.  Otherwise, the
+                name of the shared key will be <code class="varname">random hex
+                digits</code> + <code class="varname">tkey-domain</code>.
+                In most cases, the <span class="command"><strong>domainname</strong></span>
+                should be the server's domain name, or an otherwise
+                non-existent subdomain like
+                "_tkey.<code class="varname">domainname</code>".  If you are
+                using GSS-TSIG, this variable must be defined, unless
+                you specify a specific keytab using tkey-gssapi-keytab.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>tkey-dhkey</strong></span></span></dt>
+<dd>
+              <p>
+                The Diffie-Hellman key used by the server
+                to generate shared keys with clients using the Diffie-Hellman
+                mode
+                of <span class="command"><strong>TKEY</strong></span>. The server must be
+                able to load the
+                public and private keys from files in the working directory.
+                In
+                most cases, the <code class="varname">key_name</code> should be the server's host name.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>cache-file</strong></span></span></dt>
+<dd>
+              <p>
+                This is for testing only.  Do not use.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dump-file</strong></span></span></dt>
+<dd>
+              <p>
+                The pathname of the file the server dumps
+                the database to when instructed to do so with
+                <span class="command"><strong>rndc dumpdb</strong></span>.
+                If not specified, the default is <code class="filename">named_dump.db</code>.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>memstatistics-file</strong></span></span></dt>
+<dd>
+              <p>
+                The pathname of the file the server writes memory
+                usage statistics to on exit. If not specified,
+                the default is <code class="filename">named.memstats</code>.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>lock-file</strong></span></span></dt>
+<dd>
+              <p>
+                The pathname of a file on which <span class="command"><strong>named</strong></span> will
+                attempt to acquire a file lock when starting up for
+                the first time; if unsuccessful, the server will
+                will terminate, under the assumption that another
+                server is already running.  If not specified, the default is
+                <code class="filename">/var/run/named/named.lock</code>.
+              </p>
+              <p>
+                Specifying <span class="command"><strong>lock-file none</strong></span> disables the
+                use of a lock file.  <span class="command"><strong>lock-file</strong></span> is
+                ignored if <span class="command"><strong>named</strong></span> was run using the <code class="option">-X</code>
+                option, which overrides it.  Changes to
+                <span class="command"><strong>lock-file</strong></span> are ignored if
+                <span class="command"><strong>named</strong></span> is being reloaded or
+                reconfigured; it is only effective when the server is
+                first started up.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>pid-file</strong></span></span></dt>
+<dd>
+              <p>
+                The pathname of the file the server writes its process ID
+                in. If not specified, the default is
+                <code class="filename">/var/run/named/named.pid</code>.
+                The PID file is used by programs that want to send signals to
+                the running
+                name server. Specifying <span class="command"><strong>pid-file none</strong></span> disables the
+                use of a PID file &#8212; no file will be written and any
+                existing one will be removed.  Note that <span class="command"><strong>none</strong></span>
+                is a keyword, not a filename, and therefore is not enclosed
+                in
+                double quotes.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>recursing-file</strong></span></span></dt>
+<dd>
+              <p>
+                The pathname of the file the server dumps
+                the queries that are currently recursing when instructed
+                to do so with <span class="command"><strong>rndc recursing</strong></span>.
+                If not specified, the default is <code class="filename">named.recursing</code>.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>statistics-file</strong></span></span></dt>
+<dd>
+              <p>
+                The pathname of the file the server appends statistics
+                to when instructed to do so using <span class="command"><strong>rndc stats</strong></span>.
+                If not specified, the default is <code class="filename">named.stats</code> in the
+                server's current directory.  The format of the file is
+                described
+                in <a class="xref" href="Bv9ARM.ch05.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>bindkeys-file</strong></span></span></dt>
+<dd>
+              <p>
+                The pathname of a file to override the built-in trusted
+                keys provided by <span class="command"><strong>named</strong></span>.
+                See the discussion of <span class="command"><strong>dnssec-validation</strong></span>
+                for details.  If not specified, the default is
+                <code class="filename">/etc/bind.keys</code>.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>secroots-file</strong></span></span></dt>
+<dd>
+              <p>
+                The pathname of the file the server dumps
+                security roots to when instructed to do so with
+                <span class="command"><strong>rndc secroots</strong></span>.
+                If not specified, the default is
+                <code class="filename">named.secroots</code>.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>session-keyfile</strong></span></span></dt>
+<dd>
+              <p>
+                The pathname of the file into which to write a TSIG
+                session key generated by <span class="command"><strong>named</strong></span> for use by
+                <span class="command"><strong>nsupdate -l</strong></span>.  If not specified, the
+                default is <code class="filename">/var/run/named/session.key</code>.
+                (See <a class="xref" href="Bv9ARM.ch05.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>, and in
+                particular the discussion of the
+                <span class="command"><strong>update-policy</strong></span> statement's
+                <strong class="userinput"><code>local</code></strong> option for more
+                information about this feature.)
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>session-keyname</strong></span></span></dt>
+<dd>
+              <p>
+                The key name to use for the TSIG session key.
+                If not specified, the default is "local-ddns".
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>session-keyalg</strong></span></span></dt>
+<dd>
+              <p>
+                The algorithm to use for the TSIG session key.
+                Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
+                hmac-sha384, hmac-sha512 and hmac-md5.  If not
+                specified, the default is hmac-sha256.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>port</strong></span></span></dt>
+<dd>
+              <p>
+                The UDP/TCP port number the server uses for
+                receiving and sending DNS protocol traffic.
+                The default is 53.  This option is mainly intended for server
+                testing;
+                a server using a port other than 53 will not be able to
+                communicate with
+                the global DNS.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dscp</strong></span></span></dt>
+<dd>
+              <p>
+                The global Differentiated Services Code Point (DSCP)
+                value to classify outgoing DNS traffic on operating
+                systems that support DSCP. Valid values are 0 through 63.
+                It is not configured by default.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>random-device</strong></span></span></dt>
+<dd>
+              <p>
+                Specifies a source of entropy to be used by the server.
+                This is a device or file from which to read entropy.
+                If it is a file, operations requiring entropy
+                will fail when the file has been exhausted.
+              </p>
+              <p>
+                Entropy is needed for cryptographic operations such as
+                TKEY transactions, dynamic update of signed zones, and
+                generation of TSIG session keys. It is also used for
+                seeding and stirring the pseudo-random number generator,
+                which is used for less critical functions requiring
+                randomness such as generation of DNS message transaction
+                ID's.
+              </p>
+              <p>
+                If <span class="command"><strong>random-device</strong></span> is not specified, or
+                if it is set to <code class="literal">none</code>, entropy will be
+                read from the random number generation function supplied
+                by the cryptographic library with which BIND was linked
+                (i.e.  OpenSSL or a PKCS#11 provider).
+              </p>
+              <p>
+                The <span class="command"><strong>random-device</strong></span> option takes
+                effect during the initial configuration load at server
+                startup time and is ignored on subsequent reloads.
+              </p>
+              <p>
+                If BIND is built with
+                <span class="command"><strong>configure --disable-crypto-rand</strong></span>, then
+                entropy is <span class="emphasis"><em>not</em></span> sourced from the
+                cryptographic library. In this case, if
+                <span class="command"><strong>random-device</strong></span> is not specified, the
+                default value is the system random device,
+                <code class="filename">/dev/random</code> or the equivalent.
+                This default can be overridden with
+                <span class="command"><strong>configure --with-randomdev</strong></span>.
+                If no system random device exists, then no entropy source
+                will be configured, and <span class="command"><strong>named</strong></span> will only
+                be able to use pseudo-random numbers.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>preferred-glue</strong></span></span></dt>
+<dd>
+              <p>
+                If specified, the listed type (A or AAAA) will be emitted
+                before other glue
+                in the additional section of a query response.
+                The default is to prefer A records when responding
+                to queries that arrived via IPv4 and AAAA when
+                responding to queries that arrived via IPv6.
+              </p>
+            </dd>
+<dt>
+<a name="root_delegation_only"></a><span class="term"><span class="command"><strong>root-delegation-only</strong></span></span>
+</dt>
+<dd>
+              <p>
+                Turn on enforcement of delegation-only in TLDs
+                (top level domains) and root zones with an optional
+                exclude list.
+              </p>
+              <p>
+                DS queries are expected to be made to and be answered by
+                delegation only zones.  Such queries and responses are
+                treated as an exception to delegation-only processing
+                and are not converted to NXDOMAIN responses provided
+                a CNAME is not discovered at the query name.
+              </p>
+              <p>
+                If a delegation only zone server also serves a child
+                zone it is not always possible to determine whether
+                an answer comes from the delegation only zone or the
+                child zone.  SOA NS and DNSKEY records are apex
+                only records and a matching response that contains
+                these records or DS is treated as coming from a
+                child zone.  RRSIG records are also examined to see
+                if they are signed by a child zone or not.  The
+                authority section is also examined to see if there
+                is evidence that the answer is from the child zone.
+                Answers that are determined to be from a child zone
+                are not converted to NXDOMAIN responses.  Despite
+                all these checks there is still a possibility of
+                false negatives when a child zone is being served.
+              </p>
+              <p>
+                Similarly false positives can arise from empty nodes
+                (no records at the name) in the delegation only zone
+                when the query type is not ANY.
+              </p>
+              <p>
+                Note some TLDs are not delegation only (e.g. "DE", "LV",
+                "US" and "MUSEUM").  This list is not exhaustive.
+              </p>
+
+<pre class="programlisting">
+options {
+        root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
+};
+</pre>
+
+            </dd>
+<dt><span class="term"><span class="command"><strong>disable-algorithms</strong></span></span></dt>
+<dd>
+              <p>
+                Disable the specified DNSSEC algorithms at and below the
+                specified name.
+                Multiple <span class="command"><strong>disable-algorithms</strong></span>
+                statements are allowed.
+                Only the best match <span class="command"><strong>disable-algorithms</strong></span>
+                clause will be used to determine which algorithms are used.
+              </p>
+              <p>
+                If all supported algorithms are disabled, the zones covered
+                by the <span class="command"><strong>disable-algorithms</strong></span> will be treated
+                as insecure.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>disable-ds-digests</strong></span></span></dt>
+<dd>
+              <p>
+                Disable the specified DS/DLV digest types at and below the
+                specified name.
+                Multiple <span class="command"><strong>disable-ds-digests</strong></span>
+                statements are allowed.
+                Only the best match <span class="command"><strong>disable-ds-digests</strong></span>
+                clause will be used to determine which digest types are used.
+              </p>
+              <p>
+                If all supported digest types are disabled, the zones covered
+                by the <span class="command"><strong>disable-ds-digests</strong></span> will be treated
+                as insecure.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-lookaside</strong></span></span></dt>
+<dd>
+              <p>
+                When set, <span class="command"><strong>dnssec-lookaside</strong></span> provides the
+                validator with an alternate method to validate DNSKEY
+                records at the top of a zone.  When a DNSKEY is at or
+                below a domain specified by the deepest
+                <span class="command"><strong>dnssec-lookaside</strong></span>, and the normal DNSSEC
+                validation has left the key untrusted, the trust-anchor
+                will be appended to the key name and a DLV record will be
+                looked up to see if it can validate the key.  If the DLV
+                record validates a DNSKEY (similarly to the way a DS
+                record does) the DNSKEY RRset is deemed to be trusted.
+              </p>
+              <p>
+                If <span class="command"><strong>dnssec-lookaside</strong></span> is set to
+                <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
+                is not used.
+              </p>
+              <p>
+                NOTE: The ISC-provided DLV service at
+                <code class="literal">dlv.isc.org</code>, has been shut down.
+                The <span class="command"><strong>dnssec-lookaside auto;</strong></span>
+                configuration option, which set <span class="command"><strong>named</strong></span>
+                up to use ISC DLV with minimal configuration, has
+                accordingly been removed.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-must-be-secure</strong></span></span></dt>
+<dd>
+              <p>
+                Specify hierarchies which must be or may not be secure
+                (signed and validated).  If <strong class="userinput"><code>yes</code></strong>,
+                then <span class="command"><strong>named</strong></span> will only accept answers if
+                they are secure.  If <strong class="userinput"><code>no</code></strong>, then normal
+                DNSSEC validation applies allowing for insecure answers to
+                be accepted.  The specified domain must be under a
+                <span class="command"><strong>trusted-keys</strong></span> or
+                <span class="command"><strong>managed-keys</strong></span> statement, or
+                <span class="command"><strong>dnssec-validation auto</strong></span> must be active.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt>
+<dd>
+              <p>
+                This directive instructs <span class="command"><strong>named</strong></span> to
+                return mapped IPv4 addresses to AAAA queries when
+                there are no AAAA records.  It is intended to be
+                used in conjunction with a NAT64.  Each
+                <span class="command"><strong>dns64</strong></span> defines one DNS64 prefix.
+                Multiple DNS64 prefixes can be defined.
+              </p>
+              <p>
+                Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
+                64 and 96 as per RFC 6052.
+              </p>
+              <p>
+                Additionally a reverse IP6.ARPA zone will be created for
+                the prefix to provide a mapping from the IP6.ARPA names
+                to the corresponding IN-ADDR.ARPA names using synthesized
+                CNAMEs.  <span class="command"><strong>dns64-server</strong></span> and
+                <span class="command"><strong>dns64-contact</strong></span> can be used to specify
+                the name of the server and contact for the zones. These
+                are settable at the view / options level.  These are
+                not settable on a per-prefix basis.
+              </p>
+              <p>
+                Each <span class="command"><strong>dns64</strong></span> supports an optional
+                <span class="command"><strong>clients</strong></span> ACL that determines which
+                clients are affected by this directive.  If not defined,
+                it defaults to <strong class="userinput"><code>any;</code></strong>.
+              </p>
+              <p>
+                Each <span class="command"><strong>dns64</strong></span> supports an optional
+                <span class="command"><strong>mapped</strong></span> ACL that selects which
+                IPv4 addresses are to be mapped in the corresponding
+                A RRset.  If not defined it defaults to
+                <strong class="userinput"><code>any;</code></strong>.
+              </p>
+              <p>
+                Normally, DNS64 won't apply to a domain name that
+                owns one or more AAAA records; these records will
+                simply be returned.  The optional
+                <span class="command"><strong>exclude</strong></span> ACL allows specification
+                of a list of IPv6 addresses that will be ignored
+                if they appear in a domain name's AAAA records, and
+                DNS64 will be applied to any A records the domain
+                name owns.  If not defined, <span class="command"><strong>exclude</strong></span>
+                defaults to ::ffff:0.0.0.0/96.
+              </p>
+              <p>
+                A optional <span class="command"><strong>suffix</strong></span> can also
+                be defined to set the bits trailing the mapped
+                IPv4 address bits.  By default these bits are
+                set to <strong class="userinput"><code>::</code></strong>.  The bits
+                matching the prefix and mapped IPv4 address
+                must be zero.
+              </p>
+              <p>
+                If <span class="command"><strong>recursive-only</strong></span> is set to
+                <span class="command"><strong>yes</strong></span> the DNS64 synthesis will
+                only happen for recursive queries.  The default
+                is <span class="command"><strong>no</strong></span>.
+              </p>
+              <p>
+                If <span class="command"><strong>break-dnssec</strong></span> is set to
+                <span class="command"><strong>yes</strong></span> the DNS64 synthesis will
+                happen even if the result, if validated, would
+                cause a DNSSEC validation failure.  If this option
+                is set to <span class="command"><strong>no</strong></span> (the default), the DO
+                is set on the incoming query, and there are RRSIGs on
+                the applicable records, then synthesis will not happen.
+              </p>
+<pre class="programlisting">
+        acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+        dns64 64:FF9B::/96 {
+                clients { any; };
+                mapped { !rfc1918; any; };
+                exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
+                suffix ::;
+        };
+</pre>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt>
+<dd>
+                <p>
+                  When a zone is configured with <span class="command"><strong>auto-dnssec
+                  maintain;</strong></span> its key repository must be checked
+                  periodically to see if any new keys have been added
+                  or any existing keys' timing metadata has been updated
+                  (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
+                  <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The
+                  <span class="command"><strong>dnssec-loadkeys-interval</strong></span> option
+                  sets the frequency of automatic repository checks, in
+                  minutes.  The default is <code class="literal">60</code> (1 hour),
+                  the minimum is <code class="literal">1</code> (1 minute), and the
+                  maximum is <code class="literal">1440</code> (24 hours); any higher
+                  value is silently reduced.
+                </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
+<dd>
+                <p>
+                  If this option is set to its default value of
+                  <code class="literal">maintain</code> in a zone of type
+                  <code class="literal">master</code> which is DNSSEC-signed
+                  and configured to allow dynamic updates (see
+                  <a class="xref" href="Bv9ARM.ch05.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>), and
+                  if <span class="command"><strong>named</strong></span> has access to the
+                  private signing key(s) for the zone, then
+                  <span class="command"><strong>named</strong></span> will automatically sign all new
+                  or changed records and maintain signatures for the zone
+                  by regenerating RRSIG records whenever they approach
+                  their expiration date.
+                </p>
+                <p>
+                  If the option is changed to <code class="literal">no-resign</code>,
+                  then <span class="command"><strong>named</strong></span> will sign all new or
+                  changed records, but scheduled maintenance of
+                  signatures is disabled.
+                </p>
+                <p>
+                  With either of these settings, <span class="command"><strong>named</strong></span>
+                  will reject updates to a DNSSEC-signed zone when the
+                  signing keys are inactive or unavailable to
+                  <span class="command"><strong>named</strong></span>.  (A planned third option,
+                  <code class="literal">external</code>, will disable all automatic
+                  signing and allow DNSSEC data to be submitted into a zone
+                  via dynamic update; this is not yet implemented.)
+                </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>nta-lifetime</strong></span></span></dt>
+<dd>
+                <p>
+                  Species the default lifetime, in seconds,
+                  that will be used for negative trust anchors added
+                  via <span class="command"><strong>rndc nta</strong></span>.
+                </p>
+                <p>
+                  A negative trust anchor selectively disables
+                  DNSSEC validation for zones that are known to be
+                  failing because of misconfiguration rather than
+                  an attack.  When data to be validated is
+                  at or below an active NTA (and above any other
+                  configured trust anchors), <span class="command"><strong>named</strong></span> will
+                  abort the DNSSEC validation process and treat the data as
+                  insecure rather than bogus.  This continues until the
+                  NTA's lifetime is elapsed. NTAs persist
+                  across <span class="command"><strong>named</strong></span> restarts.
+                </p>
+                <p>
+                  For convenience, TTL-style time unit suffixes can be
+                  used to specify the NTA lifetime in seconds, minutes
+                  or hours.  <code class="option">nta-lifetime</code> defaults to
+                  one hour.  It cannot exceed one week.
+                </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>nta-recheck</strong></span></span></dt>
+<dd>
+                <p>
+                  Species how often to check whether negative
+                  trust anchors added via <span class="command"><strong>rndc nta</strong></span>
+                  are still necessary.
+                </p>
+                <p>
+                  A negative trust anchor is normally used when a
+                  domain has stopped validating due to operator error;
+                  it temporarily disables DNSSEC validation for that
+                  domain. In the interest of ensuring that DNSSEC
+                  validation is turned back on as soon as possible,
+                  <span class="command"><strong>named</strong></span> will periodically send a
+                  query to the domain, ignoring negative trust anchors,
+                  to find out whether it can now be validated.  If so,
+                  the negative trust anchor is allowed to expire early.
+                </p>
+                <p>
+                  Validity checks can be disabled for an individual
+                  NTA by using <span class="command"><strong>rndc nta -f</strong></span>, or
+                  for all NTAs by setting <code class="option">nta-recheck</code>
+                  to zero.
+                </p>
+                <p>
+                  For convenience, TTL-style time unit suffixes can be
+                  used to specify the NTA recheck interval in seconds,
+                  minutes or hours.  The default is five minutes.  It
+                  cannot be longer than <code class="option">nta-lifetime</code>
+                  (which cannot be longer than a week).
+                </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
+<dd>
+              <p>
+                Specifies a maximum permissible TTL value in seconds.
+                For convenience, TTL-style time unit suffixes may be
+                used to specify the maximum value.
+                When loading a zone file using a
+                <code class="option">masterfile-format</code> of
+                <code class="constant">text</code> or <code class="constant">raw</code>,
+                any record encountered with a TTL higher than
+                <code class="option">max-zone-ttl</code> will cause the zone to
+                be rejected.
+              </p>
+              <p>
+                This is useful in DNSSEC-signed zones because when
+                rolling to a new DNSKEY, the old key needs to remain
+                available until RRSIG records have expired from
+                caches.  The <code class="option">max-zone-ttl</code> option guarantees
+                that the largest TTL in the zone will be no higher
+                than the set value.
+              </p>
+              <p>
+                (NOTE: Because <code class="constant">map</code>-format files
+                load directly into memory, this option cannot be
+                used with them.)
+              </p>
+              <p>
+                The default value is <code class="constant">unlimited</code>.
+                A <code class="option">max-zone-ttl</code> of zero is treated as
+                <code class="constant">unlimited</code>.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>stale-answer-ttl</strong></span></span></dt>
+<dd>
+              <p>
+                Specifies the TTL to be returned on stale answers.
+                The default is 1 second. The minimum allowed is
+                also 1 second; a value of 0 will be updated silently
+                to 1 second.  For stale answers to be returned,
+                they must be enabled (either in the configuration file
+                using <span class="command"><strong>stale-answer-enable</strong></span> or via
+                <span class="command"><strong>rndc</strong></span>), and
+                <code class="option">max-stale-ttl</code> must be set to a
+                nonzero value.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
+<dd>
+              <p>
+                Zones configured for dynamic DNS may use this
+                option to set the update method that will be used for
+                the zone serial number in the SOA record.
+              </p>
+              <p>
+                With the default setting of
+                <span class="command"><strong>serial-update-method increment;</strong></span>, the
+                SOA serial number will be incremented by one each time
+                the zone is updated.
+              </p>
+              <p>
+                When set to
+                <span class="command"><strong>serial-update-method unixtime;</strong></span>, the
+                SOA serial number will be set to the number of seconds
+                since the UNIX epoch, unless the serial number is
+                already greater than or equal to that value, in which
+                case it is simply incremented by one.
+              </p>
+              <p>
+                When set to
+                <span class="command"><strong>serial-update-method date;</strong></span>, the
+                new SOA serial number will be the current date
+                in the form "YYYYMMDD", followed by two zeroes,
+                unless the existing serial number is already greater
+                than or equal to that value, in which case it is
+                incremented by one.
+              </p>
+            </dd>
+<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt>
+<dd>
+              <p>
+                If <strong class="userinput"><code>full</code></strong>, the server will collect
+                statistical data on all zones (unless specifically
+                turned off on a per-zone basis by specifying
+                <span class="command"><strong>zone-statistics terse</strong></span> or
+                <span class="command"><strong>zone-statistics none</strong></span>
+                in the <span class="command"><strong>zone</strong></span> statement).
+                The default is <strong class="userinput"><code>terse</code></strong>, providing
+                minimal statistics on zones (including name and
+                current serial number, but not query type
+                counters).
+              </p>
+              <p>
+                These statistics may be accessed via the
+                <span class="command"><strong>statistics-channel</strong></span> or
+                using <span class="command"><strong>rndc stats</strong></span>, which
+                will dump them to the file listed
+                in the <span class="command"><strong>statistics-file</strong></span>.  See
+                also <a class="xref" href="Bv9ARM.ch05.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
+              </p>
+              <p>
+                For backward compatibility with earlier versions
+                of BIND 9, the <span class="command"><strong>zone-statistics</strong></span>
+                option can also accept <strong class="userinput"><code>yes</code></strong>
+                or <strong class="userinput"><code>no</code></strong>; <strong class="userinput"><code>yes</code></strong>
+                has the same meaning as <strong class="userinput"><code>full</code></strong>.
+                As of <acronym class="acronym">BIND</acronym> 9.10,
+                <strong class="userinput"><code>no</code></strong> has the same meaning
+                as <strong class="userinput"><code>none</code></strong>; previously, it
+                was the same as <strong class="userinput"><code>terse</code></strong>.
+              </p>
+            </dd>
+</dl></div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>automatic-interface-scan</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong> and supported by the OS,
+                  automatically rescan network interfaces when the interface
+                  addresses are added or removed.  The default is
+                  <strong class="userinput"><code>yes</code></strong>.
+                </p>
+                <p>
+                  Currently the OS needs to support routing sockets for
+                  <span class="command"><strong>automatic-interface-scan</strong></span> to be
+                  supported.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-new-zones</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong>, then zones can be
+                  added at runtime via <span class="command"><strong>rndc addzone</strong></span>.
+                  The default is <strong class="userinput"><code>no</code></strong>.
+                </p>
+                <p>
+                  Newly added zones' configuration parameters
+                  are stored so that they can persist after the
+                  server is restarted.  The configuration information
+                  is saved in a file called
+                  <code class="filename"><em class="replaceable"><code>viewname</code></em>.nzf</code>
+                  (or, if <span class="command"><strong>named</strong></span> is compiled with
+                  liblmdb, in an LMDB database file called
+                  <code class="filename"><em class="replaceable"><code>viewname</code></em>.nzd</code>).
+                  <em class="replaceable"><code>viewname</code></em> is the name of the
+                  view, unless the view name contains characters that are
+                  incompatible with use as a file name, in which case a
+                  cryptographic hash of the view name is used instead.
+                </p>
+                <p>
+                  Zones added at runtime will have their configuration
+                  stored either in a new-zone file (NZF) or a new-zone
+                  database (NZD) depending on whether
+                  <span class="command"><strong>named</strong></span> was linked with
+                  liblmdb at compile time.
+                  See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for further details
+                  about <span class="command"><strong>rndc addzone</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>auth-nxdomain</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong>, then the <span class="command"><strong>AA</strong></span> bit
+                  is always set on NXDOMAIN responses, even if the server is
+                  not actually
+                  authoritative. The default is <strong class="userinput"><code>no</code></strong>;
+                  this is
+                  a change from <acronym class="acronym">BIND</acronym> 8. If you
+                  are using very old DNS software, you
+                  may need to set it to <strong class="userinput"><code>yes</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>deallocate-on-exit</strong></span></span></dt>
+<dd>
+                <p>
+                  This option was used in <acronym class="acronym">BIND</acronym>
+                  8 to enable checking
+                  for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
+                  the checks.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>memstatistics</strong></span></span></dt>
+<dd>
+                <p>
+                  Write memory statistics to the file specified by
+                  <span class="command"><strong>memstatistics-file</strong></span> at exit.
+                  The default is <strong class="userinput"><code>no</code></strong> unless
+                  '-m record' is specified on the command line in
+                  which case it is <strong class="userinput"><code>yes</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong>, then the
+                  server treats all zones as if they are doing zone transfers
+                  across
+                  a dial-on-demand dialup link, which can be brought up by
+                  traffic
+                  originating from this server. This has different effects
+                  according
+                  to zone type and concentrates the zone maintenance so that
+                  it all
+                  happens in a short interval, once every <span class="command"><strong>heartbeat-interval</strong></span> and
+                  hopefully during the one call. It also suppresses some of
+                  the normal
+                  zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
+                </p>
+                <p>
+                  The <span class="command"><strong>dialup</strong></span> option
+                  may also be specified in the <span class="command"><strong>view</strong></span> and
+                  <span class="command"><strong>zone</strong></span> statements,
+                  in which case it overrides the global <span class="command"><strong>dialup</strong></span>
+                  option.
+                </p>
+                <p>
+                  If the zone is a master zone, then the server will send out a
+                  NOTIFY
+                  request to all the slaves (default). This should trigger the
+                  zone serial
+                  number check in the slave (providing it supports NOTIFY)
+                  allowing the slave
+                  to verify the zone while the connection is active.
+                  The set of servers to which NOTIFY is sent can be controlled
+                  by
+                  <span class="command"><strong>notify</strong></span> and <span class="command"><strong>also-notify</strong></span>.
+                </p>
+                <p>
+                  If the
+                  zone is a slave or stub zone, then the server will suppress
+                  the regular
+                  "zone up to date" (refresh) queries and only perform them
+                  when the
+                  <span class="command"><strong>heartbeat-interval</strong></span> expires in
+                  addition to sending
+                  NOTIFY requests.
+                </p>
+                <p>
+                  Finer control can be achieved by using
+                  <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
+                  messages,
+                  <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
+                  messages and
+                  suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
+                  which suppresses normal refresh processing and sends refresh
+                  queries
+                  when the <span class="command"><strong>heartbeat-interval</strong></span>
+                  expires, and
+                  <strong class="userinput"><code>passive</code></strong> which just disables normal
+                  refresh
+                  processing.
+                </p>
+
+                <div class="informaltable">
+                  <table border="1">
+<colgroup>
+<col width="1.150in" class="1">
+<col width="1.150in" class="2">
+<col width="1.150in" class="3">
+<col width="1.150in" class="4">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                          <p>
+                            dialup mode
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            normal refresh
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            heart-beat refresh
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            heart-beat notify
+                          </p>
+                        </td>
+</tr>
+<tr>
+<td>
+                          <p><span class="command"><strong>no</strong></span> (default)</p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+</tr>
+<tr>
+<td>
+                          <p><span class="command"><strong>yes</strong></span></p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+</tr>
+<tr>
+<td>
+                          <p><span class="command"><strong>notify</strong></span></p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+</tr>
+<tr>
+<td>
+                          <p><span class="command"><strong>refresh</strong></span></p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+</tr>
+<tr>
+<td>
+                          <p><span class="command"><strong>passive</strong></span></p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+</tr>
+<tr>
+<td>
+                          <p><span class="command"><strong>notify-passive</strong></span></p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+</tr>
+</tbody>
+</table>
+                </div>
+
+                <p>
+                  Note that normal NOTIFY processing is not affected by
+                  <span class="command"><strong>dialup</strong></span>.
+                </p>
+
+              </dd>
+<dt><span class="term"><span class="command"><strong>fake-iquery</strong></span></span></dt>
+<dd>
+                <p>
+                  In <acronym class="acronym">BIND</acronym> 8, this option
+                  enabled simulating the obsolete DNS query type
+                  IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
+                  IQUERY simulation.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt>
+<dd>
+                <p>
+                  This option is obsolete.
+                  In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
+                  caused the server to attempt to fetch glue resource records
+                  it
+                  didn't have when constructing the additional
+                  data section of a response.  This is now considered a bad
+                  idea
+                  and BIND 9 never does it.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>flush-zones-on-shutdown</strong></span></span></dt>
+<dd>
+                <p>
+                  When the nameserver exits due receiving SIGTERM,
+                  flush or do not flush any pending zone writes.  The default
+                  is
+                  <span class="command"><strong>flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>geoip-use-ecs</strong></span></span></dt>
+<dd>
+                <p>
+                  When BIND is compiled with GeoIP support and configured
+                  with "geoip" ACL elements, this option indicates whether
+                  the EDNS Client Subnet option, if present in a request,
+                  should be used for matching against the GeoIP database.
+                  The default is
+                  <span class="command"><strong>geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt>
+<dd>
+                <p>
+                  This option was incorrectly implemented
+                  in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
+                  To achieve the intended effect
+                  of
+                  <span class="command"><strong>has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
+                  the two separate options <span class="command"><strong>auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
+                  and <span class="command"><strong>rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>host-statistics</strong></span></span></dt>
+<dd>
+                <p>
+                  In BIND 8, this enabled keeping of
+                  statistics for every host that the name server interacts
+                  with.
+                  Not implemented in BIND 9.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>maintain-ixfr-base</strong></span></span></dt>
+<dd>
+                <p>
+                  <span class="emphasis"><em>This option is obsolete</em></span>.
+                  It was used in <acronym class="acronym">BIND</acronym> 8 to
+                  determine whether a transaction log was
+                  kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
+                  log whenever possible.  If you need to disable outgoing
+                  incremental zone
+                  transfers, use <span class="command"><strong>provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>message-compression</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong>, DNS name compression is
+                  used in responses to regular queries (not including
+                  AXFR or IXFR, which always uses compression).  Setting
+                  this option to <strong class="userinput"><code>no</code></strong> reduces CPU
+                  usage on servers and may improve throughput.  However,
+                  it increases response size, which may cause more queries
+                  to be processed using TCP; a server with compression
+                  disabled is out of compliance with RFC 1123 Section
+                  6.1.3.2. The default is <strong class="userinput"><code>yes</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt>
+<dd>
+                <p>
+                  If set to <strong class="userinput"><code>yes</code></strong>, then when generating
+                  responses the server will only add records to the authority
+                  and additional data sections when they are required (e.g.
+                  delegations, negative responses).  This may improve the
+                  performance of the server.
+                </p>
+                <p>
+                  When set to <strong class="userinput"><code>no-auth</code></strong>, the
+                  server will omit records from the authority section
+                  unless they are required, but it may still add
+                  records to the additional section.  When set to
+                  <strong class="userinput"><code>no-auth-recursive</code></strong>, this
+                  is only done if the query is recursive.  When the
+                  query is not recursive, the effect is same as if
+                  <strong class="userinput"><code>no</code></strong> was specified. These
+                  settings are useful when answering stub clients,
+                  which usually ignore the authority section.
+                  <strong class="userinput"><code>no-auth-recursive</code></strong> is
+                  designed for mixed-mode servers which handle
+                  both authoritative and recursive queries.
+                </p>
+                <p>
+                  The default is
+                  <strong class="userinput"><code>no-auth-recursive</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>glue-cache</strong></span></span></dt>
+<dd>
+                <p>
+                  When set to <strong class="userinput"><code>yes</code></strong>, a cache is
+                  used to improve query performance when adding
+                  address-type (A and AAAA) glue records to the
+                  additional section of DNS response messages that
+                  delegate to a child zone.
+                </p>
+                <p>
+                  The glue cache uses memory proportional to the number
+                  of delegations in the zone. The default setting is
+                  <strong class="userinput"><code>yes</code></strong>, which improves performance
+                  at the cost of increased memory usage for the zone. If
+                  you don't want this, set it to <strong class="userinput"><code>no</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>minimal-any</strong></span></span></dt>
+<dd>
+                <p>
+                  If set to <strong class="userinput"><code>yes</code></strong>, then when
+                  generating a positive response to a query of type
+                  ANY over UDP, the server will reply with only one
+                  of the RRsets for the query name, and its covering
+                  RRSIGs if any, instead of replying with all known
+                  RRsets for the name.  Similarly, a query for type
+                  RRSIG will be answered with the RRSIG records covering
+                  only one type. This can reduce the impact of some kinds
+                  of attack traffic, without harming legitimate
+                  clients.  (Note, however, that the RRset returned is the
+                  first one found in the database; it is not necessarily
+                  the smallest available RRset.)
+                  Additionally, <code class="option">minimal-responses</code> is
+                  turned on for these queries, so no unnecessary records
+                  will be added to the authority or additional sections.
+                  The default is <strong class="userinput"><code>no</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>multiple-cnames</strong></span></span></dt>
+<dd>
+                <p>
+                  This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
+                  a domain name to have multiple CNAME records in violation of
+                  the DNS standards.  <acronym class="acronym">BIND</acronym> 9.2 onwards
+                  always strictly enforces the CNAME rules both in master
+                  files and dynamic updates.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong> (the default),
+                  DNS NOTIFY messages are sent when a zone the server is
+                  authoritative for
+                  changes, see <a class="xref" href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.  The messages are
+                  sent to the
+                  servers listed in the zone's NS records (except the master
+                  server identified
+                  in the SOA MNAME field), and to any servers listed in the
+                  <span class="command"><strong>also-notify</strong></span> option.
+                </p>
+                <p>
+                  If <strong class="userinput"><code>master-only</code></strong>, notifies are only
+                  sent
+                  for master zones.
+                  If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
+                  to
+                  servers explicitly listed using <span class="command"><strong>also-notify</strong></span>.
+                  If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
+                </p>
+                <p>
+                  The <span class="command"><strong>notify</strong></span> option may also be
+                  specified in the <span class="command"><strong>zone</strong></span>
+                  statement,
+                  in which case it overrides the <span class="command"><strong>options notify</strong></span> statement.
+                  It would only be necessary to turn off this option if it
+                  caused slaves
+                  to crash.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
+                  in the NS RRset against the SOA MNAME.  Normally a NOTIFY
+                  message is not sent to the SOA MNAME (SOA ORIGIN) as it is
+                  supposed to contain the name of the ultimate master.
+                  Sometimes, however, a slave is listed as the SOA MNAME in
+                  hidden master configurations and in that case you would
+                  want the ultimate master to still send NOTIFY messages to
+                  all the nameservers listed in the NS RRset.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>recursion</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong>, and a
+                  DNS query requests recursion, then the server will attempt
+                  to do
+                  all the work required to answer the query. If recursion is
+                  off
+                  and the server does not already know the answer, it will
+                  return a
+                  referral response. The default is
+                  <strong class="userinput"><code>yes</code></strong>.
+                  Note that setting <span class="command"><strong>recursion no</strong></span> does not prevent
+                  clients from getting data from the server's cache; it only
+                  prevents new data from being cached as an effect of client
+                  queries.
+                  Caching may still occur as an effect the server's internal
+                  operation, such as NOTIFY address lookups.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>request-nsid</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
+                  NSID (Name Server Identifier) option is sent with all
+                  queries to authoritative name servers during iterative
+                  resolution. If the authoritative server returns an NSID
+                  option in its response, then its contents are logged in
+                  the <span class="command"><strong>resolver</strong></span> category at level
+                  <span class="command"><strong>info</strong></span>.
+                  The default is <strong class="userinput"><code>no</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>request-sit</strong></span></span></dt>
+<dd>
+                <p>
+                  This experimental option is obsolete.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>require-server-cookie</strong></span></span></dt>
+<dd>
+                <p>
+                  Require a valid server cookie before sending a full
+                  response to a UDP request from a cookie aware client.
+                  BADCOOKIE is sent if there is a bad or no existent
+                  server cookie.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong>, then a COOKIE EDNS
+                  option is sent along with the query.  If the
+                  resolver has previously talked to the server, the
+                  COOKIE returned in the previous transaction is sent.
+                  This is used by the server to determine whether
+                  the resolver has talked to it before. A resolver
+                  sending the correct COOKIE is assumed not to be an
+                  off-path attacker sending a spoofed-source query;
+                  the query is therefore unlikely to be part of a
+                  reflection/amplification attack, so resolvers
+                  sending a correct COOKIE option are not subject to
+                  response rate limiting (RRL).  Resolvers which
+                  do not send a correct COOKIE option may be limited
+                  to receiving smaller responses via the
+                  <span class="command"><strong>nocookie-udp-size</strong></span> option.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>stale-answer-enable</strong></span></span></dt>
+<dd>
+                <p>
+                  Enable the returning of stale answers when the
+                  nameservers for the zone are not answering.  This
+                  is off by default, but can be enabled/disabled via
+                  <span class="command"><strong>rndc serve-stale on</strong></span> and
+                  <span class="command"><strong>rndc serve-stale off</strong></span>, which
+                  override the <code class="filename">named.conf</code>
+                  setting.  <span class="command"><strong>rndc serve-stale reset</strong></span>
+                  restores the setting to the one specified in
+                  <code class="filename">named.conf</code>.  Note that
+                  reloading or reconfiguring <span class="command"><strong>named</strong></span>
+                  will not re-enable serving of stale records if they
+                  have been disabled via <span class="command"><strong>rndc</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>nocookie-udp-size</strong></span></span></dt>
+<dd>
+                <p>
+                  Sets the maximum size of UDP responses that will be
+                  sent to queries without a valid server COOKIE. A value
+                  below 128 will be silently raised to 128. The default
+                  value is 4096, but the <span class="command"><strong>max-udp-size</strong></span>
+                  option may further limit the response size.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>sit-secret</strong></span></span></dt>
+<dd>
+                <p>
+                  This experimental option is obsolete.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>cookie-algorithm</strong></span></span></dt>
+<dd>
+                <p>
+                  Set the algorithm to be used when generating the
+                  server cookie.  One of "aes", "sha1" or "sha256".
+                  The default is "aes" if supported by the cryptographic
+                  library or otherwise "sha256".
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>cookie-secret</strong></span></span></dt>
+<dd>
+                <p>
+                  If set, this is a shared secret used for generating
+                  and verifying EDNS COOKIE options
+                  within an anycast cluster.  If not set, the system
+                  will generate a random secret at startup.  The
+                  shared secret is encoded as a hex string and needs
+                  to be 128 bits for AES128, 160 bits for SHA1 and
+                  256 bits for SHA256.
+                </p>
+                <p>
+                  If there are multiple secrets specified, the first
+                  one listed in <code class="filename">named.conf</code> is
+                  used to generate new server cookies.  The others
+                  will only be used to verify returned cookies.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>response-padding</strong></span></span></dt>
+<dd>
+                <p>
+                  The EDNS Padding option is intended to improve
+                  confidentiality when DNS queries are sent over an
+                  encrypted channel by reducing the variability in
+                  packet sizes.  If a query:
+                  </p>
+<div class="orderedlist"><ol class="orderedlist" type="1">
+<li class="listitem">
+                      contains an EDNS Padding option,
+                    </li>
+<li class="listitem">
+                      includes a valid server cookie or uses TCP,
+                    </li>
+<li class="listitem">
+                      is <span class="emphasis"><em>not</em></span> signed using TSIG or
+                      SIG(0), and
+                    </li>
+<li class="listitem">
+                      is from a client whose address matches the specified ACL,
+                    </li>
+</ol></div>
+<p>
+                  then the response is padded with an EDNS Padding option
+                  to a multiple of <code class="varname">block-size</code> bytes.
+                  If these conditions are not met, the response is not
+                  padded.
+                </p>
+                <p>
+                  If <code class="varname">block-size</code> is 0 or the ACL is
+                  <span class="command"><strong>none;</strong></span>, then this feature is
+                  disabled and no padding will occur; this is the
+                  default.  If <code class="varname">block-size</code> is greater
+                  than 512, a warning is logged and the value is truncated
+                  to 512.  Block sizes are ordinarily expected to be powers
+                  of two (for instance, 128), but this is not mandatory.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>rfc2308-type1</strong></span></span></dt>
+<dd>
+                <p>
+                  Setting this to <strong class="userinput"><code>yes</code></strong> will
+                  cause the server to send NS records along with the SOA
+                  record for negative
+                  answers. The default is <strong class="userinput"><code>no</code></strong>.
+                </p>
+                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                  <p>
+                    Not yet implemented in <acronym class="acronym">BIND</acronym>
+                    9.
+                  </p>
+                </div>
+              </dd>
+<dt><span class="term"><span class="command"><strong>trust-anchor-telemetry</strong></span></span></dt>
+<dd>
+                <p>
+                  Causes <span class="command"><strong>named</strong></span> to send specially-formed
+                  queries once per day to domains for which trust anchors
+                  have been configured via <span class="command"><strong>trusted-keys</strong></span>,
+                  <span class="command"><strong>managed-keys</strong></span>, or
+                  <span class="command"><strong>dnssec-validation auto</strong></span>.
+                </p>
+                <p>
+                  The query name used for these queries has the
+                  form "_ta-xxxx(-xxxx)(...)".&lt;domain&gt;, where
+                  each "xxxx" is a group of four hexadecimal digits
+                  representing the key ID of a trusted DNSSEC key.
+                  The key IDs for each domain are sorted smallest
+                  to largest prior to encoding. The query type is NULL.
+                </p>
+                <p>
+                  By monitoring these queries, zone operators will
+                  be able to see which resolvers have been updated to
+                  trust a new key; this may help them decide when it
+                  is safe to remove an old one.
+                </p>
+                <p>
+                  The default is <strong class="userinput"><code>yes</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>use-id-pool</strong></span></span></dt>
+<dd>
+                <p>
+                  <span class="emphasis"><em>This option is obsolete</em></span>.
+                  <acronym class="acronym">BIND</acronym> 9 always allocates query
+                  IDs from a pool.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>use-ixfr</strong></span></span></dt>
+<dd>
+                <p>
+                  <span class="emphasis"><em>This option is obsolete</em></span>.
+                  If you need to disable IXFR to a particular server or
+                  servers, see
+                  the information on the <span class="command"><strong>provide-ixfr</strong></span> option
+                  in <a class="xref" href="Bv9ARM.ch05.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
+            Usage&#8221;</a>.
+                  See also
+                  <a class="xref" href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>provide-ixfr</strong></span></span></dt>
+<dd>
+                <p>
+                  See the description of
+                  <span class="command"><strong>provide-ixfr</strong></span> in
+                  <a class="xref" href="Bv9ARM.ch05.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
+            Usage&#8221;</a>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>request-ixfr</strong></span></span></dt>
+<dd>
+                <p>
+                  See the description of
+                  <span class="command"><strong>request-ixfr</strong></span> in
+                  <a class="xref" href="Bv9ARM.ch05.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
+            Usage&#8221;</a>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>request-expire</strong></span></span></dt>
+<dd>
+                <p>
+                  See the description of
+                  <span class="command"><strong>request-expire</strong></span> in
+                  <a class="xref" href="Bv9ARM.ch05.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
+            Usage&#8221;</a>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>treat-cr-as-space</strong></span></span></dt>
+<dd>
+                <p>
+                  This option was used in <acronym class="acronym">BIND</acronym>
+                  8 to make
+                  the server treat carriage return ("<span class="command"><strong>\r</strong></span>") characters the same way
+                  as a space or tab character,
+                  to facilitate loading of zone files on a UNIX system that
+                  were generated
+                  on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span class="command"><strong>\n</strong></span>"
+                  and NT/DOS "<span class="command"><strong>\r\n</strong></span>" newlines
+                  are always accepted,
+                  and the option is ignored.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>match-mapped-addresses</strong></span></span></dt>
+<dd>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong>, then an
+                  IPv4-mapped IPv6 address will match any address match
+                  list entries that match the corresponding IPv4 address.
+                </p>
+                <p>
+                  This option was introduced to work around a kernel quirk
+                  in some operating systems that causes IPv4 TCP
+                  connections, such as zone transfers, to be accepted on an
+                  IPv6 socket using mapped addresses.  This caused address
+                  match lists designed for IPv4 to fail to match.  However,
+                  <span class="command"><strong>named</strong></span> now solves this problem
+                  internally.  The use of this option is discouraged.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
+<dd>
+                <p>
+                  This option is intended to help the
+                  transition from IPv4 to IPv6 by not giving IPv6 addresses
+                  to DNS clients unless they have connections to the IPv6
+                  Internet.  This is not recommended unless absolutely
+                  necessary.  The default is <strong class="userinput"><code>no</code></strong>.
+                  The <span class="command"><strong>filter-aaaa-on-v4</strong></span> option
+                  may also be specified in <span class="command"><strong>view</strong></span> statements
+                  to override the global <span class="command"><strong>filter-aaaa-on-v4</strong></span>
+                  option.
+                </p>
+                <p>
+                  If <strong class="userinput"><code>yes</code></strong>,
+                  the DNS client is at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
+                  and if the response does not include DNSSEC signatures,
+                  then all AAAA records are deleted from the response.
+                  This filtering applies to all responses and not only
+                  authoritative responses.
+                </p>
+                <p>
+                  If <strong class="userinput"><code>break-dnssec</code></strong>,
+                  then AAAA records are deleted even when DNSSEC is enabled.
+                  As suggested by the name, this makes the response not verify,
+                  because the DNSSEC protocol is designed detect deletions.
+                </p>
+                <p>
+                  This mechanism can erroneously cause other servers to
+                  not give AAAA records to their clients.
+                  A recursing server with both IPv6 and IPv4 network connections
+                  that queries an authoritative server using this mechanism
+                  via IPv4 will be denied AAAA records even if its client is
+                  using IPv6.
+                </p>
+                <p>
+                  This mechanism is applied to authoritative as well as
+                  non-authoritative records.
+                  A client using IPv4 that is not allowed recursion can
+                  erroneously be given AAAA records because the server is not
+                  allowed to check for A records.
+                </p>
+                <p>
+                  Some AAAA records are given to IPv4 clients in glue records.
+                  IPv4 clients that are servers can then erroneously
+                  answer requests for AAAA records received via IPv4.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v6</strong></span></span></dt>
+<dd>
+                <p>
+                  Identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
+                  except it filters AAAA responses to queries from IPv6
+                  clients instead of IPv4 clients.  To filter all
+                  responses, set both options to <strong class="userinput"><code>yes</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt>
+<dd>
+                <p>
+                  When <strong class="userinput"><code>yes</code></strong> and the server loads a new
+                  version of a master zone from its zone file or receives a
+                  new version of a slave file via zone transfer, it will
+                  compare the new version to the previous one and calculate
+                  a set of differences.  The differences are then logged in
+                  the zone's journal file such that the changes can be
+                  transmitted to downstream slaves as an incremental zone
+                  transfer.
+                </p>
+                <p>
+                  By allowing incremental zone transfers to be used for
+                  non-dynamic zones, this option saves bandwidth at the
+                  expense of increased CPU and memory consumption at the
+                  master.
+                  In particular, if the new version of a zone is completely
+                  different from the previous one, the set of differences
+                  will be of a size comparable to the combined size of the
+                  old and new zone version, and the server will need to
+                  temporarily allocate memory to hold this complete
+                  difference set.
+                </p>
+                <p><span class="command"><strong>ixfr-from-differences</strong></span>
+                  also accepts <span class="command"><strong>master</strong></span> (or
+                  <span class="command"><strong>primary</strong></span>) and
+                  <span class="command"><strong>slave</strong></span> (or <span class="command"><strong>secondary</strong></span>)
+                  at the view and options levels, which causes
+                  <span class="command"><strong>ixfr-from-differences</strong></span> to be enabled for
+                  all primary or secondary zones, respectively.
+                  It is off for all zones by default.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
+<dd>
+                <p>
+                  This should be set when you have multiple masters for a zone
+                  and the
+                  addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, <span class="command"><strong>named</strong></span> will
+                  not log
+                  when the serial number on the master is less than what <span class="command"><strong>named</strong></span>
+                  currently
+                  has.  The default is <strong class="userinput"><code>no</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt>
+<dd>
+                <p>
+                  Zones configured for dynamic DNS may use this
+                  option to allow varying levels of automatic DNSSEC key
+                  management. There are three possible settings:
+                </p>
+                <p>
+                  <span class="command"><strong>auto-dnssec allow;</strong></span> permits
+                  keys to be updated and the zone fully re-signed
+                  whenever the user issues the command <span class="command"><strong>rndc sign
+                  <em class="replaceable"><code>zonename</code></em></strong></span>.
+                </p>
+                <p>
+                  <span class="command"><strong>auto-dnssec maintain;</strong></span> includes the
+                  above, but also automatically adjusts the zone's DNSSEC
+                  keys on schedule, according to the keys' timing metadata
+                  (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
+                  <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The command
+                  <span class="command"><strong>rndc sign
+                  <em class="replaceable"><code>zonename</code></em></strong></span> causes
+                  <span class="command"><strong>named</strong></span> to load keys from the key
+                  repository and sign the zone with all keys that are
+                  active.
+                  <span class="command"><strong>rndc loadkeys
+                  <em class="replaceable"><code>zonename</code></em></strong></span> causes
+                  <span class="command"><strong>named</strong></span> to load keys from the key
+                  repository and schedule key maintenance events to occur
+                  in the future, but it does not sign the full zone
+                  immediately.  Note: once keys have been loaded for a
+                  zone the first time, the repository will be searched
+                  for changes periodically, regardless of whether
+                  <span class="command"><strong>rndc loadkeys</strong></span> is used.  The recheck
+                  interval is defined by
+                  <span class="command"><strong>dnssec-loadkeys-interval</strong></span>.)
+                </p>
+                <p>
+                  The default setting is <span class="command"><strong>auto-dnssec off</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-enable</strong></span></span></dt>
+<dd>
+                <p>
+                  This indicates whether DNSSEC-related resource
+                  records are to be returned by <span class="command"><strong>named</strong></span>.
+                  If set to <strong class="userinput"><code>no</code></strong>,
+                  <span class="command"><strong>named</strong></span> will not return DNSSEC-related
+                  resource records unless specifically queried for.
+                  The default is <strong class="userinput"><code>yes</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-validation</strong></span></span></dt>
+<dd>
+                <p>
+                  Enable DNSSEC validation in <span class="command"><strong>named</strong></span>.
+                  Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
+                  set to <strong class="userinput"><code>yes</code></strong> to be effective.
+                  If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
+                  is disabled.
+                </p>
+                <p>
+                  If set to <strong class="userinput"><code>auto</code></strong>, DNSSEC validation
+                  is enabled, and a default trust anchor for the DNS root
+                  zone is used.  If set to <strong class="userinput"><code>yes</code></strong>,
+                  DNSSEC validation is enabled, but a trust anchor must be
+                  manually configured using a <span class="command"><strong>trusted-keys</strong></span>
+                  or <span class="command"><strong>managed-keys</strong></span> statement.  The default
+                  is <strong class="userinput"><code>yes</code></strong>.
+                </p>
+                <p>
+                  The default root trust anchor is stored in the file
+                  <code class="filename">bind.keys</code>.
+                  <span class="command"><strong>named</strong></span> will load that key at
+                  startup if <span class="command"><strong>dnssec-validation</strong></span> is
+                  set to <code class="constant">auto</code>.  A copy of the file is
+                  installed along with BIND 9, and is current as of the
+                  release date.  If the root key expires, a new copy of
+                  <code class="filename">bind.keys</code> can be downloaded
+                  from <a class="link" href="https://www.isc.org/bind-keys" target="_top">https://www.isc.org/bind-keys</a>.
+                </p>
+                <p>
+                  To prevent problems if <code class="filename">bind.keys</code> is
+                  not found, the current trust anchor is also compiled in
+                  to <span class="command"><strong>named</strong></span>.  Relying on this is not
+                  recommended, however, as it requires <span class="command"><strong>named</strong></span>
+                  to be recompiled with a new key when the root key expires.)
+                </p>
+                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                  <p>
+                    <span class="command"><strong>named</strong></span> <span class="emphasis"><em>only</em></span>
+                    loads the root key from <code class="filename">bind.keys</code>.
+                    The file cannot be used to store keys for other zones.
+                    The root key in <code class="filename">bind.keys</code> is ignored
+                    if <span class="command"><strong>dnssec-validation auto</strong></span> is not in
+                    use.
+                  </p>
+                  <p>
+                    Whenever the resolver sends out queries to an
+                    EDNS-compliant server, it always sets the DO bit
+                    indicating it can support DNSSEC responses even if
+                    <span class="command"><strong>dnssec-validation</strong></span> is off.
+                  </p>
+                </div>
+              </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-accept-expired</strong></span></span></dt>
+<dd>
+                <p>
+                  Accept expired signatures when verifying DNSSEC signatures.
+                  The default is <strong class="userinput"><code>no</code></strong>.
+                  Setting this option to <strong class="userinput"><code>yes</code></strong>
+                  leaves <span class="command"><strong>named</strong></span> vulnerable to
+                  replay attacks.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>querylog</strong></span></span></dt>
+<dd>
+                <p>
+                  Specify whether query logging should be started when <span class="command"><strong>named</strong></span>
+                  starts.
+                  If <span class="command"><strong>querylog</strong></span> is not specified,
+                  then the query logging
+                  is determined by the presence of the logging category <span class="command"><strong>queries</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
+<dd>
+                <p>
+                  This option is used to restrict the character set and syntax
+                  of
+                  certain domain names in master files and/or DNS responses
+                  received
+                  from the network.  The default varies according to usage
+                  area.  For
+                  <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>.
+                  For <span class="command"><strong>slave</strong></span> zones the default
+                  is <span class="command"><strong>warn</strong></span>.
+                  For answers received from the network (<span class="command"><strong>response</strong></span>)
+                  the default is <span class="command"><strong>ignore</strong></span>.
+                </p>
+                <p>
+                  The rules for legal hostnames and mail domains are derived
+                  from RFC 952 and RFC 821 as modified by RFC 1123.
+                </p>
+                <p><span class="command"><strong>check-names</strong></span>
+                  applies to the owner names of A, AAAA and MX records.
+                  It also applies to the domain names in the RDATA of NS, SOA,
+                  MX, and SRV records.
+                  It also applies to the RDATA of PTR records where the owner
+                  name indicated that it is a reverse lookup of a hostname
+                  (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>check-dup-records</strong></span></span></dt>
+<dd>
+                <p>
+                  Check master zones for records that are treated as different
+                  by DNSSEC but are semantically equal in plain DNS.  The
+                  default is to <span class="command"><strong>warn</strong></span>.  Other possible
+                  values are <span class="command"><strong>fail</strong></span> and
+                  <span class="command"><strong>ignore</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt>
+<dd>
+                <p>
+                  Check whether the MX record appears to refer to a IP address.
+                  The default is to <span class="command"><strong>warn</strong></span>.  Other possible
+                  values are <span class="command"><strong>fail</strong></span> and
+                  <span class="command"><strong>ignore</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt>
+<dd>
+                <p>
+                  This option is used to check for non-terminal wildcards.
+                  The use of non-terminal wildcards is almost always as a
+                  result of a failure
+                  to understand the wildcard matching algorithm (RFC 1034).
+                  This option
+                  affects master zones.  The default (<span class="command"><strong>yes</strong></span>) is to check
+                  for non-terminal wildcards and issue a warning.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt>
+<dd>
+                <p>
+                  Perform post load zone integrity checks on master
+                  zones.  This checks that MX and SRV records refer
+                  to address (A or AAAA) records and that glue
+                  address records exist for delegated zones.  For
+                  MX and SRV records only in-zone hostnames are
+                  checked (for out-of-zone hostnames use
+                  <span class="command"><strong>named-checkzone</strong></span>).
+                  For NS records only names below top of zone are
+                  checked (for out-of-zone names and glue consistency
+                  checks use <span class="command"><strong>named-checkzone</strong></span>).
+                  The default is <span class="command"><strong>yes</strong></span>.
+                </p>
+                <p>
+                  The use of the SPF record for publishing Sender
+                  Policy Framework is deprecated as the migration
+                  from using TXT records to SPF records was abandoned.
+                  Enabling this option also checks that a TXT Sender
+                  Policy Framework record exists (starts with "v=spf1")
+                  if there is an SPF record. Warnings are emitted if the
+                  TXT record does not exist and can be suppressed with
+                  <span class="command"><strong>check-spf</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>check-mx-cname</strong></span></span></dt>
+<dd>
+                <p>
+                  If <span class="command"><strong>check-integrity</strong></span> is set then
+                  fail, warn or ignore MX records that refer
+                  to CNAMES.  The default is to <span class="command"><strong>warn</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>check-srv-cname</strong></span></span></dt>
+<dd>
+                <p>
+                  If <span class="command"><strong>check-integrity</strong></span> is set then
+                  fail, warn or ignore SRV records that refer
+                  to CNAMES.  The default is to <span class="command"><strong>warn</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt>
+<dd>
+                <p>
+                  When performing integrity checks, also check that
+                  sibling glue exists.  The default is <span class="command"><strong>yes</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt>
+<dd>
+                <p>
+                  If <span class="command"><strong>check-integrity</strong></span> is set then
+                  check that there is a TXT Sender Policy Framework
+                  record present (starts with "v=spf1") if there is an
+                  SPF record present. The default is
+                  <span class="command"><strong>warn</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt>
+<dd>
+                <p>
+                  When returning authoritative negative responses to
+                  SOA queries set the TTL of the SOA record returned in
+                  the authority section to zero.
+                  The default is <span class="command"><strong>yes</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl-cache</strong></span></span></dt>
+<dd>
+                <p>
+                  When caching a negative response to a SOA query
+                  set the TTL to zero.
+                  The default is <span class="command"><strong>no</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt>
+<dd>
+                <p>
+                  When set to the default value of <code class="literal">yes</code>,
+                  check the KSK bit in each key to determine how the key
+                  should be used when generating RRSIGs for a secure zone.
+                </p>
+                <p>
+                  Ordinarily, zone-signing keys (that is, keys without the
+                  KSK bit set) are used to sign the entire zone, while
+                  key-signing keys (keys with the KSK bit set) are only
+                  used to sign the DNSKEY RRset at the zone apex.
+                  However, if this option is set to <code class="literal">no</code>,
+                  then the KSK bit is ignored; KSKs are treated as if they
+                  were ZSKs and are used to sign the entire zone.  This is
+                  similar to the <span class="command"><strong>dnssec-signzone -z</strong></span>
+                  command line option.
+                </p>
+                <p>
+                  When this option is set to <code class="literal">yes</code>, there
+                  must be at least two active keys for every algorithm
+                  represented in the DNSKEY RRset: at least one KSK and one
+                  ZSK per algorithm.  If there is any algorithm for which
+                  this requirement is not met, this option will be ignored
+                  for that algorithm.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt>
+<dd>
+                <p>
+                  When this option and <span class="command"><strong>update-check-ksk</strong></span>
+                  are both set to <code class="literal">yes</code>, only key-signing
+                  keys (that is, keys with the KSK bit set) will be used
+                  to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex.
+                  Zone-signing keys (keys without the KSK bit set) will be used
+                  to sign the remainder of the zone, but not the DNSKEY RRset.
+                  This is similar to the
+                  <span class="command"><strong>dnssec-signzone -x</strong></span> command line option.
+                </p>
+                <p>
+                  The default is <span class="command"><strong>no</strong></span>.  If
+                  <span class="command"><strong>update-check-ksk</strong></span> is set to
+                  <code class="literal">no</code>, this option is ignored.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt>
+<dd>
+                <p>
+                  Try to refresh the zone using TCP if UDP queries fail.
+                  For BIND 8 compatibility, the default is
+                  <span class="command"><strong>yes</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt>
+<dd>
+                <p>
+                  Allow a dynamic zone to transition from secure to
+                  insecure (i.e., signed to unsigned) by deleting all
+                  of the DNSKEY records.  The default is <span class="command"><strong>no</strong></span>.
+                  If set to <span class="command"><strong>yes</strong></span>, and if the DNSKEY RRset
+                  at the zone apex is deleted, all RRSIG and NSEC records
+                  will be removed from the zone as well.
+                </p>
+                <p>
+                  If the zone uses NSEC3, then it is also necessary to
+                  delete the NSEC3PARAM RRset from the zone apex; this will
+                  cause the removal of all corresponding NSEC3 records.
+                  (It is expected that this requirement will be eliminated
+                  in a future release.)
+                </p>
+                <p>
+                  Note that if a zone has been configured with
+                  <span class="command"><strong>auto-dnssec maintain</strong></span> and the
+                  private keys remain accessible in the key repository,
+                  then the zone will be automatically signed again the
+                  next time <span class="command"><strong>named</strong></span> is started.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>synth-from-dnssec</strong></span></span></dt>
+<dd>
+                <p>
+                  Synthesize answers from cached NSEC, NSEC3 and
+                  other RRsets that have been proved to be correct
+                  using DNSSEC.  The default is <span class="command"><strong>yes</strong></span>.
+                </p>
+                <p>
+                  Note:
+                  </p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+                      <p>
+                        DNSSEC validation must be enabled for this
+                        option to be effective.
+                      </p>
+                      <p>
+                        This initial implementation only covers synthesis
+                        of answers from NSEC records.  Synthesis from NSEC3
+                        is planned for the future.  This will also be
+                        controlled by <span class="command"><strong>synth-from-dnssec</strong></span>.
+                      </p>
+                    </li></ul></div>
+<p>
+                </p>
+              </dd>
+</dl></div>
+
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="forwarding"></a>Forwarding</h4></div></div></div>
+
+          <p>
+            The forwarding facility can be used to create a large site-wide
+            cache on a few servers, reducing traffic over links to external
+            name servers. It can also be used to allow queries by servers that
+            do not have direct access to the Internet, but wish to look up
+            exterior
+            names anyway. Forwarding occurs only on those queries for which
+            the server is not authoritative and does not have the answer in
+            its cache.
+          </p>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
+<dd>
+                <p>
+                  This option is only meaningful if the
+                  forwarders list is not empty. A value of <code class="varname">first</code>,
+                  the default, causes the server to query the forwarders
+                  first &#8212; and
+                  if that doesn't answer the question, the server will then
+                  look for
+                  the answer itself. If <code class="varname">only</code> is
+                  specified, the
+                  server will only query the forwarders.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies the IP addresses to be used
+                  for forwarding. The default is the empty list (no
+                  forwarding).
+                </p>
+              </dd>
+</dl></div>
+
+          <p>
+            Forwarding can also be configured on a per-domain basis, allowing
+            for the global forwarding options to be overridden in a variety
+            of ways. You can set particular domains to use different
+            forwarders,
+            or have a different <span class="command"><strong>forward only/first</strong></span> behavior,
+            or not forward at all, see <a class="xref" href="Bv9ARM.ch05.html#zone_statement_grammar" title="zone Statement Grammar">the section called &#8220;<span class="command"><strong>zone</strong></span>
+            Statement Grammar&#8221;</a>.
+          </p>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="dual_stack"></a>Dual-stack Servers</h4></div></div></div>
+
+          <p>
+            Dual-stack servers are used as servers of last resort to work
+            around
+            problems in reachability due the lack of support for either IPv4
+            or IPv6
+            on the host machine.
+          </p>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>dual-stack-servers</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies host names or addresses of machines with access to
+                  both IPv4 and IPv6 transports. If a hostname is used, the
+                  server must be able
+                  to resolve the name using only the transport it has.  If the
+                  machine is dual
+                  stacked, then the <span class="command"><strong>dual-stack-servers</strong></span> have no effect unless
+                  access to a transport has been disabled on the command line
+                  (e.g. <span class="command"><strong>named -4</strong></span>).
+                </p>
+              </dd>
+</dl></div>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="access_control"></a>Access Control</h4></div></div></div>
+
+
+          <p>
+            Access to the server can be restricted based on the IP address
+            of the requesting system. See <a class="xref" href="Bv9ARM.ch05.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
+            details on how to specify IP address lists.
+          </p>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies which hosts are allowed to
+                  notify this server, a slave, of zone changes in addition
+                  to the zone masters.
+                  <span class="command"><strong>allow-notify</strong></span> may also be
+                  specified in the
+                  <span class="command"><strong>zone</strong></span> statement, in which case
+                  it overrides the
+                  <span class="command"><strong>options allow-notify</strong></span>
+                  statement.  It is only meaningful
+                  for a slave zone.  If not specified, the default is to
+                  process notify messages
+                  only from a zone's master.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies which hosts are allowed to ask ordinary
+                  DNS questions. <span class="command"><strong>allow-query</strong></span> may
+                  also be specified in the <span class="command"><strong>zone</strong></span>
+                  statement, in which case it overrides the
+                  <span class="command"><strong>options allow-query</strong></span> statement.
+                  If not specified, the default is to allow queries
+                  from all hosts.
+                </p>
+                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                  <p>
+                    <span class="command"><strong>allow-query-cache</strong></span> is now
+                    used to specify access to the cache.
+                  </p>
+                </div>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies which local addresses can accept ordinary
+                  DNS questions. This makes it possible, for instance,
+                  to allow queries on internal-facing interfaces but
+                  disallow them on external-facing ones, without
+                  necessarily knowing the internal network's addresses.
+                </p>
+                <p>
+                  Note that <span class="command"><strong>allow-query-on</strong></span> is only
+                  checked for queries that are permitted by
+                  <span class="command"><strong>allow-query</strong></span>.  A query must be
+                  allowed by both ACLs, or it will be refused.
+                </p>
+                <p>
+                  <span class="command"><strong>allow-query-on</strong></span> may
+                  also be specified in the <span class="command"><strong>zone</strong></span>
+                  statement, in which case it overrides the
+                  <span class="command"><strong>options allow-query-on</strong></span> statement.
+                </p>
+                <p>
+                  If not specified, the default is to allow queries
+                  on all addresses.
+                </p>
+                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                  <p>
+                    <span class="command"><strong>allow-query-cache</strong></span> is
+                    used to specify access to the cache.
+                  </p>
+                </div>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-query-cache</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies which hosts are allowed to get answers
+                  from the cache.  If <span class="command"><strong>allow-query-cache</strong></span>
+                  is not set then <span class="command"><strong>allow-recursion</strong></span>
+                  is used if set, otherwise <span class="command"><strong>allow-query</strong></span>
+                  is used if set unless <span class="command"><strong>recursion no;</strong></span> is
+                  set in which case <span class="command"><strong>none;</strong></span> is used,
+                  otherwise the default (<span class="command"><strong>localnets;</strong></span>
+                  <span class="command"><strong>localhost;</strong></span>) is used.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-query-cache-on</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies which local addresses can give answers
+                  from the cache.  If not specified, the default is
+                  to allow cache queries on any address,
+                  <span class="command"><strong>localnets</strong></span> and
+                  <span class="command"><strong>localhost</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-recursion</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies which hosts are allowed to make recursive
+                  queries through this server. If
+                  <span class="command"><strong>allow-recursion</strong></span> is not set
+                  then <span class="command"><strong>allow-query-cache</strong></span> is
+                  used if set, otherwise <span class="command"><strong>allow-query</strong></span>
+                  is used if set, otherwise the default
+                  (<span class="command"><strong>localnets;</strong></span>
+                  <span class="command"><strong>localhost;</strong></span>) is used.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-recursion-on</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies which local addresses can accept recursive
+                  queries.  If not specified, the default is to allow
+                  recursive queries on all addresses.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies which hosts are allowed to
+                  submit Dynamic DNS updates for master zones. The default is
+                  to deny
+                  updates from all hosts.  Note that allowing updates based
+                  on the requestor's IP address is insecure; see
+                  <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies which hosts are allowed to
+                  submit Dynamic DNS updates to slave zones to be forwarded to
+                  the
+                  master.  The default is <strong class="userinput"><code>{ none; }</code></strong>,
+                  which
+                  means that no update forwarding will be performed.  To
+                  enable
+                  update forwarding, specify
+                  <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
+                  Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
+                  <strong class="userinput"><code>{ any; }</code></strong> is usually
+                  counterproductive, since
+                  the responsibility for update access control should rest
+                  with the
+                  master server, not the slaves.
+                </p>
+                <p>
+                  Note that enabling the update forwarding feature on a slave
+                  server
+                  may expose master servers relying on insecure IP address
+                  based
+                  access control to attacks; see <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
+                  for more details.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt>
+<dd>
+                <p>
+                  This option was introduced for the smooth transition from
+                  AAAA
+                  to A6 and from "nibble labels" to binary labels.
+                  However, since both A6 and binary labels were then
+                  deprecated,
+                  this option was also deprecated.
+                  It is now ignored with some warning messages.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies which hosts are allowed to
+                  receive zone transfers from the server. <span class="command"><strong>allow-transfer</strong></span> may
+                  also be specified in the <span class="command"><strong>zone</strong></span>
+                  statement, in which
+                  case it overrides the <span class="command"><strong>options allow-transfer</strong></span> statement.
+                  If not specified, the default is to allow transfers to all
+                  hosts.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>blackhole</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies a list of addresses that the
+                  server will not accept queries from or use to resolve a
+                  query. Queries
+                  from these addresses will not be responded to. The default
+                  is <strong class="userinput"><code>none</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies a list of addresses to which
+                  <span class="command"><strong>filter-aaaa-on-v4</strong></span>
+                  and <span class="command"><strong>filter-aaaa-on-v6</strong></span>
+                  apply.  The default is <strong class="userinput"><code>any</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>keep-response-order</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies a list of addresses to which the server
+                  will send responses to TCP queries in the same order
+                  in which they were received.  This disables the
+                  processing of TCP queries in parallel. The default
+                  is <strong class="userinput"><code>none</code></strong>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>no-case-compress</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies a list of addresses which require responses
+                  to use case-insensitive compression.  This ACL can be
+                  used when <span class="command"><strong>named</strong></span> needs to work with
+                  clients that do not comply with the requirement in RFC
+                  1034 to use case-insensitive name comparisons when
+                  checking for matching domain names.
+                </p>
+                <p>
+                  If left undefined, the ACL defaults to
+                  <span class="command"><strong>none</strong></span>: case-insensitive compression
+                  will be used for all clients.  If the ACL is defined and
+                  matches a client, then case will be ignored when
+                  compressing domain names in DNS responses sent to that
+                  client.
+                </p>
+                <p>
+                  This can result in slightly smaller responses: if
+                  a response contains the names "example.com" and
+                  "example.COM", case-insensitive compression would treat
+                  the second one as a duplicate.  It also ensures
+                  that the case of the query name exactly matches the
+                  case of the owner names of returned records, rather
+                  than matching the case of the records entered in
+                  the zone file.  This allows responses to exactly
+                  match the query, which is required by some clients
+                  due to incorrect use of case-sensitive comparisons.
+                </p>
+                <p>
+                  Case-insensitive compression is <span class="emphasis"><em>always</em></span>
+                  used in AXFR and IXFR responses, regardless of whether
+                  the client matches this ACL.
+                </p>
+                <p>
+                  There are circumstances in which <span class="command"><strong>named</strong></span>
+                  will not preserve the case of owner names of records:
+                  if a zone file defines records of different types with
+                  the same name, but the capitalization of the name is
+                  different (e.g., "www.example.com/A" and
+                  "WWW.EXAMPLE.COM/AAAA"), then all responses for that
+                  name will use the <span class="emphasis"><em>first</em></span> version
+                  of the name that was used in the zone file.  This
+                  limitation may be addressed in a future release.  However,
+                  domain names specified in the rdata of resource records
+                  (i.e., records of type NS, MX, CNAME, etc) will always
+                  have their case preserved unless the client matches this
+                  ACL.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>resolver-query-timeout</strong></span></span></dt>
+<dd>
+                <p>
+                  The amount of time in milliseconds that the resolver
+                  will spend attempting to resolve a recursive
+                  query before failing.  The default and minimum
+                  is <code class="literal">10000</code> and the maximum is
+                  <code class="literal">30000</code>.  Setting it to
+                  <code class="literal">0</code> will result in the default
+                  being used.
+                </p>
+                <p>
+                  This value was originally specified in seconds.
+                  Values less than or equal to 300 will be be treated
+                  as seconds and converted to milliseconds before
+                  applying the above limits.
+                </p>
+              </dd>
+</dl></div>
+
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="interfaces"></a>Interfaces</h4></div></div></div>
+
+          <p>
+            The interfaces and ports that the server will answer queries
+            from may be specified using the <span class="command"><strong>listen-on</strong></span> option. <span class="command"><strong>listen-on</strong></span> takes
+            an optional port and an <code class="varname">address_match_list</code>
+            of IPv4 addresses.  (IPv6 addresses are ignored, with a
+            logged warning.)
+            The server will listen on all interfaces allowed by the address
+            match list. If a port is not specified, port 53 will be used.
+          </p>
+          <p>
+            Multiple <span class="command"><strong>listen-on</strong></span> statements are
+            allowed.
+            For example,
+          </p>
+
+<pre class="programlisting">listen-on { 5.6.7.8; };
+listen-on port 1234 { !1.2.3.4; 1.2/16; };
+</pre>
+
+          <p>
+            will enable the name server on port 53 for the IP address
+            5.6.7.8, and on port 1234 of an address on the machine in net
+            1.2 that is not 1.2.3.4.
+          </p>
+
+          <p>
+            If no <span class="command"><strong>listen-on</strong></span> is specified, the
+            server will listen on port 53 on all IPv4 interfaces.
+          </p>
+
+          <p>
+            The <span class="command"><strong>listen-on-v6</strong></span> option is used to
+            specify the interfaces and the ports on which the server will
+            listen for incoming queries sent using IPv6.  If not specified,
+            the server will listen on port 53 on all IPv6 interfaces.
+          </p>
+
+          <p>
+            When </p>
+<pre class="programlisting">{ any; }</pre>
+<p> is
+            specified
+            as the <code class="varname">address_match_list</code> for the
+            <span class="command"><strong>listen-on-v6</strong></span> option,
+            the server does not bind a separate socket to each IPv6 interface
+            address as it does for IPv4 if the operating system has enough API
+            support for IPv6 (specifically if it conforms to RFC 3493 and RFC
+            3542).
+            Instead, it listens on the IPv6 wildcard address.
+            If the system only has incomplete API support for IPv6, however,
+            the behavior is the same as that for IPv4.
+          </p>
+
+          <p>
+            A list of particular IPv6 addresses can also be specified, in
+            which case
+            the server listens on a separate socket for each specified
+            address,
+            regardless of whether the desired API is supported by the system.
+            IPv4 addresses specified in <span class="command"><strong>listen-on-v6</strong></span>
+            will be ignored, with a logged warning.
+          </p>
+
+          <p>
+            Multiple <span class="command"><strong>listen-on-v6</strong></span> options can
+            be used.
+            For example,
+          </p>
+
+<pre class="programlisting">listen-on-v6 { any; };
+listen-on-v6 port 1234 { !2001:db8::/32; any; };
+</pre>
+
+          <p>
+            will enable the name server on port 53 for any IPv6 addresses
+            (with a single wildcard socket),
+            and on port 1234 of IPv6 addresses that is not in the prefix
+            2001:db8::/32 (with separate sockets for each matched address.)
+          </p>
+
+          <p>
+            To make the server not listen on any IPv6 address, use
+          </p>
+
+<pre class="programlisting">listen-on-v6 { none; };
+</pre>
+
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="query_address"></a>Query Address</h4></div></div></div>
+
+          <p>
+            If the server doesn't know the answer to a question, it will
+            query other name servers. <span class="command"><strong>query-source</strong></span> specifies
+            the address and port used for such queries. For queries sent over
+            IPv6, there is a separate <span class="command"><strong>query-source-v6</strong></span> option.
+            If <span class="command"><strong>address</strong></span> is <span class="command"><strong>*</strong></span> (asterisk) or is omitted,
+            a wildcard IP address (<span class="command"><strong>INADDR_ANY</strong></span>)
+            will be used.
+          </p>
+
+          <p>
+            If <span class="command"><strong>port</strong></span> is <span class="command"><strong>*</strong></span> or is omitted,
+            a random port number from a pre-configured
+            range is picked up and will be used for each query.
+            The port range(s) is that specified in
+            the <span class="command"><strong>use-v4-udp-ports</strong></span> (for IPv4)
+            and <span class="command"><strong>use-v6-udp-ports</strong></span> (for IPv6)
+            options, excluding the ranges specified in
+            the <span class="command"><strong>avoid-v4-udp-ports</strong></span>
+            and <span class="command"><strong>avoid-v6-udp-ports</strong></span> options, respectively.
+          </p>
+
+          <p>
+            The defaults of the <span class="command"><strong>query-source</strong></span> and
+            <span class="command"><strong>query-source-v6</strong></span> options
+            are:
+          </p>
+
+<pre class="programlisting">query-source address * port *;
+query-source-v6 address * port *;
+</pre>
+
+          <p>
+            If <span class="command"><strong>use-v4-udp-ports</strong></span> or
+            <span class="command"><strong>use-v6-udp-ports</strong></span> is unspecified,
+            <span class="command"><strong>named</strong></span> will check if the operating
+            system provides a programming interface to retrieve the
+            system's default range for ephemeral ports.
+            If such an interface is available,
+            <span class="command"><strong>named</strong></span> will use the corresponding system
+            default range; otherwise, it will use its own defaults:
+         </p>
+
+<pre class="programlisting">use-v4-udp-ports { range 1024 65535; };
+use-v6-udp-ports { range 1024 65535; };
+</pre>
+
+          <p>
+            Note: make sure the ranges be sufficiently large for
+            security.  A desirable size depends on various parameters,
+            but we generally recommend it contain at least 16384 ports
+            (14 bits of entropy).
+            Note also that the system's default range when used may be
+            too small for this purpose, and that the range may even be
+            changed while <span class="command"><strong>named</strong></span> is running; the new
+            range will automatically be applied when <span class="command"><strong>named</strong></span>
+            is reloaded.
+            It is encouraged to
+            configure <span class="command"><strong>use-v4-udp-ports</strong></span> and
+            <span class="command"><strong>use-v6-udp-ports</strong></span> explicitly so that the
+            ranges are sufficiently large and are reasonably
+            independent from the ranges used by other applications.
+          </p>
+
+          <p>
+            Note: the operational configuration
+            where <span class="command"><strong>named</strong></span> runs may prohibit the use
+            of some ports.  For example, UNIX systems will not allow
+            <span class="command"><strong>named</strong></span> running without a root privilege
+            to use ports less than 1024.
+            If such ports are included in the specified (or detected)
+            set of query ports, the corresponding query attempts will
+            fail, resulting in resolution failures or delay.
+            It is therefore important to configure the set of ports
+            that can be safely used in the expected operational environment.
+          </p>
+
+          <p>
+            The defaults of the <span class="command"><strong>avoid-v4-udp-ports</strong></span> and
+            <span class="command"><strong>avoid-v6-udp-ports</strong></span> options
+            are:
+          </p>
+
+<pre class="programlisting">avoid-v4-udp-ports {};
+avoid-v6-udp-ports {};
+</pre>
+
+          <p>
+            Note: BIND 9.5.0 introduced
+            the <span class="command"><strong>use-queryport-pool</strong></span>
+            option to support a pool of such random ports, but this
+            option is now obsolete because reusing the same ports in
+            the pool may not be sufficiently secure.
+            For the same reason, it is generally strongly discouraged to
+            specify a particular port for the
+            <span class="command"><strong>query-source</strong></span> or
+            <span class="command"><strong>query-source-v6</strong></span> options;
+            it implicitly disables the use of randomized port numbers.
+          </p>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>use-queryport-pool</strong></span></span></dt>
+<dd>
+                <p>
+                  This option is obsolete.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>queryport-pool-ports</strong></span></span></dt>
+<dd>
+                <p>
+                  This option is obsolete.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>queryport-pool-updateinterval</strong></span></span></dt>
+<dd>
+                <p>
+                  This option is obsolete.
+                </p>
+              </dd>
+</dl></div>
+          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+            <p>
+              The address specified in the <span class="command"><strong>query-source</strong></span> option
+              is used for both UDP and TCP queries, but the port applies only
+              to UDP queries.  TCP queries always use a random
+              unprivileged port.
+            </p>
+          </div>
+          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+            <p>
+              Solaris 2.5.1 and earlier does not support setting the source
+              address for TCP sockets.
+            </p>
+          </div>
+          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+            <p>
+              See also <span class="command"><strong>transfer-source</strong></span> and
+              <span class="command"><strong>notify-source</strong></span>.
+            </p>
+          </div>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
+
+          <p>
+            <acronym class="acronym">BIND</acronym> has mechanisms in place to
+            facilitate zone transfers
+            and set limits on the amount of load that transfers place on the
+            system. The following options apply to zone transfers.
+          </p>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt>
+<dd>
+                <p>
+                  Defines a global list of IP addresses of name servers
+                  that are also sent NOTIFY messages whenever a fresh copy of
+                  the
+                  zone is loaded, in addition to the servers listed in the
+                  zone's NS records.
+                  This helps to ensure that copies of the zones will
+                  quickly converge on stealth servers.
+                  Optionally, a port may be specified with each
+                  <span class="command"><strong>also-notify</strong></span> address to send
+                  the notify messages to a port other than the
+                  default of 53.
+                  An optional TSIG key can also be specified with each
+                  address to cause the notify messages to be signed; this
+                  can be useful when sending notifies to multiple views.
+                  In place of explicit addresses, one or more named
+                  <span class="command"><strong>masters</strong></span> lists can be used.
+                </p>
+                <p>
+                  If an <span class="command"><strong>also-notify</strong></span> list
+                  is given in a <span class="command"><strong>zone</strong></span> statement,
+                  it will override
+                  the <span class="command"><strong>options also-notify</strong></span>
+                  statement. When a <span class="command"><strong>zone notify</strong></span>
+                  statement
+                  is set to <span class="command"><strong>no</strong></span>, the IP
+                  addresses in the global <span class="command"><strong>also-notify</strong></span> list will
+                  not be sent NOTIFY messages for that zone. The default is
+                  the empty
+                  list (no global notification list).
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
+<dd>
+                <p>
+                  Inbound zone transfers running longer than
+                  this many minutes will be terminated. The default is 120
+                  minutes
+                  (2 hours).  The maximum value is 28 days (40320 minutes).
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt>
+<dd>
+                <p>
+                  Inbound zone transfers making no progress
+                  in this many minutes will be terminated. The default is 60
+                  minutes
+                  (1 hour).  The maximum value is 28 days (40320 minutes).
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt>
+<dd>
+                <p>
+                  Outbound zone transfers running longer than
+                  this many minutes will be terminated. The default is 120
+                  minutes
+                  (2 hours).  The maximum value is 28 days (40320 minutes).
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt>
+<dd>
+                <p>
+                  Outbound zone transfers making no progress
+                  in this many minutes will be terminated.  The default is 60
+                  minutes (1
+                  hour).  The maximum value is 28 days (40320 minutes).
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>notify-rate</strong></span></span></dt>
+<dd>
+                <p>
+                  The rate at which NOTIFY requests will be sent
+                  during normal zone maintenance operations. (NOTIFY
+                  requests due to initial zone loading are subject
+                  to a separate rate limit; see below.) The default is
+                  20 per second.
+                  The lowest possible rate is one per second; when set
+                  to zero, it will be silently raised to one.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>startup-notify-rate</strong></span></span></dt>
+<dd>
+                <p>
+                  The rate at which NOTIFY requests will be sent
+                  when the name server is first starting up, or when
+                  zones have been newly added to the nameserver.
+                  The default is 20 per second.
+                  The lowest possible rate is one per second; when set
+                  to zero, it will be silently raised to one.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>serial-query-rate</strong></span></span></dt>
+<dd>
+                <p>
+                  Slave servers will periodically query master
+                  servers to find out if zone serial numbers have
+                  changed. Each such query uses a minute amount of
+                  the slave server's network bandwidth.  To limit
+                  the amount of bandwidth used, BIND 9 limits the
+                  rate at which queries are sent.  The value of the
+                  <span class="command"><strong>serial-query-rate</strong></span> option, an
+                  integer, is the maximum number of queries sent
+                  per second.  The default is 20 per second.
+                  The lowest possible rate is one per second; when set
+                  to zero, it will be silently raised to one.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>serial-queries</strong></span></span></dt>
+<dd>
+                <p>
+                  In BIND 8, the <span class="command"><strong>serial-queries</strong></span>
+                  option
+                  set the maximum number of concurrent serial number queries
+                  allowed to be outstanding at any given time.
+                  BIND 9 does not limit the number of outstanding
+                  serial queries and ignores the <span class="command"><strong>serial-queries</strong></span> option.
+                  Instead, it limits the rate at which the queries are sent
+                  as defined using the <span class="command"><strong>serial-query-rate</strong></span> option.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>transfer-format</strong></span></span></dt>
+<dd>
+
+                <p>
+                  Zone transfers can be sent using two different formats,
+                  <span class="command"><strong>one-answer</strong></span> and
+                  <span class="command"><strong>many-answers</strong></span>.
+                  The <span class="command"><strong>transfer-format</strong></span> option is used
+                  on the master server to determine which format it sends.
+                  <span class="command"><strong>one-answer</strong></span> uses one DNS message per
+                  resource record transferred.
+                  <span class="command"><strong>many-answers</strong></span> packs as many resource
+                  records as possible into a message.
+                  <span class="command"><strong>many-answers</strong></span> is more efficient, but is
+                  only supported by relatively new slave servers,
+                  such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
+                  8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
+                  The <span class="command"><strong>many-answers</strong></span> format is also supported by
+                  recent Microsoft Windows nameservers.
+                  The default is <span class="command"><strong>many-answers</strong></span>.
+                  <span class="command"><strong>transfer-format</strong></span> may be overridden on a
+                  per-server basis by using the <span class="command"><strong>server</strong></span>
+                  statement.
+                </p>
+
+              </dd>
+<dt><span class="term"><span class="command"><strong>transfer-message-size</strong></span></span></dt>
+<dd>
+                <p>
+                  This is an upper bound on the uncompressed size of DNS
+                  messages used in zone transfers over TCP.  If a message
+                  grows larger than this size, additional messages will be
+                  used to complete the zone transfer.  (Note, however,
+                  that this is a hint, not a hard limit; if a message
+                  contains a single resource record whose RDATA does not
+                  fit within the size limit, a larger message will be
+                  permitted so the record can be transferred.)
+                </p>
+                <p>
+                  Valid values are between 512 and 65535 octets, and any
+                  values outside that range will be adjusted to the nearest
+                  value within it.  The default is <code class="literal">20480</code>,
+                  which was selected to improve message compression:
+                  most DNS messages of this size will compress to less
+                  than 16536 bytes.  Larger messages cannot be compressed
+                  as effectively, because 16536 is the largest permissible
+                  compression offset pointer in a DNS message.
+                </p>
+                <p>
+                  This option is mainly intended for server testing;
+                  there is rarely any benefit in setting a value other
+                  than the default.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>transfers-in</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum number of inbound zone transfers
+                  that can be running concurrently. The default value is <code class="literal">10</code>.
+                  Increasing <span class="command"><strong>transfers-in</strong></span> may
+                  speed up the convergence
+                  of slave zones, but it also may increase the load on the
+                  local system.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>transfers-out</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum number of outbound zone transfers
+                  that can be running concurrently. Zone transfer requests in
+                  excess
+                  of the limit will be refused. The default value is <code class="literal">10</code>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>transfers-per-ns</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum number of inbound zone transfers
+                  that can be concurrently transferring from a given remote
+                  name server.
+                  The default value is <code class="literal">2</code>.
+                  Increasing <span class="command"><strong>transfers-per-ns</strong></span>
+                  may
+                  speed up the convergence of slave zones, but it also may
+                  increase
+                  the load on the remote name server. <span class="command"><strong>transfers-per-ns</strong></span> may
+                  be overridden on a per-server basis by using the <span class="command"><strong>transfers</strong></span> phrase
+                  of the <span class="command"><strong>server</strong></span> statement.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt>
+<dd>
+                <p><span class="command"><strong>transfer-source</strong></span>
+                  determines which local address will be bound to IPv4
+                  TCP connections used to fetch zones transferred
+                  inbound by the server.  It also determines the
+                  source IPv4 address, and optionally the UDP port,
+                  used for the refresh queries and forwarded dynamic
+                  updates.  If not set, it defaults to a system
+                  controlled value which will usually be the address
+                  of the interface "closest to" the remote end. This
+                  address must appear in the remote end's
+                  <span class="command"><strong>allow-transfer</strong></span> option for the
+                  zone being transferred, if one is specified. This
+                  statement sets the
+                  <span class="command"><strong>transfer-source</strong></span> for all zones,
+                  but can be overridden on a per-view or per-zone
+                  basis by including a
+                  <span class="command"><strong>transfer-source</strong></span> statement within
+                  the <span class="command"><strong>view</strong></span> or
+                  <span class="command"><strong>zone</strong></span> block in the configuration
+                  file.
+                </p>
+                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                  <p>
+                    Solaris 2.5.1 and earlier does not support setting the
+                    source address for TCP sockets.
+                  </p>
+                </div>
+              </dd>
+<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt>
+<dd>
+                <p>
+                  The same as <span class="command"><strong>transfer-source</strong></span>,
+                  except zone transfers are performed using IPv6.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt>
+<dd>
+                <p>
+                  An alternate transfer source if the one listed in
+                  <span class="command"><strong>transfer-source</strong></span> fails and
+                  <span class="command"><strong>use-alt-transfer-source</strong></span> is
+                  set.
+                </p>
+                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+                  If you do not wish the alternate transfer source
+                  to be used, you should set
+                  <span class="command"><strong>use-alt-transfer-source</strong></span>
+                  appropriately and you should not depend upon
+                  getting an answer back to the first refresh
+                  query.
+                </p>
+</div>
+              </dd>
+<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt>
+<dd>
+                <p>
+                  An alternate transfer source if the one listed in
+                  <span class="command"><strong>transfer-source-v6</strong></span> fails and
+                  <span class="command"><strong>use-alt-transfer-source</strong></span> is
+                  set.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt>
+<dd>
+                <p>
+                  Use the alternate transfer sources or not.  If views are
+                  specified this defaults to <span class="command"><strong>no</strong></span>
+                  otherwise it defaults to
+                  <span class="command"><strong>yes</strong></span> (for BIND 8
+                  compatibility).
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt>
+<dd>
+                <p><span class="command"><strong>notify-source</strong></span>
+                  determines which local source address, and
+                  optionally UDP port, will be used to send NOTIFY
+                  messages.  This address must appear in the slave
+                  server's <span class="command"><strong>masters</strong></span> zone clause or
+                  in an <span class="command"><strong>allow-notify</strong></span> clause.  This
+                  statement sets the <span class="command"><strong>notify-source</strong></span>
+                  for all zones, but can be overridden on a per-zone or
+                  per-view basis by including a
+                  <span class="command"><strong>notify-source</strong></span> statement within
+                  the <span class="command"><strong>zone</strong></span> or
+                  <span class="command"><strong>view</strong></span> block in the configuration
+                  file.
+                </p>
+                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                  <p>
+                    Solaris 2.5.1 and earlier does not support setting the
+                    source address for TCP sockets.
+                  </p>
+                </div>
+              </dd>
+<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt>
+<dd>
+                <p>
+                  Like <span class="command"><strong>notify-source</strong></span>,
+                  but applies to notify messages sent to IPv6 addresses.
+                </p>
+              </dd>
+</dl></div>
+
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="port_lists"></a>UDP Port Lists</h4></div></div></div>
+
+          <p>
+            <span class="command"><strong>use-v4-udp-ports</strong></span>,
+            <span class="command"><strong>avoid-v4-udp-ports</strong></span>,
+            <span class="command"><strong>use-v6-udp-ports</strong></span>, and
+            <span class="command"><strong>avoid-v6-udp-ports</strong></span>
+            specify a list of IPv4 and IPv6 UDP ports that will be
+            used or not used as source ports for UDP messages.
+            See <a class="xref" href="Bv9ARM.ch05.html#query_address" title="Query Address">the section called &#8220;Query Address&#8221;</a> about how the
+            available ports are determined.
+            For example, with the following configuration
+          </p>
+
+<pre class="programlisting">
+use-v6-udp-ports { range 32768 65535; };
+avoid-v6-udp-ports { 40000; range 50000 60000; };
+</pre>
+
+           <p>
+             UDP ports of IPv6 messages sent
+             from <span class="command"><strong>named</strong></span> will be in one
+             of the following ranges: 32768 to 39999, 40001 to 49999,
+             and 60001 to 65535.
+           </p>
+
+           <p>
+             <span class="command"><strong>avoid-v4-udp-ports</strong></span> and
+             <span class="command"><strong>avoid-v6-udp-ports</strong></span> can be used
+             to prevent <span class="command"><strong>named</strong></span> from choosing as its random source port a
+             port that is blocked by your firewall or a port that is
+             used by other applications;
+             if a query went out with a source port blocked by a
+             firewall, the
+             answer would not get by the firewall and the name server would
+             have to query again.
+             Note: the desired range can also be represented only with
+             <span class="command"><strong>use-v4-udp-ports</strong></span> and
+             <span class="command"><strong>use-v6-udp-ports</strong></span>, and the
+             <span class="command"><strong>avoid-</strong></span> options are redundant in that
+             sense; they are provided for backward compatibility and
+             to possibly simplify the port specification.
+           </p>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="resource_limits"></a>Operating System Resource Limits</h4></div></div></div>
+
+          <p>
+            The server's usage of many system resources can be limited.
+            Scaled values are allowed when specifying resource limits.  For
+            example, <span class="command"><strong>1G</strong></span> can be used instead of
+            <span class="command"><strong>1073741824</strong></span> to specify a limit of
+            one
+            gigabyte. <span class="command"><strong>unlimited</strong></span> requests
+            unlimited use, or the
+            maximum available amount. <span class="command"><strong>default</strong></span>
+            uses the limit
+            that was in force when the server was started. See the description
+            of <span class="command"><strong>size_spec</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
+          </p>
+
+          <p>
+            The following options set operating system resource limits for
+            the name server process.  Some operating systems don't support
+            some or
+            any of the limits. On such systems, a warning will be issued if
+            the
+            unsupported limit is used.
+          </p>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>coresize</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum size of a core dump. The default
+                  is <code class="literal">default</code>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>datasize</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum amount of data memory the server
+                  may use. The default is <code class="literal">default</code>.
+                  This is a hard limit on server memory usage.
+                  If the server attempts to allocate memory in excess of this
+                  limit, the allocation will fail, which may in turn leave
+                  the server unable to perform DNS service.  Therefore,
+                  this option is rarely useful as a way of limiting the
+                  amount of memory used by the server, but it can be used
+                  to raise an operating system data size limit that is
+                  too small by default.  If you wish to limit the amount
+                  of memory used by the server, use the
+                  <span class="command"><strong>max-cache-size</strong></span> and
+                  <span class="command"><strong>recursive-clients</strong></span>
+                  options instead.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>files</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum number of files the server
+                  may have open concurrently. The default is <code class="literal">unlimited</code>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>stacksize</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum amount of stack memory the server
+                  may use. The default is <code class="literal">default</code>.
+                </p>
+              </dd>
+</dl></div>
+
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="server_resource_limits"></a>Server  Resource Limits</h4></div></div></div>
+
+          <p>
+            The following options set limits on the server's
+            resource consumption that are enforced internally by the
+            server rather than the operating system.
+          </p>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>max-ixfr-log-size</strong></span></span></dt>
+<dd>
+                <p>
+                  This option is obsolete; it is accepted
+                  and ignored for BIND 8 compatibility.  The option
+                  <span class="command"><strong>max-journal-size</strong></span> performs a
+                  similar function in BIND 9.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
+<dd>
+                <p>
+                  Sets a maximum size for each journal file (see
+                  <a class="xref" href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>), expressed in bytes
+                  or, if followed by an optional unit suffix ('k',
+                  'm', or 'g'), in kilobytes, megabytes, or gigabytes.
+                  When the journal file approaches the specified size,
+                  some of the oldest transactions in the journal
+                  will be automatically removed. The largest
+                  permitted value is 2 gigabytes.  Very small
+                  values are rounded up to 4096 bytes.  You
+                  can specify <code class="literal">unlimited</code>, which
+                  also means 2 gigabytes. If you set the limit to
+                  <code class="literal">default</code> or leave it unset, the
+                  journal is allowed to grow up to twice as large as
+                  the zone. (There is little benefit in storing
+                  larger journals.)
+                </p>
+                <p>
+                  This option may also be set on a per-zone basis.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-records</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum number of records permitted in a zone.
+                  The default is zero which means unlimited.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>host-statistics-max</strong></span></span></dt>
+<dd>
+                <p>
+                  In BIND 8, specifies the maximum number of host statistics
+                  entries to be kept.
+                  Not implemented in BIND 9.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>recursive-clients</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum number ("hard quota") of simultaneous
+                  recursive lookups the server will perform on behalf
+                  of clients.  The default is
+                  <code class="literal">1000</code>.  Because each recursing
+                  client uses a fair
+                  bit of memory (on the order of 20 kilobytes), the
+                  value of the
+                  <span class="command"><strong>recursive-clients</strong></span> option may
+                  have to be decreased on hosts with limited memory.
+                </p>
+                <p>
+                  <code class="option">recursive-clients</code> defines a "hard
+                  quota" limit for pending recursive clients: when more
+                  clients than this are pending, new incoming requests
+                  will not be accepted, and for each incoming request
+                  a previous pending request will also be dropped.
+                </p>
+                <p>
+                  A "soft quota" is also set.  When this lower
+                  quota is exceeded, incoming requests are accepted, but
+                  for each one, a pending request will be dropped.
+                  If <code class="option">recursive-clients</code> is greater than
+                  1000, the soft quota is set to
+                  <code class="option">recursive-clients</code> minus 100;
+                  otherwise it is set to 90% of
+                  <code class="option">recursive-clients</code>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>tcp-clients</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum number of simultaneous client TCP
+                  connections that the server will accept.
+                  The default is <code class="literal">150</code>.
+                </p>
+              </dd>
+<dt>
+<a name="clients-per-query"></a><span class="term"><a name="cpq_term"></a><span class="command"><strong>clients-per-query</strong></span>, </span><span class="term"><span class="command"><strong>max-clients-per-query</strong></span></span>
+</dt>
+<dd>
+                <p>These set the
+                  initial value (minimum) and maximum number of recursive
+                  simultaneous clients for any given query
+                  (&lt;qname,qtype,qclass&gt;) that the server will accept
+                  before dropping additional clients.  <span class="command"><strong>named</strong></span> will attempt to
+                  self tune this value and changes will be logged.  The
+                  default values are 10 and 100.
+                </p>
+                <p>
+                  This value should reflect how many queries come in for
+                  a given name in the time it takes to resolve that name.
+                  If the number of queries exceed this value, <span class="command"><strong>named</strong></span> will
+                  assume that it is dealing with a non-responsive zone
+                  and will drop additional queries.  If it gets a response
+                  after dropping queries, it will raise the estimate.  The
+                  estimate will then be lowered in 20 minutes if it has
+                  remained unchanged.
+                </p>
+                <p>
+                  If <span class="command"><strong>clients-per-query</strong></span> is set to zero,
+                  then there is no limit on the number of clients per query
+                  and no queries will be dropped.
+                </p>
+                <p>
+                  If <span class="command"><strong>max-clients-per-query</strong></span> is set to zero,
+                  then there is no upper bound other than imposed by
+                  <span class="command"><strong>recursive-clients</strong></span>.
+                </p>
+              </dd>
+<dt>
+<a name="fetches-per-zone"></a><span class="term"><span class="command"><strong>fetches-per-zone</strong></span></span>
+</dt>
+<dd>
+                <p>
+                  The maximum number of simultaneous iterative
+                  queries to any one domain that the server will
+                  permit before blocking new queries for data
+                  in or beneath that zone.
+                  This value should reflect how many fetches would
+                  normally be sent to any one zone in the time it
+                  would take to resolve them.  It should be smaller
+                  than <code class="option">recursive-clients</code>.
+                </p>
+                <p>
+                  When many clients simultaneously query for the
+                  same name and type, the clients will all be attached
+                  to the same fetch, up to the
+                  <code class="option">max-clients-per-query</code> limit,
+                  and only one iterative query will be sent.
+                  However, when clients are simultaneously
+                  querying for <span class="emphasis"><em>different</em></span> names
+                  or types, multiple queries will be sent and
+                  <code class="option">max-clients-per-query</code> is not
+                  effective as a limit.
+                </p>
+                <p>
+                  Optionally, this value may be followed by the keyword
+                  <code class="literal">drop</code> or <code class="literal">fail</code>,
+                  indicating whether queries which exceed the fetch
+                  quota for a zone will be dropped with no response,
+                  or answered with SERVFAIL.  The default is
+                  <code class="literal">drop</code>.
+                </p>
+                <p>
+                  If <span class="command"><strong>fetches-per-zone</strong></span> is set to zero,
+                  then there is no limit on the number of fetches per query
+                  and no queries will be dropped.  The default is zero.
+                </p>
+                <p>
+                  The current list of active fetches can be dumped by
+                  running <span class="command"><strong>rndc recursing</strong></span>.  The list
+                  includes the number of active fetches for each
+                  domain and the number of queries that have been
+                  passed or dropped as a result of the
+                  <code class="option">fetches-per-zone</code> limit.  (Note:
+                  these counters are not cumulative over time; whenever
+                  the number of active fetches for a domain drops to
+                  zero, the counter for that domain is deleted, and the
+                  next time a fetch is sent to that domain, it is
+                  recreated with the counters set to zero.)
+                </p>
+              </dd>
+<dt>
+<a name="fetches-per-server"></a><span class="term"><span class="command"><strong>fetches-per-server</strong></span></span>
+</dt>
+<dd>
+                <p>
+                  The maximum number of simultaneous iterative
+                  queries that the server will allow to be sent to
+                  a single upstream name server before blocking
+                  additional queries.
+                  This value should reflect how many fetches would
+                  normally be sent to any one server in the time it
+                  would take to resolve them.  It should be smaller
+                  than <code class="option">recursive-clients</code>.
+                </p>
+                <p>
+                  Optionally, this value may be followed by the keyword
+                  <code class="literal">drop</code> or <code class="literal">fail</code>,
+                  indicating whether queries will be dropped with no
+                  response, or answered with SERVFAIL, when all of the
+                  servers authoritative for a zone are found to have
+                  exceeded the per-server quota.  The default is
+                  <code class="literal">fail</code>.
+                </p>
+                <p>
+                  If <span class="command"><strong>fetches-per-server</strong></span> is set to zero,
+                  then there is no limit on the number of fetches per query
+                  and no queries will be dropped.  The default is zero.
+                </p>
+                <p>
+                  The <span class="command"><strong>fetches-per-server</strong></span> quota is
+                  dynamically adjusted in response to detected
+                  congestion. As queries are sent to a server
+                  and are either answered or time out, an
+                  exponentially weighted moving average is calculated
+                  of the ratio of timeouts to responses.  If the
+                  current average timeout ratio rises above a "high"
+                  threshold, then <span class="command"><strong>fetches-per-server</strong></span>
+                  is reduced for that server.  If the timeout ratio
+                  drops below a "low" threshold, then
+                  <span class="command"><strong>fetches-per-server</strong></span> is increased.
+                  The <span class="command"><strong>fetch-quota-params</strong></span> options
+                  can be used to adjust the parameters for this
+                  calculation.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>fetch-quota-params</strong></span></span></dt>
+<dd>
+                <p>
+                  Sets the parameters to use for dynamic resizing of
+                  the <code class="option">fetches-per-server</code> quota in
+                  response to detected congestion.
+                </p>
+                <p>
+                  The first argument is an integer value indicating
+                  how frequently to recalculate the moving average
+                  of the ratio of timeouts to responses for each
+                  server.  The default is 100, meaning we recalculate
+                  the average ratio after every 100 queries have either
+                  been answered or timed out.
+                </p>
+                <p>
+                  The remaining three arguments represent the "low"
+                  threshold (defaulting to a timeout ratio of 0.1),
+                  the "high" threshold (defaulting to a timeout
+                  ratio of 0.3), and the discount rate for
+                  the moving average (defaulting to 0.7).
+                  A higher discount rate causes recent events to
+                  weigh more heavily when calculating the moving
+                  average; a lower discount rate causes past
+                  events to weigh more heavily, smoothing out
+                  short-term blips in the timeout ratio.
+                  These arguments are all fixed-point numbers with
+                  precision of 1/100: at most two places after
+                  the decimal point are significant.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>reserved-sockets</strong></span></span></dt>
+<dd>
+                <p>
+                  The number of file descriptors reserved for TCP, stdio,
+                  etc.  This needs to be big enough to cover the number of
+                  interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
+                  to provide room for outgoing TCP queries and incoming zone
+                  transfers.  The default is <code class="literal">512</code>.
+                  The minimum value is <code class="literal">128</code> and the
+                  maximum value is <code class="literal">128</code> less than
+                  maxsockets (-S).  This option may be removed in the future.
+                </p>
+                <p>
+                  This option has little effect on Windows.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-cache-size</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum amount of memory to use for the
+                  server's cache, in bytes or % of total physical memory.
+                  When the amount of data in the cache
+                  reaches this limit, the server will cause records to
+                  expire prematurely based on an LRU based strategy so
+                  that the limit is not exceeded.
+                  The keyword <strong class="userinput"><code>unlimited</code></strong>,
+                  or the value 0, will place no limit on cache size;
+                  records will be purged from the cache only when their
+                  TTLs expire.
+                  Any positive values less than 2MB will be ignored
+                  and reset to 2MB.
+                  In a server with multiple views, the limit applies
+                  separately to the cache of each view.
+                  The default is <strong class="userinput"><code>90%</code></strong>.
+                  On systems where detection of amount of physical
+                  memory is not supported values represented as %
+                  fall back to unlimited.
+                  Note that the detection of physical memory is done only
+                  once at startup, so <span class="command"><strong>named</strong></span> will not
+                  adjust the cache size if the amount of physical memory
+                  is changed during runtime.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>tcp-listen-queue</strong></span></span></dt>
+<dd>
+                <p>
+                  The listen queue depth.  The default and minimum is 10.
+                  If the kernel supports the accept filter "dataready" this
+                  also controls how
+                  many TCP connections that will be queued in kernel space
+                  waiting for
+                  some data before being passed to accept.  Nonzero values
+                  less than 10 will be silently raised. A value of 0 may also
+                  be used; on most platforms this sets the listen queue
+                  length to a system-defined default value.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>tcp-initial-timeout</strong></span></span></dt>
+<dd>
+                <p>
+                  The amount of time (in units of 100 milliseconds) the
+                  server waits on a new TCP connection for the first message
+                  from the client. The default is 300 (30 seconds),
+                  the minimum is 25 (2.5 seconds), and the maximum is
+                  1200 (two minutes). Values above the maximum or below
+                  the minimum will be adjusted with a logged warning.
+                  (Note: This value must be greater than the expected
+                  round trip delay time; otherwise no client will ever
+                  have enough time to submit a message.)
+                  This value can be updated at runtime by using
+                  <span class="command"><strong>rndc tcp-timeouts</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>tcp-idle-timeout</strong></span></span></dt>
+<dd>
+                <p>
+                  The amount of time (in units of 100 milliseconds) the
+                  server waits on an idle TCP connection before closing
+                  it when the client is not using the EDNS TCP keepalive
+                  option.  The default is 300 (30 seconds), the maximum
+                  is 1200 (two minutes), and the minimum is 1 (one tenth
+                  of a second). Values above the maximum or below the minimum
+                  will be adjusted with a logged warning.
+                  See <span class="command"><strong>tcp-keepalive-timeout</strong></span>
+                  for clients using the EDNS TCP keepalive option.
+                  This value can be updated at runtime by using
+                  <span class="command"><strong>rndc tcp-timeouts</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>tcp-keepalive-timeout</strong></span></span></dt>
+<dd>
+                <p>
+                  The amount of time (in units of 100 milliseconds) the
+                  server waits on an idle TCP connection before closing
+                  it when the client is using the EDNS TCP keepalive
+                  option.  The default is 300 (30 seconds), the maximum
+                  is 65535 (about 1.8 hours), and the minimum is 1 (one tenth
+                  of a second). Values above the maximum or below the minimum
+                  will be adjusted with a logged warning.
+                  This value may be greater than
+                  <span class="command"><strong>tcp-idle-timeout</strong></span>, because
+                  clients using the EDNS TCP keepalive option are expected
+                  to use TCP connections for more than one message.
+                  This value can be updated at runtime by using
+                  <span class="command"><strong>rndc tcp-timeouts</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>tcp-advertised-timeout</strong></span></span></dt>
+<dd>
+                <p>
+                  The timeout value (in units of 100 milliseconds) the
+                  server will send in respones containing the EDNS TCP
+                  keepalive option. This informs a client of the
+                  amount of time it may keep the session open.
+                  The default is 300 (30 seconds), the maximum is
+                  65535 (about 1.8 hours), and the minimum is 0, which
+                  signals that the clients must close TCP connections
+                  immediately.  Ordinarily this should be set to the
+                  same value as <span class="command"><strong>tcp-keepalive-timeout</strong></span>.
+                  This value can be updated at runtime by using
+                  <span class="command"><strong>rndc tcp-timeouts</strong></span>.
+                </p>
+              </dd>
+</dl></div>
+
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="intervals"></a>Periodic Task Intervals</h4></div></div></div>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>cleaning-interval</strong></span></span></dt>
+<dd>
+                <p>
+                  This interval is effectively obsolete.  Previously,
+                  the server would remove expired resource records
+                  from the cache every <span class="command"><strong>cleaning-interval</strong></span> minutes.
+                  <acronym class="acronym">BIND</acronym> 9 now manages cache
+                  memory in a more sophisticated manner and does not
+                  rely on the periodic cleaning any more.
+                  Specifying this option therefore has no effect on
+                  the server's behavior.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>heartbeat-interval</strong></span></span></dt>
+<dd>
+                <p>
+                  The server will perform zone maintenance tasks
+                  for all zones marked as <span class="command"><strong>dialup</strong></span> whenever this
+                  interval expires. The default is 60 minutes. Reasonable
+                  values are up
+                  to 1 day (1440 minutes).  The maximum value is 28 days
+                  (40320 minutes).
+                  If set to 0, no zone maintenance for these zones will occur.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>interface-interval</strong></span></span></dt>
+<dd>
+                <p>
+                  The server will scan the network interface list
+                  every <span class="command"><strong>interface-interval</strong></span>
+                  minutes. The default
+                  is 60 minutes. The maximum value is 28 days (40320 minutes).
+                  If set to 0, interface scanning will only occur when
+                  the configuration file is  loaded. After the scan, the
+                  server will
+                  begin listening for queries on any newly discovered
+                  interfaces (provided they are allowed by the
+                  <span class="command"><strong>listen-on</strong></span> configuration), and
+                  will
+                  stop listening on interfaces that have gone away.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>statistics-interval</strong></span></span></dt>
+<dd>
+                <p>
+                  Name server statistics will be logged
+                  every <span class="command"><strong>statistics-interval</strong></span>
+                  minutes. The default is
+                  60. The maximum value is 28 days (40320 minutes).
+                  If set to 0, no statistics will be logged.
+                  </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                  <p>
+                    Not yet implemented in
+                    <acronym class="acronym">BIND</acronym> 9.
+                  </p>
+                </div>
+              </dd>
+<dt><span class="term"><span class="command"><strong>topology</strong></span></span></dt>
+<dd>
+                <p>
+                  In BIND 8, this option indicated network topology
+                  so that preferential treatment could be given to
+                  the topologicaly closest name servers when sending
+                  queries. It is not implemented in BIND 9.
+                </p>
+              </dd>
+</dl></div>
+
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="the_sortlist_statement"></a>The <span class="command"><strong>sortlist</strong></span> Statement</h4></div></div></div>
+
+          <p>
+            The response to a DNS query may consist of multiple resource
+            records (RRs) forming a resource record set (RRset).  The name
+            server will normally return the RRs within the RRset in an
+            indeterminate order (but see the <span class="command"><strong>rrset-order</strong></span>
+            statement in <a class="xref" href="Bv9ARM.ch05.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).  The client
+            resolver code should rearrange the RRs as appropriate, that is,
+            using any addresses on the local net in preference to other
+            addresses.  However, not all resolvers can do this or are
+            correctly configured.  When a client is using a local server,
+            the sorting can be performed in the server, based on the
+            client's address. This only requires configuring the name
+            servers, not all the clients.
+          </p>
+
+          <p>
+            The <span class="command"><strong>sortlist</strong></span> statement (see below) takes an
+            <span class="command"><strong>address_match_list</strong></span> and interprets it in a
+            special way.  Each top level statement in the
+            <span class="command"><strong>sortlist</strong></span> must itself be an explicit
+            <span class="command"><strong>address_match_list</strong></span> with one or two elements.
+            The first element (which may be an IP address, an IP prefix, an
+            ACL name or a nested <span class="command"><strong>address_match_list</strong></span>) of
+            each top level list is checked against the source address of
+            the query until a match is found.
+          </p>
+          <p>
+            Once the source address of the query has been matched, if the
+            top level statement contains only one element, the actual
+            primitive element that matched the source address is used to
+            select the address in the response to move to the beginning of
+            the response. If the statement is a list of two elements, then
+            the second element is interpreted as a topology preference
+            list.  Each top level element is assigned a distance and the
+            address in the response with the minimum distance is moved to
+            the beginning of the response.
+          </p>
+          <p>
+            In the following example, any queries received from any of the
+            addresses of the host itself will get responses preferring
+            addresses on any of the locally connected networks. Next most
+            preferred are addresses on the 192.168.1/24 network, and after
+            that either the 192.168.2/24 or 192.168.3/24 network with no
+            preference shown between these two networks. Queries received
+            from a host on the 192.168.1/24 network will prefer other
+            addresses on that network to the 192.168.2/24 and 192.168.3/24
+            networks. Queries received from a host on the 192.168.4/24 or
+            the 192.168.5/24 network will only prefer other addresses on
+            their directly connected networks.
+          </p>
+
+<pre class="programlisting">sortlist {
+    // IF the local host
+    // THEN first fit on the following nets
+    { localhost;
+        { localnets;
+            192.168.1/24;
+            { 192.168.2/24; 192.168.3/24; }; }; };
+    // IF on class C 192.168.1 THEN use .1, or .2 or .3
+    { 192.168.1/24;
+        { 192.168.1/24;
+            { 192.168.2/24; 192.168.3/24; }; }; };
+    // IF on class C 192.168.2 THEN use .2, or .1 or .3
+    { 192.168.2/24;
+        { 192.168.2/24;
+            { 192.168.1/24; 192.168.3/24; }; }; };
+    // IF on class C 192.168.3 THEN use .3, or .1 or .2
+    { 192.168.3/24;
+        { 192.168.3/24;
+            { 192.168.1/24; 192.168.2/24; }; }; };
+    // IF .4 or .5 THEN prefer that net
+    { { 192.168.4/24; 192.168.5/24; };
+    };
+};</pre>
+
+          <p>
+            The following example will give reasonable behavior for the
+            local host and hosts on directly connected networks. It is
+            similar to the behavior of the address sort in
+            <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent to queries from
+            the local host will favor any of the directly connected
+            networks. Responses sent to queries from any other hosts on a
+            directly connected network will prefer addresses on that same
+            network.  Responses to other queries will not be sorted.
+          </p>
+
+<pre class="programlisting">sortlist {
+           { localhost; localnets; };
+           { localnets; };
+};
+</pre>
+
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
+
+          <p>
+            When multiple records are returned in an answer it may be
+            useful to configure the order of the records placed into the
+            response.  The <span class="command"><strong>rrset-order</strong></span> statement permits
+            configuration of the ordering of the records in a
+            multiple-record response.
+            See also the <span class="command"><strong>sortlist</strong></span> statement,
+            <a class="xref" href="Bv9ARM.ch05.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a>.
+          </p>
+          <p>
+            An <span class="command"><strong>order_spec</strong></span> is defined as follows:
+          </p>
+          <p>
+            [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
+            [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
+            [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
+            order <em class="replaceable"><code>ordering</code></em>
+          </p>
+          <p>
+            If no class is specified, the default is <span class="command"><strong>ANY</strong></span>.
+            If no type is specified, the default is <span class="command"><strong>ANY</strong></span>.
+            If no name is specified, the default is "<span class="command"><strong>*</strong></span>" (asterisk).
+          </p>
+          <p>
+            The legal values for <span class="command"><strong>ordering</strong></span> are:
+          </p>
+          <div class="informaltable">
+            <table border="1">
+<colgroup>
+<col width="0.750in" class="1">
+<col width="3.750in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                    <p><span class="command"><strong>fixed</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Records are returned in the order they
+                      are defined in the zone file. This option
+                      is only available if <acronym class="acronym">BIND</acronym>
+                      is configured with "--enable-fixed-rrset" at
+                      compile time.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><span class="command"><strong>random</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Records are returned in some random order.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><span class="command"><strong>cyclic</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Records are returned in a cyclic round-robin order,
+                      rotating by one record per query.
+                    </p>
+                    <p>
+                      If <acronym class="acronym">BIND</acronym> is configured with
+                      "--enable-fixed-rrset" at compile time, then
+                      the initial ordering of the RRset will match the
+                      one specified in the zone file; otherwise the
+                      initial ordering is indeterminate.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><span class="command"><strong>none</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Records are returned in whatever order they were
+                      retrieved from the database.  This order is
+                      indeterminate, but will be consistent as long as the
+                      database is not modified. When no ordering is
+                      specified, this is the default.
+                    </p>
+                  </td>
+</tr>
+</tbody>
+</table>
+          </div>
+          <p>
+          </p>
+          <p>
+            For example:
+          </p>
+<pre class="programlisting">rrset-order {
+   class IN type A name "host.example.com" order random;
+   order cyclic;
+};
+</pre>
+          <p>
+            will cause any responses for type A records in class IN that
+            have "<code class="literal">host.example.com</code>" as a
+            suffix, to always be returned
+            in random order. All other records are returned in cyclic order.
+          </p>
+          <p>
+            If multiple <span class="command"><strong>rrset-order</strong></span> statements
+            appear, they are not combined &#8212; the last one applies.
+          </p>
+          <p>
+            By default, records are returned in indeterminate but
+            consistent order (see <span class="command"><strong>none</strong></span> above).
+          </p>
+
+          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+            <p>
+              In this release of <acronym class="acronym">BIND</acronym> 9, the
+              <span class="command"><strong>rrset-order</strong></span> statement does not support
+              "fixed" ordering by default.  Fixed ordering can be enabled
+              at compile time by specifying "--enable-fixed-rrset" on
+              the "configure" command line.
+            </p>
+          </div>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="tuning"></a>Tuning</h4></div></div></div>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>lame-ttl</strong></span></span></dt>
+<dd>
+                <p>
+                  Sets the number of seconds to cache a
+                  lame server indication. 0 disables caching. (This is
+                  <span class="bold"><strong>NOT</strong></span> recommended.)
+                  The default is <code class="literal">600</code> (10 minutes) and the
+                  maximum value is
+                  <code class="literal">1800</code> (30 minutes).
+                </p>
+
+              </dd>
+<dt><span class="term"><span class="command"><strong>servfail-ttl</strong></span></span></dt>
+<dd>
+                <p>
+                  Sets the number of seconds to cache a
+                  SERVFAIL response due to DNSSEC validation failure or
+                  other general server failure.  If set to
+                  <code class="literal">0</code>, SERVFAIL caching is disabled.
+                  The SERVFAIL cache is not consulted if a query has
+                  the CD (Checking Disabled) bit set; this allows a
+                  query that failed due to DNSSEC validation to be retried
+                  without waiting for the SERVFAIL TTL to expire.
+                </p>
+                <p>
+                  The maximum value is <code class="literal">30</code>
+                  seconds; any higher value will be silently
+                  reduced. The default is <code class="literal">1</code>
+                  second.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-ncache-ttl</strong></span></span></dt>
+<dd>
+                <p>
+                  To reduce network traffic and increase performance,
+                  the server stores negative answers. <span class="command"><strong>max-ncache-ttl</strong></span> is
+                  used to set a maximum retention time for these answers in
+                  the server
+                  in seconds. The default
+                  <span class="command"><strong>max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
+                  <span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed
+                  7 days and will
+                  be silently truncated to 7 days if set to a greater value.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-cache-ttl</strong></span></span></dt>
+<dd>
+                <p>
+                  Sets the maximum time for which the server will
+                  cache ordinary (positive) answers in seconds.
+                  The default is 604800 (one week).
+                  A value of zero may cause all queries to return
+                  SERVFAIL, because of lost caches of intermediate
+                  RRsets (such as NS and glue AAAA/A records) in the
+                  resolution process.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-stale-ttl</strong></span></span></dt>
+<dd>
+                <p>
+                  Sets the maximum time for which the server will
+                  retain records past their normal expiry to
+                  return them as stale records when the servers
+                  for those records are not reachable.  The default
+                  is to not retain the record.
+                </p>
+                <p>
+                  <span class="command"><strong>rndc serve-stale</strong></span> can be used
+                  to disable and re-enable the serving of stale
+                  records at runtime.  Reloading or reconfiguring
+                  <span class="command"><strong>named</strong></span> will not re-enable serving
+                  of stale records if they have been disabled via
+                  <span class="command"><strong>rndc</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt>
+<dd>
+                <p>
+                  The minimum number of root servers that
+                  is required for a request for the root servers to be
+                  accepted. The default
+                  is <strong class="userinput"><code>2</code></strong>.
+                </p>
+                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                  <p>
+                    Not implemented in <acronym class="acronym">BIND</acronym> 9.
+                  </p>
+                </div>
+              </dd>
+<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies the number of days into the future when
+                  DNSSEC signatures automatically generated as a
+                  result of dynamic updates (<a class="xref" href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>) will expire.  There
+                  is an optional second field which specifies how
+                  long before expiry that the signatures will be
+                  regenerated.  If not specified, the signatures will
+                  be regenerated at 1/4 of base interval.  The second
+                  field is specified in days if the base interval is
+                  greater than 7 days otherwise it is specified in hours.
+                  The default base interval is <code class="literal">30</code> days
+                  giving a re-signing interval of 7 1/2 days.  The maximum
+                  values are 10 years (3660 days).
+                </p>
+                <p>
+                  The signature inception time is unconditionally
+                  set to one hour before the current time to allow
+                  for a limited amount of clock skew.
+                </p>
+                <p>
+                  The <span class="command"><strong>sig-validity-interval</strong></span>
+                  should be, at least, several multiples of the SOA
+                  expire interval to allow for reasonable interaction
+                  between the various timer and expiry dates.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt>
+<dd>
+                <p>
+                  Specify the maximum number of nodes to be
+                  examined in each quantum when signing a zone with
+                  a new DNSKEY. The default is
+                  <code class="literal">100</code>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt>
+<dd>
+                <p>
+                  Specify a threshold number of signatures that
+                  will terminate processing a quantum when signing
+                  a zone with a new DNSKEY.  The default is
+                  <code class="literal">10</code>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt>
+<dd>
+                <p>
+                  Specify a private RDATA type to be used when generating
+                  signing state records.  The default is
+                  <code class="literal">65534</code>.
+                </p>
+                <p>
+                  It is expected that this parameter may be removed
+                  in a future version once there is a standard type.
+                </p>
+                <p>
+                  Signing state records are used to internally by
+                  <span class="command"><strong>named</strong></span> to track the current state of
+                  a zone-signing process, i.e., whether it is still active
+                  or has been completed.  The records can be inspected
+                  using the command
+                  <span class="command"><strong>rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
+                  Once <span class="command"><strong>named</strong></span> has finished signing
+                  a zone with a particular key, the signing state
+                  record associated with that key can be removed from
+                  the zone by running
+                  <span class="command"><strong>rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
+                  To clear all of the completed signing state
+                  records for a zone, use
+                  <span class="command"><strong>rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
+                </p>
+              </dd>
+<dt>
+<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span>
+</dt>
+<dd>
+                <p>
+                  These options control the server's behavior on refreshing a
+                  zone (querying for SOA changes) or retrying failed
+                  transfers.  Usually the SOA values for the zone are used,
+                  up to a hard-coded maximum expiry of 24 weeks. However,
+                  these values are set by the master, giving slave server
+                  administrators little control over their contents.
+                </p>
+                <p>
+                  These options allow the administrator to set a minimum and
+                  maximum refresh and retry time in seconds per-zone,
+                  per-view, or globally.  These options are valid for
+                  slave and stub zones, and clamp the SOA refresh and
+                  retry times to the specified values.
+                </p>
+                <p>
+                  The following defaults apply.
+                  <span class="command"><strong>min-refresh-time</strong></span> 300 seconds,
+                  <span class="command"><strong>max-refresh-time</strong></span> 2419200 seconds
+                  (4 weeks), <span class="command"><strong>min-retry-time</strong></span> 500 seconds,
+                  and <span class="command"><strong>max-retry-time</strong></span> 1209600 seconds
+                  (2 weeks).
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>edns-udp-size</strong></span></span></dt>
+<dd>
+                <p>
+                  Sets the maximum advertised EDNS UDP buffer size in
+                  bytes, to control the size of packets received from
+                  authoritative servers in response to recursive queries.
+                  Valid values are 512 to 4096 (values outside this range
+                  will be silently adjusted to the nearest value within
+                  it).  The default value is 4096.
+                </p>
+                <p>
+                  The usual reason for setting
+                  <span class="command"><strong>edns-udp-size</strong></span> to a non-default value
+                  is to get UDP answers to pass through broken firewalls
+                  that block fragmented packets and/or block UDP DNS
+                  packets that are greater than 512 bytes.
+                </p>
+                <p>
+                  When <span class="command"><strong>named</strong></span> first queries a remote
+                  server, it will advertise a UDP buffer size of 512, as
+                  this has the greatest chance of success on the first try.
+                </p>
+                <p>
+                  If the initial response times out, <span class="command"><strong>named</strong></span>
+                  will try again with plain DNS, and if that is successful,
+                  it will be taken as evidence that the server does not
+                  support EDNS. After enough failures using EDNS and
+                  successes using plain DNS, <span class="command"><strong>named</strong></span>
+                  will default to plain DNS for future communications
+                  with that server.  (Periodically, <span class="command"><strong>named</strong></span>
+                  will send an EDNS query to see if the situation has
+                  improved.)
+                </p>
+                <p>
+                  However, if the initial query is successful with
+                  EDNS advertising a buffer size of 512, then
+                  <span class="command"><strong>named</strong></span> will advertise progressively
+                  larger buffer sizes on successive queries, until
+                  responses begin timing out or
+                  <span class="command"><strong>edns-udp-size</strong></span> is reached.
+                </p>
+                <p>
+                  The default buffer sizes used by <span class="command"><strong>named</strong></span>
+                  are 512, 1232, 1432, and 4096, but never exceeding
+                  <span class="command"><strong>edns-udp-size</strong></span>.  (The values 1232 and
+                  1432 are chosen to allow for an IPv4/IPv6 encapsulated
+                  UDP message to be sent without fragmentation at the
+                  minimum MTU sizes for Ethernet and IPv6 networks.)
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-udp-size</strong></span></span></dt>
+<dd>
+                <p>
+                  Sets the maximum EDNS UDP message size
+                  <span class="command"><strong>named</strong></span> will send in bytes.
+                  Valid values are 512 to 4096 (values outside this
+                  range will be silently adjusted to the nearest
+                  value within it).  The default value is 4096.
+                </p>
+                <p>
+                  This value applies to responses sent by a server; to
+                  set the advertised buffer size in queries, see
+                  <span class="command"><strong>edns-udp-size</strong></span>.
+                </p>
+                <p>
+                  The usual reason for setting
+                  <span class="command"><strong>max-udp-size</strong></span> to a non-default
+                  value is to get UDP answers to pass through broken
+                  firewalls that block fragmented packets and/or
+                  block UDP packets that are greater than 512 bytes.
+                  This is independent of the advertised receive
+                  buffer (<span class="command"><strong>edns-udp-size</strong></span>).
+                </p>
+                <p>
+                  Setting this to a low value will encourage additional
+                  TCP traffic to the nameserver.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt>
+<dd>
+                <p>Specifies
+                  the file format of zone files (see
+                  <a class="xref" href="Bv9ARM.ch05.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
+                  The default value is <code class="constant">text</code>, which is the
+                  standard textual representation, except for slave zones,
+                  in which the default value is <code class="constant">raw</code>.
+                  Files in other formats than <code class="constant">text</code> are
+                  typically expected to be generated by the
+                  <span class="command"><strong>named-compilezone</strong></span> tool, or dumped by
+                  <span class="command"><strong>named</strong></span>.
+                </p>
+                <p>
+                  Note that when a zone file in a different format than
+                  <code class="constant">text</code> is loaded, <span class="command"><strong>named</strong></span>
+                  may omit some of the checks which would be performed for a
+                  file in the <code class="constant">text</code> format.  In particular,
+                  <span class="command"><strong>check-names</strong></span> checks do not apply
+                  for the <code class="constant">raw</code> format.  This means
+                  a zone file in the <code class="constant">raw</code> format
+                  must be generated with the same check level as that
+                  specified in the <span class="command"><strong>named</strong></span> configuration
+                  file.  Also, <code class="constant">map</code> format files are
+                  loaded directly into memory via memory mapping, with only
+                  minimal checking.
+                </p>
+                <p>
+                  This statement sets the
+                  <span class="command"><strong>masterfile-format</strong></span> for all zones,
+                  but can be overridden on a per-zone or per-view basis
+                  by including a <span class="command"><strong>masterfile-format</strong></span>
+                  statement within the <span class="command"><strong>zone</strong></span> or
+                  <span class="command"><strong>view</strong></span> block in the configuration
+                  file.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>masterfile-style</strong></span></span></dt>
+<dd>
+                <p>
+                  Specifies the formatting of zone files during dump
+                  when the <code class="option">masterfile-format</code> is
+                  <code class="constant">text</code>. (This option is ignored
+                  with any other <code class="option">masterfile-format</code>.)
+                </p>
+                <p>
+                  When set to <code class="constant">relative</code>,
+                  records are printed in a multi-line format with owner
+                  names expressed relative to a shared origin.  When set
+                  to <code class="constant">full</code>, records are printed in
+                  a single-line format with absolute owner names.
+                  The <code class="constant">full</code> format is most suitable
+                  when a zone file needs to be processed automatically
+                  by a script.  The <code class="constant">relative</code> format
+                  is more human-readable, and is thus suitable when a
+                  zone is to be edited by hand.  The default is
+                  <code class="constant">relative</code>.
+                </p>
+              </dd>
+<dt>
+<a name="max-recursion-depth"></a><span class="term"><span class="command"><strong>max-recursion-depth</strong></span></span>
+</dt>
+<dd>
+                <p>
+                  Sets the maximum number of levels of recursion
+                  that are permitted at any one time while servicing
+                  a recursive query. Resolving a name may require
+                  looking up a name server address, which in turn
+                  requires resolving another name, etc; if the number
+                  of indirections exceeds this value, the recursive
+                  query is terminated and returns SERVFAIL.  The
+                  default is 7.
+                </p>
+              </dd>
+<dt>
+<a name="max-recursion-queries"></a><span class="term"><span class="command"><strong>max-recursion-queries</strong></span></span>
+</dt>
+<dd>
+                <p>
+                  Sets the maximum number of iterative queries that
+                  may be sent while servicing a recursive query.
+                  If more queries are sent, the recursive query
+                  is terminated and returns SERVFAIL. Queries to
+                  look up top level domains such as "com" and "net"
+                  and the DNS root zone are exempt from this limitation.
+                  The default is 75.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
+<dd>
+                <p>
+                  The delay, in seconds, between sending sets of notify
+                  messages for a zone.  The default is five (5) seconds.
+                </p>
+                <p>
+                  The overall rate that NOTIFY messages are sent for all
+                  zones is controlled by <span class="command"><strong>serial-query-rate</strong></span>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>max-rsa-exponent-size</strong></span></span></dt>
+<dd>
+                <p>
+                  The maximum RSA exponent size, in bits, that will
+                  be accepted when validating.  Valid values are 35
+                  to 4096 bits.  The default zero (0) is also accepted
+                  and is equivalent to 4096.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>prefetch</strong></span></span></dt>
+<dd>
+                <p>
+                  When a query is received for cached data which
+                  is to expire shortly, <span class="command"><strong>named</strong></span> can
+                  refresh the data from the authoritative server
+                  immediately, ensuring that the cache always has an
+                  answer available.
+                </p>
+                <p>
+                  The <code class="option">prefetch</code> specifies the
+                  "trigger" TTL value at which prefetch of the current
+                  query will take place: when a cache record with a
+                  lower TTL value is encountered during query processing,
+                  it will be refreshed.  Valid trigger TTL values are 1 to
+                  10 seconds.  Values larger than 10 seconds will be silently
+                  reduced to 10.
+                  Setting a trigger TTL to zero (0) causes
+                  prefetch to be disabled.
+                  The default trigger TTL is <code class="literal">2</code>.
+                </p>
+                <p>
+                  An optional second argument specifies the "eligibility"
+                  TTL: the smallest <span class="emphasis"><em>original</em></span>
+                  TTL value that will be accepted for a record to be
+                  eligible for prefetching.  The eligibility TTL must
+                  be at least six seconds longer than the trigger TTL;
+                  if it isn't, <span class="command"><strong>named</strong></span> will silently
+                  adjust it upward.
+                  The default eligibility TTL is <code class="literal">9</code>.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>v6-bias</strong></span></span></dt>
+<dd>
+                <p>
+                  When determining the next nameserver to try
+                  preference IPv6 nameservers by this many milliseconds.
+                  The default is <code class="literal">50</code> milliseconds.
+                </p>
+              </dd>
+</dl></div>
+
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
+
+          <p>
+            The server provides some helpful diagnostic information
+            through a number of built-in zones under the
+            pseudo-top-level-domain <code class="literal">bind</code> in the
+            <span class="command"><strong>CHAOS</strong></span> class.  These zones are part
+            of a
+            built-in view (see <a class="xref" href="Bv9ARM.ch05.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span class="command"><strong>view</strong></span> Statement Grammar&#8221;</a>) of
+            class
+            <span class="command"><strong>CHAOS</strong></span> which is separate from the
+            default view of class <span class="command"><strong>IN</strong></span>. Most global
+            configuration options (<span class="command"><strong>allow-query</strong></span>,
+            etc) will apply to this view, but some are locally
+            overridden: <span class="command"><strong>notify</strong></span>,
+            <span class="command"><strong>recursion</strong></span> and
+            <span class="command"><strong>allow-new-zones</strong></span> are
+            always set to <strong class="userinput"><code>no</code></strong>, and
+            <span class="command"><strong>rate-limit</strong></span> is set to allow
+            three responses per second.
+          </p>
+          <p>
+            If you need to disable these zones, use the options
+            below, or hide the built-in <span class="command"><strong>CHAOS</strong></span>
+            view by
+            defining an explicit view of class <span class="command"><strong>CHAOS</strong></span>
+            that matches all clients.
+          </p>
+
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>version</strong></span></span></dt>
+<dd>
+                <p>
+                  The version the server should report
+                  via a query of the name <code class="literal">version.bind</code>
+                  with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
+                  The default is the real version number of this server.
+                  Specifying <span class="command"><strong>version none</strong></span>
+                  disables processing of the queries.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>hostname</strong></span></span></dt>
+<dd>
+                <p>
+                  The hostname the server should report via a query of
+                  the name <code class="filename">hostname.bind</code>
+                  with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
+                  This defaults to the hostname of the machine hosting the
+                  name server as
+                  found by the gethostname() function.  The primary purpose of such queries
+                  is to
+                  identify which of a group of anycast servers is actually
+                  answering your queries.  Specifying <span class="command"><strong>hostname none;</strong></span>
+                  disables processing of the queries.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>server-id</strong></span></span></dt>
+<dd>
+                <p>
+                  The ID the server should report when receiving a Name
+                  Server Identifier (NSID) query, or a query of the name
+                  <code class="filename">ID.SERVER</code> with type
+                  <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
+                  The primary purpose of such queries is to
+                  identify which of a group of anycast servers is actually
+                  answering your queries.  Specifying <span class="command"><strong>server-id none;</strong></span>
+                  disables processing of the queries.
+                  Specifying <span class="command"><strong>server-id hostname;</strong></span> will cause <span class="command"><strong>named</strong></span> to
+                  use the hostname as found by the gethostname() function.
+                  The default <span class="command"><strong>server-id</strong></span> is <span class="command"><strong>none</strong></span>.
+                </p>
+              </dd>
+</dl></div>
+
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
+
+          <p>
+            The <span class="command"><strong>named</strong></span> server has some built-in
+            empty zones (SOA and NS records only).
+            These are for zones that should normally be answered locally
+            and which queries should not be sent to the Internet's root
+            servers.  The official servers which cover these namespaces
+            return NXDOMAIN responses to these queries.  In particular,
+            these cover the reverse namespaces for addresses from
+            RFC 1918, RFC 4193, RFC 5737 and RFC 6598.  They also include the
+            reverse namespace for IPv6 local address (locally assigned),
+            IPv6 link local addresses, the IPv6 loopback address and the
+            IPv6 unknown address.
+          </p>
+          <p>
+            The server will attempt to determine if a built-in zone
+            already exists or is active (covered by a forward-only
+            forwarding declaration) and will not create an empty
+            zone in that case.
+          </p>
+          <p>
+            The current list of empty zones is:
+            </p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">10.IN-ADDR.ARPA</li>
+<li class="listitem">16.172.IN-ADDR.ARPA</li>
+<li class="listitem">17.172.IN-ADDR.ARPA</li>
+<li class="listitem">18.172.IN-ADDR.ARPA</li>
+<li class="listitem">19.172.IN-ADDR.ARPA</li>
+<li class="listitem">20.172.IN-ADDR.ARPA</li>
+<li class="listitem">21.172.IN-ADDR.ARPA</li>
+<li class="listitem">22.172.IN-ADDR.ARPA</li>
+<li class="listitem">23.172.IN-ADDR.ARPA</li>
+<li class="listitem">24.172.IN-ADDR.ARPA</li>
+<li class="listitem">25.172.IN-ADDR.ARPA</li>
+<li class="listitem">26.172.IN-ADDR.ARPA</li>
+<li class="listitem">27.172.IN-ADDR.ARPA</li>
+<li class="listitem">28.172.IN-ADDR.ARPA</li>
+<li class="listitem">29.172.IN-ADDR.ARPA</li>
+<li class="listitem">30.172.IN-ADDR.ARPA</li>
+<li class="listitem">31.172.IN-ADDR.ARPA</li>
+<li class="listitem">168.192.IN-ADDR.ARPA</li>
+<li class="listitem">64.100.IN-ADDR.ARPA</li>
+<li class="listitem">65.100.IN-ADDR.ARPA</li>
+<li class="listitem">66.100.IN-ADDR.ARPA</li>
+<li class="listitem">67.100.IN-ADDR.ARPA</li>
+<li class="listitem">68.100.IN-ADDR.ARPA</li>
+<li class="listitem">69.100.IN-ADDR.ARPA</li>
+<li class="listitem">70.100.IN-ADDR.ARPA</li>
+<li class="listitem">71.100.IN-ADDR.ARPA</li>
+<li class="listitem">72.100.IN-ADDR.ARPA</li>
+<li class="listitem">73.100.IN-ADDR.ARPA</li>
+<li class="listitem">74.100.IN-ADDR.ARPA</li>
+<li class="listitem">75.100.IN-ADDR.ARPA</li>
+<li class="listitem">76.100.IN-ADDR.ARPA</li>
+<li class="listitem">77.100.IN-ADDR.ARPA</li>
+<li class="listitem">78.100.IN-ADDR.ARPA</li>
+<li class="listitem">79.100.IN-ADDR.ARPA</li>
+<li class="listitem">80.100.IN-ADDR.ARPA</li>
+<li class="listitem">81.100.IN-ADDR.ARPA</li>
+<li class="listitem">82.100.IN-ADDR.ARPA</li>
+<li class="listitem">83.100.IN-ADDR.ARPA</li>
+<li class="listitem">84.100.IN-ADDR.ARPA</li>
+<li class="listitem">85.100.IN-ADDR.ARPA</li>
+<li class="listitem">86.100.IN-ADDR.ARPA</li>
+<li class="listitem">87.100.IN-ADDR.ARPA</li>
+<li class="listitem">88.100.IN-ADDR.ARPA</li>
+<li class="listitem">89.100.IN-ADDR.ARPA</li>
+<li class="listitem">90.100.IN-ADDR.ARPA</li>
+<li class="listitem">91.100.IN-ADDR.ARPA</li>
+<li class="listitem">92.100.IN-ADDR.ARPA</li>
+<li class="listitem">93.100.IN-ADDR.ARPA</li>
+<li class="listitem">94.100.IN-ADDR.ARPA</li>
+<li class="listitem">95.100.IN-ADDR.ARPA</li>
+<li class="listitem">96.100.IN-ADDR.ARPA</li>
+<li class="listitem">97.100.IN-ADDR.ARPA</li>
+<li class="listitem">98.100.IN-ADDR.ARPA</li>
+<li class="listitem">99.100.IN-ADDR.ARPA</li>
+<li class="listitem">100.100.IN-ADDR.ARPA</li>
+<li class="listitem">101.100.IN-ADDR.ARPA</li>
+<li class="listitem">102.100.IN-ADDR.ARPA</li>
+<li class="listitem">103.100.IN-ADDR.ARPA</li>
+<li class="listitem">104.100.IN-ADDR.ARPA</li>
+<li class="listitem">105.100.IN-ADDR.ARPA</li>
+<li class="listitem">106.100.IN-ADDR.ARPA</li>
+<li class="listitem">107.100.IN-ADDR.ARPA</li>
+<li class="listitem">108.100.IN-ADDR.ARPA</li>
+<li class="listitem">109.100.IN-ADDR.ARPA</li>
+<li class="listitem">110.100.IN-ADDR.ARPA</li>
+<li class="listitem">111.100.IN-ADDR.ARPA</li>
+<li class="listitem">112.100.IN-ADDR.ARPA</li>
+<li class="listitem">113.100.IN-ADDR.ARPA</li>
+<li class="listitem">114.100.IN-ADDR.ARPA</li>
+<li class="listitem">115.100.IN-ADDR.ARPA</li>
+<li class="listitem">116.100.IN-ADDR.ARPA</li>
+<li class="listitem">117.100.IN-ADDR.ARPA</li>
+<li class="listitem">118.100.IN-ADDR.ARPA</li>
+<li class="listitem">119.100.IN-ADDR.ARPA</li>
+<li class="listitem">120.100.IN-ADDR.ARPA</li>
+<li class="listitem">121.100.IN-ADDR.ARPA</li>
+<li class="listitem">122.100.IN-ADDR.ARPA</li>
+<li class="listitem">123.100.IN-ADDR.ARPA</li>
+<li class="listitem">124.100.IN-ADDR.ARPA</li>
+<li class="listitem">125.100.IN-ADDR.ARPA</li>
+<li class="listitem">126.100.IN-ADDR.ARPA</li>
+<li class="listitem">127.100.IN-ADDR.ARPA</li>
+<li class="listitem">0.IN-ADDR.ARPA</li>
+<li class="listitem">127.IN-ADDR.ARPA</li>
+<li class="listitem">254.169.IN-ADDR.ARPA</li>
+<li class="listitem">2.0.192.IN-ADDR.ARPA</li>
+<li class="listitem">100.51.198.IN-ADDR.ARPA</li>
+<li class="listitem">113.0.203.IN-ADDR.ARPA</li>
+<li class="listitem">255.255.255.255.IN-ADDR.ARPA</li>
+<li class="listitem">0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
+<li class="listitem">1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
+<li class="listitem">8.B.D.0.1.0.0.2.IP6.ARPA</li>
+<li class="listitem">D.F.IP6.ARPA</li>
+<li class="listitem">8.E.F.IP6.ARPA</li>
+<li class="listitem">9.E.F.IP6.ARPA</li>
+<li class="listitem">A.E.F.IP6.ARPA</li>
+<li class="listitem">B.E.F.IP6.ARPA</li>
+</ul></div>
+<p>
+          </p>
+          <p>
+            Empty zones are settable at the view level and only apply to
+            views of class IN.  Disabled empty zones are only inherited
+            from options if there are no disabled empty zones specified
+            at the view level.  To override the options list of disabled
+            zones, you can disable the root zone at the view level, for example:
+</p>
+<pre class="programlisting">
+            disable-empty-zone ".";
+</pre>
+<p>
+          </p>
+          <p>
+            If you are using the address ranges covered here, you should
+            already have reverse zones covering the addresses you use.
+            In practice this appears to not be the case with many queries
+            being made to the infrastructure servers for names in these
+            spaces.  So many in fact that sacrificial servers were needed
+            to be deployed to channel the query load away from the
+            infrastructure servers.
+          </p>
+          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+            The real parent servers for these zones should disable all
+            empty zone under the parent zone they serve.  For the real
+            root servers, this is all built-in empty zones.  This will
+            enable them to return referrals to deeper in the tree.
+          </p>
+</div>
+          <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>empty-server</strong></span></span></dt>
+<dd>
+                <p>
+                  Specify what server name will appear in the returned
+                  SOA record for empty zones.  If none is specified, then
+                  the zone's name will be used.
+                </p>
+               </dd>
+<dt><span class="term"><span class="command"><strong>empty-contact</strong></span></span></dt>
+<dd>
+                <p>
+                  Specify what contact name will appear in the returned
+                  SOA record for empty zones.  If none is specified, then
+                  "." will be used.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>empty-zones-enable</strong></span></span></dt>
+<dd>
+                <p>
+                  Enable or disable all empty zones.  By default, they
+                  are enabled.
+                </p>
+              </dd>
+<dt><span class="term"><span class="command"><strong>disable-empty-zone</strong></span></span></dt>
+<dd>
+                <p>
+                  Disable individual empty zones.  By default, none are
+                  disabled.  This option can be specified multiple times.
+                </p>
+              </dd>
+</dl></div>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="content_filtering"></a>Content Filtering</h4></div></div></div>
+
+          <p>
+            <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
+            out DNS responses from external DNS servers containing
+            certain types of data in the answer section.
+            Specifically, it can reject address (A or AAAA) records if
+            the corresponding IPv4 or IPv6 addresses match the given
+            <code class="varname">address_match_list</code> of the
+            <span class="command"><strong>deny-answer-addresses</strong></span> option.
+            It can also reject CNAME or DNAME records if the "alias"
+            name (i.e., the CNAME alias or the substituted query name
+            due to DNAME) matches the
+            given <code class="varname">namelist</code> of the
+            <span class="command"><strong>deny-answer-aliases</strong></span> option, where
+            "match" means the alias name is a subdomain of one of
+            the <code class="varname">name_list</code> elements.
+            If the optional <code class="varname">namelist</code> is specified
+            with <span class="command"><strong>except-from</strong></span>, records whose query name
+            matches the list will be accepted regardless of the filter
+            setting.
+            Likewise, if the alias name is a subdomain of the
+            corresponding zone, the <span class="command"><strong>deny-answer-aliases</strong></span>
+            filter will not apply;
+            for example, even if "example.com" is specified for
+            <span class="command"><strong>deny-answer-aliases</strong></span>,
+          </p>
+<pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
+
+          <p>
+            returned by an "example.com" server will be accepted.
+          </p>
+
+          <p>
+            In the <code class="varname">address_match_list</code> of the
+            <span class="command"><strong>deny-answer-addresses</strong></span> option, only
+            <code class="varname">ip_addr</code>
+            and <code class="varname">ip_prefix</code>
+            are meaningful;
+            any <code class="varname">key_id</code> will be silently ignored.
+          </p>
+
+          <p>
+            If a response message is rejected due to the filtering,
+            the entire message is discarded without being cached, and
+            a SERVFAIL error will be returned to the client.
+          </p>
+
+          <p>
+            This filtering is intended to prevent "DNS rebinding attacks," in
+            which an attacker, in response to a query for a domain name the
+            attacker controls, returns an IP address within your own network or
+            an alias name within your own domain.
+            A naive web browser or script could then serve as an
+            unintended proxy, allowing the attacker
+            to get access to an internal node of your local network
+            that couldn't be externally accessed otherwise.
+            See the paper available at
+            <a class="link" href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top">
+            http://portal.acm.org/citation.cfm?id=1315245.1315298
+            </a>
+            for more details about the attacks.
+          </p>
+
+          <p>
+            For example, if you own a domain named "example.net" and
+            your internal network uses an IPv4 prefix 192.0.2.0/24,
+            you might specify the following rules:
+          </p>
+
+<pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
+deny-answer-aliases { "example.net"; };
+</pre>
+
+          <p>
+            If an external attacker lets a web browser in your local
+            network look up an IPv4 address of "attacker.example.com",
+            the attacker's DNS server would return a response like this:
+          </p>
+
+<pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
+
+          <p>
+            in the answer section.
+            Since the rdata of this record (the IPv4 address) matches
+            the specified prefix 192.0.2.0/24, this response will be
+            ignored.
+          </p>
+
+          <p>
+            On the other hand, if the browser looks up a legitimate
+            internal web server "www.example.net" and the
+            following response is returned to
+            the <acronym class="acronym">BIND</acronym> 9 server
+          </p>
+
+<pre class="programlisting">www.example.net. A 192.0.2.2</pre>
+
+          <p>
+            it will be accepted since the owner name "www.example.net"
+            matches the <span class="command"><strong>except-from</strong></span> element,
+            "example.net".
+          </p>
+
+          <p>
+            Note that this is not really an attack on the DNS per se.
+            In fact, there is nothing wrong for an "external" name to
+            be mapped to your "internal" IP address or domain name
+            from the DNS point of view.
+            It might actually be provided for a legitimate purpose,
+            such as for debugging.
+            As long as the mapping is provided by the correct owner,
+            it is not possible or does not make sense to detect
+            whether the intent of the mapping is legitimate or not
+            within the DNS.
+            The "rebinding" attack must primarily be protected at the
+            application that uses the DNS.
+            For a large site, however, it may be difficult to protect
+            all possible applications at once.
+            This filtering feature is provided only to help such an
+            operational environment;
+            it is generally discouraged to turn it on unless you are
+            very sure you have no other choice and the attack is a
+            real threat for your applications.
+          </p>
+
+          <p>
+            Care should be particularly taken if you want to use this
+            option for addresses within 127.0.0.0/8.
+            These addresses are obviously "internal", but many
+            applications conventionally rely on a DNS mapping from
+            some name to such an address.
+            Filtering out DNS records containing this address
+            spuriously can break such applications.
+          </p>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="rpz"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
+
+          <p>
+            <acronym class="acronym">BIND</acronym> 9 includes a limited
+            mechanism to modify DNS responses for requests
+            analogous to email anti-spam DNS blacklists.
+            Responses can be changed to deny the existence of domains (NXDOMAIN),
+            deny the existence of IP addresses for domains (NODATA),
+            or contain other IP addresses or data.
+          </p>
+
+          <p>
+            Response policy zones are named in the
+            <span class="command"><strong>response-policy</strong></span> option for the view or among the
+            global options if there is no response-policy option for the view.
+            Response policy zones are ordinary DNS zones containing RRsets
+            that can be queried normally if allowed.
+            It is usually best to restrict those queries with something like
+            <span class="command"><strong>allow-query { localhost; };</strong></span>.
+            Note that zones using <span class="command"><strong>masterfile-format map</strong></span>
+            cannot be used as policy zones.
+          </p>
+
+          <p>
+            A <span class="command"><strong>response-policy</strong></span> option can support
+            multiple policy zones.  To maximize performance, a radix
+            tree is used to quickly identify response policy zones
+            containing triggers that match the current query.  This
+            imposes an upper limit of 32 on the number of policy zones
+            in a single <span class="command"><strong>response-policy</strong></span> option; more
+            than that is a configuration error.
+          </p>
+
+          <p>
+            Five policy triggers can be encoded in RPZ records.
+            </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>RPZ-CLIENT-IP</strong></span></span></dt>
+<dd>
+                  <p>
+                    IP records are triggered by the IP address of the
+                    DNS client.
+                    Client IP address triggers are encoded in records that have
+                    owner names that are subdomains of
+                    <span class="command"><strong>rpz-client-ip</strong></span> relativized to the
+                    policy zone origin name
+                    and encode an address or address block.
+                    IPv4 addresses are represented as
+                    <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-client-ip</code></strong>.
+                    The IPv4 prefix length must be between 1 and 32.
+                    All four bytes, B4, B3, B2, and B1, must be present.
+                    B4 is the decimal value of the least significant byte of the
+                    IPv4 address as in IN-ADDR.ARPA.
+                  </p>
+
+                  <p>
+                    IPv6 addresses are encoded in a format similar
+                    to the standard IPv6 text representation,
+                    <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip</code></strong>.
+                    Each of W8,...,W1 is a one to four digit hexadecimal number
+                    representing 16 bits of the IPv6 address as in the standard
+                    text representation of IPv6 addresses, but reversed as in
+                    IP6.ARPA. (Note that this representation of IPv6
+                    address is different from IP6.ARPA where each hex
+                    digit occupies a label.)
+                    All 8 words must be present except when one set of consecutive
+                    zero words is replaced with <strong class="userinput"><code>.zz.</code></strong>
+                    analogous to double colons (::) in standard IPv6 text
+                    encodings.
+                    The IPv6 prefix length must be between 1 and 128.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>QNAME</strong></span></span></dt>
+<dd>
+                  <p>
+                    QNAME policy records are triggered by query names of
+                    requests and targets of CNAME records resolved to generate
+                    the response.
+                    The owner name of a QNAME policy record is
+                    the query name relativized to the policy zone.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>RPZ-IP</strong></span></span></dt>
+<dd>
+                  <p>
+                    IP triggers are IP addresses in an
+                    A or AAAA record in the ANSWER section of a response.
+                    They are encoded like client-IP triggers except as
+                    subdomains of <span class="command"><strong>rpz-ip</strong></span>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>RPZ-NSDNAME</strong></span></span></dt>
+<dd>
+                  <p>
+                    NSDNAME triggers match names of authoritative servers
+                    for the query name, a parent of the query name, a CNAME for
+                    query name, or a parent of a CNAME.
+                    They are encoded as subdomains of
+                    <span class="command"><strong>rpz-nsdname</strong></span> relativized
+                    to the RPZ origin name.
+                    NSIP triggers match IP addresses in A and
+                    AAAA RRsets for domains that can be checked against NSDNAME
+                    policy records.
+                    The <span class="command"><strong>nsdname-enable</strong></span> phrase turns NSDNAME
+                    triggers off or on for a single policy zone or all
+                    zones.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>RPZ-NSIP</strong></span></span></dt>
+<dd>
+                  <p>
+                    NSIP triggers match the IP addresses of authoritative
+                    servers.  They are enncoded like IP triggers, except as
+                    subdomains of <span class="command"><strong>rpz-nsip</strong></span>.
+                    NSDNAME and NSIP triggers are checked only for names with at
+                    least <span class="command"><strong>min-ns-dots</strong></span> dots.
+                    The default value of <span class="command"><strong>min-ns-dots</strong></span> is
+                    1, to exclude top level domains.
+                    The <span class="command"><strong>nsip-enable</strong></span> phrase turns NSIP
+                    triggers off or on for a single policy zone or all
+                    zones.
+                  </p>
+                  <p>
+                    If a name server's IP address is not yet known,
+                    <span class="command"><strong>named</strong></span> will recursively look up
+                    the IP address before applying an RPZ-NSIP rule.
+                    This can cause a processing delay. To speed up
+                    processing at the cost of precision, the
+                    <span class="command"><strong>nsip-wait-recurse</strong></span> option
+                    can be used: when set to <strong class="userinput"><code>no</code></strong>,
+                    RPZ-NSIP rules will only be applied when a name
+                    servers's IP address has already been looked up and
+                    cached.  If a server's IP address is not in the
+                    cache, then the RPZ-NSIP rule will be ignored,
+                    but the address will be looked up in the
+                    background, and the rule will be applied
+                    to subsequent queries.  The default is
+                    <strong class="userinput"><code>yes</code></strong>, meaning RPZ-NSIP
+                    rules should always be applied even if an
+                    address needs to be looked up first.
+                  </p>
+                </dd>
+</dl></div>
+<p>
+          </p>
+
+          <p>
+            The query response is checked against all response policy zones,
+            so two or more policy records can be triggered by a response.
+            Because DNS responses are rewritten according to at most one
+            policy record, a single record encoding an action (other than
+            <span class="command"><strong>DISABLED</strong></span> actions) must be chosen.
+            Triggers or the records that encode them are chosen for the
+            rewriting in the following order:
+            </p>
+<div class="orderedlist"><ol class="orderedlist" type="1">
+<li class="listitem">Choose the triggered record in the zone that appears
+                first in the <span class="command"><strong>response-policy</strong></span> option.
+              </li>
+<li class="listitem">Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP
+                triggers in a single zone.
+              </li>
+<li class="listitem">Among NSDNAME triggers, prefer the
+                trigger that matches the smallest name under the DNSSEC ordering.
+              </li>
+<li class="listitem">Among IP or NSIP triggers, prefer the trigger
+                with the longest prefix.
+              </li>
+<li class="listitem">Among triggers with the same prefix length,
+                prefer the IP or NSIP trigger that matches
+                the smallest IP address.
+              </li>
+</ol></div>
+<p>
+          </p>
+
+          <p>
+            When the processing of a response is restarted to resolve
+            DNAME or CNAME records and a policy record set has
+            not been triggered,
+            all response policy zones are again consulted for the
+            DNAME or CNAME names and addresses.
+          </p>
+
+          <p>
+            RPZ record sets are any types of DNS record except
+            DNAME or DNSSEC that encode actions or responses to
+            individual queries.
+            Any of the policies can be used with any of the triggers.
+            For example, while the <span class="command"><strong>TCP-only</strong></span> policy is
+            commonly used with <span class="command"><strong>client-IP</strong></span> triggers,
+            it can be used with any type of trigger to force the use of
+            TCP for responses with owner names in a zone.
+            </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>PASSTHRU</strong></span></span></dt>
+<dd>
+                  <p>
+                    The whitelist policy is specified
+                    by a CNAME whose target is <span class="command"><strong>rpz-passthru</strong></span>.
+                    It causes the response to not be rewritten
+                    and is most often used to "poke holes" in policies for
+                    CIDR blocks.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>DROP</strong></span></span></dt>
+<dd>
+                  <p>
+                    The blacklist policy is specified
+                    by a CNAME whose target is <span class="command"><strong>rpz-drop</strong></span>.
+                    It causes the response to be discarded.
+                    Nothing is sent to the DNS client.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>TCP-Only</strong></span></span></dt>
+<dd>
+                  <p>
+                    The "slip" policy is specified
+                    by a CNAME whose target is <span class="command"><strong>rpz-tcp-only</strong></span>.
+                    It changes UDP responses to short, truncated DNS responses
+                    that require the DNS client to try again with TCP.
+                    It is used to mitigate distributed DNS reflection attacks.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>NXDOMAIN</strong></span></span></dt>
+<dd>
+                  <p>
+                    The domain undefined response is encoded
+                    by a CNAME whose target is the root domain (.)
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>NODATA</strong></span></span></dt>
+<dd>
+                  <p>
+                    The empty set of resource records is specified by
+                    CNAME whose target is the wildcard top-level
+                    domain (*.).
+                    It rewrites the response to NODATA or ANCOUNT=1.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>Local Data</strong></span></span></dt>
+<dd>
+                  <p>
+                    A set of ordinary DNS records can be used to answer queries.
+                    Queries for record types not the set are answered with
+                    NODATA.
+                  </p>
+
+                  <p>
+                    A special form of local data is a CNAME whose target is a
+                    wildcard such as *.example.com.
+                    It is used as if were an ordinary CNAME after the asterisk (*)
+                    has been replaced with the query name.
+                    The purpose for this special form is query logging in the
+                    walled garden's authority DNS server.
+                  </p>
+                </dd>
+</dl></div>
+<p>
+          </p>
+
+          <p>
+            All of the actions specified in all of the individual records
+            in a policy zone
+            can be overridden with a <span class="command"><strong>policy</strong></span> clause in the
+            <span class="command"><strong>response-policy</strong></span> option.
+            An organization using a policy zone provided by another
+            organization might use this mechanism to redirect domains
+            to its own walled garden.
+            </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>GIVEN</strong></span></span></dt>
+<dd>
+                  <p>The placeholder policy says "do not override but
+                    perform the action specified in the zone."
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>DISABLED</strong></span></span></dt>
+<dd>
+                  <p>
+                    The testing override policy causes policy zone records to do
+                    nothing but log what they would have done if the
+                    policy zone were not disabled.
+                    The response to the DNS query will be written (or not)
+                    according to any triggered policy records that are not
+                    disabled.
+                    Disabled policy zones should appear first,
+                    because they will often not be logged
+                    if a higher precedence trigger is found first.
+                  </p>
+                </dd>
+<dt>
+<span class="term"><span class="command"><strong>PASSTHRU</strong></span>, </span><span class="term"><span class="command"><strong>DROP</strong></span>, </span><span class="term"><span class="command"><strong>TCP-Only</strong></span>, </span><span class="term"><span class="command"><strong>NXDOMAIN</strong></span>, </span><span class="term"><span class="command"><strong>NODATA</strong></span></span>
+</dt>
+<dd>
+                  <p>
+                    override with the corresponding per-record policy.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>CNAME domain</strong></span></span></dt>
+<dd>
+                    <p>
+                      causes all RPZ policy records to act as if they were
+                      "cname domain" records.
+                    </p>
+                  </dd>
+</dl></div>
+<p>
+          </p>
+
+          <p>
+            By default, the actions encoded in a response policy zone
+            are applied only to queries that ask for recursion (RD=1).
+            That default can be changed for a single policy zone or
+            all response policy zones in a view
+            with a <span class="command"><strong>recursive-only no</strong></span> clause.
+            This feature is useful for serving the same zone files
+            both inside and outside an RFC 1918 cloud and using RPZ to
+            delete answers that would otherwise contain RFC 1918 values
+            on the externally visible name server or view.
+          </p>
+
+          <p>
+            Also by default, RPZ actions are applied only to DNS requests
+            that either do not request DNSSEC metadata (DO=0) or when no
+            DNSSEC records are available for request name in the original
+            zone (not the response policy zone).  This default can be
+            changed for all response policy zones in a view with a
+            <span class="command"><strong>break-dnssec yes</strong></span> clause.  In that case, RPZ
+            actions are applied regardless of DNSSEC.  The name of the
+            clause option reflects the fact that results rewritten by RPZ
+            actions cannot verify.
+          </p>
+
+          <p>
+            No DNS records are needed for a QNAME or Client-IP trigger.
+            The name or IP address itself is sufficient,
+            so in principle the query name need not be recursively resolved.
+            However, not resolving the requested
+            name can leak the fact that response policy rewriting is in use
+            and that the name is listed in a policy zone to operators of
+            servers for listed names.  To prevent that information leak, by
+            default any recursion needed for a request is done before any
+            policy triggers are considered.  Because listed domains often
+            have slow authoritative servers, this behavior can cost
+            significant time.
+            The <span class="command"><strong>qname-wait-recurse yes</strong></span> option
+            overrides the default and enables that behavior
+            when recursion cannot change a non-error response.
+            The option does not affect QNAME or client-IP triggers
+            in policy zones listed
+            after other zones containing IP, NSIP and NSDNAME triggers, because
+            those may depend on the A, AAAA, and NS records that would be
+            found during recursive resolution.  It also does not affect
+            DNSSEC requests (DO=1) unless <span class="command"><strong>break-dnssec yes</strong></span>
+            is in use, because the response would depend on whether or not
+            RRSIG records were found during resolution.
+            Using this option can cause error responses such as SERVFAIL to
+            appear to be rewritten, since no recursion is being done to
+            discover problems at the authoritative server.
+          </p>
+
+          <p>
+            The <span class="command"><strong>dnsrps-enable yes</strong></span> option turns on
+            the DNS Rsponse Policy Service (DNSRPS) interface, if it has been
+            compiled in to <span class="command"><strong>named</strong></span> using
+            <span class="command"><strong>configure --enable-dnsrps</strong></span>.
+          </p>
+
+          <p>
+            The <span class="command"><strong>dnsrps-options</strong></span> block provides additional
+            RPZ configuration settings, which are passed through to the
+            DNSRPS provider library.
+            Multiple DNSRPS settings in an <span class="command"><strong>dnsrps-options</strong></span>
+            string should be separated with semi-colons.
+            The DNSRPS provider, librpz, is passed a configuration string
+            consisting of the <span class="command"><strong>dnsrps-options</strong></span> text,
+            concatenated with settings derived from the
+            <span class="command"><strong>response-policy</strong></span> statement.
+          </p>
+
+          <p>
+            Note: The <span class="command"><strong>dnsrps-options</strong></span> text should only include
+            configuration settings that are specific to the DNSRPS
+            provider.  For example, the DNSRPS provider from
+            Farsight Security takes options such as
+            <span class="command"><strong>dnsrpzd-conf</strong></span>,
+            <span class="command"><strong>dnsrpzd-sock</strong></span>, and
+            <span class="command"><strong>dnzrpzd-args</strong></span> (for details of these options,
+            see the <span class="command"><strong>librpz</strong></span> documentation).
+            Other RPZ configuration settings could be included in
+            <span class="command"><strong>dnsrps-options</strong></span>
+            as well, but if <span class="command"><strong>named</strong></span> were switched
+            back to traditional RPZ by setting
+            <span class="command"><strong>dnsrps-enable</strong></span> to "no", those options would
+            be ignored.
+          </p>
+
+          <p>
+            The TTL of a record modified by RPZ policies is set from the
+            TTL of the relevant record in policy zone.  It is then limited
+            to a maximum value.
+            The <span class="command"><strong>max-policy-ttl</strong></span> clause changes the
+            maximum seconds from its default of 5.
+          </p>
+
+          <p>
+            For example, you might use this option statement
+          </p>
+<pre class="programlisting">    response-policy { zone "badlist"; };</pre>
+          <p>
+            and this zone statement
+          </p>
+<pre class="programlisting">    zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
+          <p>
+            with this zone file
+          </p>
+<pre class="programlisting">$TTL 1H
+@                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
+                        NS  LOCALHOST.
+
+; QNAME policy records.  There are no periods (.) after the owner names.
+nxdomain.domain.com     CNAME   .               ; NXDOMAIN policy
+*.nxdomain.domain.com   CNAME   .               ; NXDOMAIN policy
+nodata.domain.com       CNAME   *.              ; NODATA policy
+*.nodata.domain.com     CNAME   *.              ; NODATA policy
+bad.domain.com          A       10.0.0.1        ; redirect to a walled garden
+                        AAAA    2001:2::1
+bzone.domain.com        CNAME   garden.example.com.
+
+; do not rewrite (PASSTHRU) OK.DOMAIN.COM
+ok.domain.com           CNAME   rpz-passthru.
+
+; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
+*.bzone.domain.com      CNAME   *.garden.example.com.
+
+
+; IP policy records that rewrite all responses containing A records in 127/8
+;       except 127.0.0.1
+8.0.0.0.127.rpz-ip      CNAME   .
+32.1.0.0.127.rpz-ip     CNAME   rpz-passthru.
+
+; NSDNAME and NSIP policy records
+ns.domain.com.rpz-nsdname   CNAME   .
+48.zz.2.2001.rpz-nsip       CNAME   .
+
+; blacklist and whitelist some DNS clients
+112.zz.2001.rpz-client-ip    CNAME   rpz-drop.
+8.0.0.0.127.rpz-client-ip    CNAME   rpz-drop.
+
+; force some DNS clients and responses in the example.com zone to TCP
+16.0.0.1.10.rpz-client-ip   CNAME   rpz-tcp-only.
+example.com                 CNAME   rpz-tcp-only.
+*.example.com               CNAME   rpz-tcp-only.
+
+</pre>
+          <p>
+            RPZ can affect server performance.
+            Each configured response policy zone requires the server to
+            perform one to four additional database lookups before a
+            query can be answered.
+            For example, a DNS server with four policy zones, each with all
+            four kinds of response triggers, QNAME, IP, NSIP, and
+            NSDNAME, requires a total of 17 times as many database
+            lookups as a similar DNS server with no response policy zones.
+            A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
+            response policy zone with QNAME and IP triggers might achieve a
+            maximum queries-per-second rate about 20% lower.
+            A server with four response policy zones with QNAME and IP
+            triggers might have a maximum QPS rate about 50% lower.
+          </p>
+
+          <p>
+            Responses rewritten by RPZ are counted in the
+            <span class="command"><strong>RPZRewrites</strong></span> statistics.
+          </p>
+
+          <p>
+            The <span class="command"><strong>log</strong></span> clause can be used to optionally
+            turn off rewrite logging for a particular response policy
+            zone. By default, all rewrites are logged.
+          </p>
+
+          <p>
+            Updates to RPZ zones are processed asynchronously; if there
+            is more than one update pending they are bundled together.
+            If an update to a RPZ zone (for example, via IXFR) happens less
+            than <code class="option">min-update-interval</code> seconds after the most
+            recent update, then the changes will not be carried out until this
+            interval has elapsed.  The default is <code class="literal">5</code> seconds.
+          </p>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="rrl"></a>Response Rate Limiting</h4></div></div></div>
+
+          <p>
+            Excessive almost identical UDP <span class="emphasis"><em>responses</em></span>
+            can be controlled by configuring a
+            <span class="command"><strong>rate-limit</strong></span> clause in an
+            <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> statement.
+            This mechanism keeps authoritative BIND 9 from being used
+            in amplifying reflection denial of service (DoS) attacks.
+            Short truncated (TC=1) responses can be sent to provide
+            rate-limited responses to legitimate clients within
+            a range of forged, attacked IP addresses.
+            Legitimate clients react to dropped or truncated response
+            by retrying with UDP or with TCP respectively.
+          </p>
+
+          <p>
+            This mechanism is intended for authoritative DNS servers.
+            It can be used on recursive servers but can slow
+            applications such as SMTP servers (mail receivers) and
+            HTTP clients (web browsers) that repeatedly request the
+            same domains.
+            When possible, closing "open" recursive servers is better.
+          </p>
+
+          <p>
+            Response rate limiting uses a "credit" or "token bucket" scheme.
+            Each combination of identical response and client
+            has a conceptual account that earns a specified number
+            of credits every second.
+            A prospective response debits its account by one.
+            Responses are dropped or truncated
+            while the account is negative.
+            Responses are tracked within a rolling window of time
+            which defaults to 15 seconds, but can be configured with
+            the <span class="command"><strong>window</strong></span> option to any value from
+            1 to 3600 seconds (1 hour).
+            The account cannot become more positive than
+            the per-second limit
+            or more negative than <span class="command"><strong>window</strong></span>
+            times the per-second limit.
+            When the specified number of credits for a class of
+            responses is set to 0, those responses are not rate limited.
+          </p>
+
+          <p>
+            The notions of "identical response" and "DNS client"
+            for rate limiting are not simplistic.
+            All responses to an address block are counted as if to a
+            single client.
+            The prefix lengths of addresses blocks are
+            specified with <span class="command"><strong>ipv4-prefix-length</strong></span> (default 24)
+            and <span class="command"><strong>ipv6-prefix-length</strong></span> (default 56).
+          </p>
+
+          <p>
+            All non-empty responses for a valid domain name (qname)
+            and record type (qtype) are identical and have a limit specified
+            with <span class="command"><strong>responses-per-second</strong></span>
+            (default 0 or no limit).
+            All empty (NODATA) responses for a valid domain,
+            regardless of query type, are identical.
+            Responses in the NODATA class are limited by
+            <span class="command"><strong>nodata-per-second</strong></span>
+            (default <span class="command"><strong>responses-per-second</strong></span>).
+            Requests for any and all undefined subdomains of a given
+            valid domain result in NXDOMAIN errors, and are identical
+            regardless of query type.
+            They are limited by <span class="command"><strong>nxdomains-per-second</strong></span>
+            (default <span class="command"><strong>responses-per-second</strong></span>).
+            This controls some attacks using random names, but
+            can be relaxed or turned off (set to 0)
+            on servers that expect many legitimate
+            NXDOMAIN responses, such as from anti-spam blacklists.
+            Referrals or delegations to the server of a given
+            domain are identical and are limited by
+            <span class="command"><strong>referrals-per-second</strong></span>
+            (default <span class="command"><strong>responses-per-second</strong></span>).
+          </p>
+
+          <p>
+            Responses generated from local wildcards are counted and limited
+            as if they were for the parent domain name.
+            This controls flooding using random.wild.example.com.
+          </p>
+
+          <p>
+            All requests that result in DNS errors other
+            than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
+            regardless of requested name (qname) or record type (qtype).
+            This controls attacks using invalid requests or distant,
+            broken authoritative servers.
+            By default the limit on errors is the same as the
+            <span class="command"><strong>responses-per-second</strong></span> value,
+            but it can be set separately with
+            <span class="command"><strong>errors-per-second</strong></span>.
+          </p>
+
+          <p>
+            Many attacks using DNS involve UDP requests with forged source
+            addresses.
+            Rate limiting prevents the use of BIND 9 to flood a network
+            with responses to requests with forged source addresses,
+            but could let a third party block responses to legitimate requests.
+            There is a mechanism that can answer some legitimate
+            requests from a client whose address is being forged in a flood.
+            Setting <span class="command"><strong>slip</strong></span> to 2 (its default) causes every
+            other UDP request to be answered with a small truncated (TC=1)
+            response.
+            The small size and reduced frequency, and so lack of
+            amplification, of "slipped" responses make them unattractive
+            for reflection DoS attacks.
+            <span class="command"><strong>slip</strong></span> must be between 0 and 10.
+            A value of 0 does not "slip":
+            no truncated responses are sent due to rate limiting,
+            all responses are dropped.
+            A value of 1 causes every response to slip;
+            values between 2 and 10 cause every n'th response to slip.
+            Some error responses including REFUSED and SERVFAIL
+            cannot be replaced with truncated responses and are instead
+            leaked at the <span class="command"><strong>slip</strong></span> rate.
+          </p>
+
+          <p>
+            (NOTE: Dropped responses from an authoritative server may
+            reduce the difficulty of a third party successfully forging
+            a response to a recursive resolver. The best security
+            against forged responses is for authoritative operators
+            to sign their zones using DNSSEC and for resolver operators
+            to validate the responses. When this is not an option,
+            operators who are more concerned with response integrity
+            than with flood mitigation may consider setting
+            <span class="command"><strong>slip</strong></span> to 1, causing all rate-limited
+            responses to be truncated rather than dropped.  This reduces
+            the effectiveness of rate-limiting against reflection attacks.)
+          </p>
+
+          <p>
+            When the approximate query per second rate exceeds
+            the <span class="command"><strong>qps-scale</strong></span> value,
+            then the <span class="command"><strong>responses-per-second</strong></span>,
+            <span class="command"><strong>errors-per-second</strong></span>,
+            <span class="command"><strong>nxdomains-per-second</strong></span> and
+            <span class="command"><strong>all-per-second</strong></span> values are reduced by the
+            ratio of the current rate to the <span class="command"><strong>qps-scale</strong></span> value.
+            This feature can tighten defenses during attacks.
+            For example, with
+            <span class="command"><strong>qps-scale 250; responses-per-second 20;</strong></span> and
+            a total query rate of 1000 queries/second for all queries from
+            all DNS clients including via TCP,
+            then the effective responses/second limit changes to
+            (250/1000)*20 or 5.
+            Responses sent via TCP are not limited
+            but are counted to compute the query per second rate.
+          </p>
+
+          <p>
+            Rate limiters for different name spaces maintain
+            separate counters: If, for example, there is a
+            <span class="command"><strong>rate-limit</strong></span> statement for "com" and
+            another for "example.com", queries matching "example.com"
+            will not be debited against the rate limiter for "com".
+          </p>
+
+          <p>
+            If a <span class="command"><strong>rate-limit</strong></span> statement does not specify a
+            <span class="command"><strong>domain</strong></span>, then it applies to the root domain
+            (".") and thus affects the entire DNS namespace, except those
+            portions covered by other <span class="command"><strong>rate-limit</strong></span>
+            statements.
+          </p>
+
+          <p>
+            Communities of DNS clients can be given their own parameters or no
+            rate limiting by putting
+            <span class="command"><strong>rate-limit</strong></span> statements in <span class="command"><strong>view</strong></span>
+            statements instead of the global <span class="command"><strong>option</strong></span>
+            statement.
+            A <span class="command"><strong>rate-limit</strong></span> statement in a view replaces,
+            rather than supplementing, a <span class="command"><strong>rate-limit</strong></span>
+            statement among the main options.
+            DNS clients within a view can be exempted from rate limits
+            with the <span class="command"><strong>exempt-clients</strong></span> clause.
+          </p>
+
+          <p>
+            UDP responses of all kinds can be limited with the
+            <span class="command"><strong>all-per-second</strong></span> phrase.  This rate
+            limiting is unlike the rate limiting provided by
+            <span class="command"><strong>responses-per-second</strong></span>,
+            <span class="command"><strong>errors-per-second</strong></span>, and
+            <span class="command"><strong>nxdomains-per-second</strong></span> on a DNS server
+            which are often invisible to the victim of a DNS
+            reflection attack.  Unless the forged requests of the
+            attack are the same as the legitimate requests of the
+            victim, the victim's requests are not affected.  Responses
+            affected by an <span class="command"><strong>all-per-second</strong></span> limit
+            are always dropped; the <span class="command"><strong>slip</strong></span> value
+            has no effect.  An <span class="command"><strong>all-per-second</strong></span>
+            limit should be at least 4 times as large as the other
+            limits, because single DNS clients often send bursts
+            of legitimate requests.  For example, the receipt of a
+            single mail message can prompt requests from an SMTP
+            server for NS, PTR, A, and AAAA records as the incoming
+            SMTP/TCP/IP connection is considered.  The SMTP server
+            can need additional NS, A, AAAA, MX, TXT, and SPF records
+            as it considers the STMP <span class="command"><strong>Mail From</strong></span>
+            command.  Web browsers often repeatedly resolve the
+            same names that are repeated in HTML &lt;IMG&gt; tags
+            in a page.  <span class="command"><strong>all-per-second</strong></span> is similar
+            to the rate limiting offered by firewalls but often
+            inferior.  Attacks that justify ignoring the contents
+            of DNS responses are likely to be attacks on the DNS
+            server itself.  They usually should be discarded before
+            the DNS server spends resources make TCP connections
+            or parsing DNS requests, but that rate limiting must
+            be done before the DNS server sees the requests.
+          </p>
+
+          <p>
+            The maximum size of the table used to track requests and
+            rate limit responses is set with <span class="command"><strong>max-table-size</strong></span>.
+            Each entry in the table is between 40 and 80 bytes.
+            The table needs approximately as many entries as the number
+            of requests received per second.
+            The default is 20,000.
+            To reduce the cold start of growing the table,
+            <span class="command"><strong>min-table-size</strong></span> (default 500)
+            can set the minimum table size.
+            Enable <span class="command"><strong>rate-limit</strong></span> category logging to monitor
+            expansions of the table and inform
+            choices for the initial and maximum table size.
+          </p>
+
+          <p>
+            Use <span class="command"><strong>log-only yes</strong></span> to test rate limiting parameters
+            without actually dropping any requests.
+          </p>
+
+          <p>
+            Responses dropped by rate limits are included in the
+            <span class="command"><strong>RateDropped</strong></span> and <span class="command"><strong>QryDropped</strong></span>
+            statistics.
+            Responses that truncated by rate limits are included in
+            <span class="command"><strong>RateSlipped</strong></span> and <span class="command"><strong>RespTruncated</strong></span>.
+          </p>
+        </div>
+
+        <div class="section">
+<div class="titlepage"></div>
+          <p>
+            Named supports NXDOMAIN redirection via two methods:
+            </p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">Redirect zone <a class="xref" href="Bv9ARM.ch05.html#zone_statement_grammar" title="zone Statement Grammar">the section called &#8220;<span class="command"><strong>zone</strong></span>
+            Statement Grammar&#8221;</a>
+</li>
+<li class="listitem">Redirect namespace</li>
+</ul></div>
+<p>
+          </p>
+          <p>
+            With both methods when named gets a NXDOMAIN response
+            it examines a separate namespace to see if the NXDOMAIN
+            response should be replaced with an alternative response.
+          </p>
+          <p>
+            With a redirect zone (<span class="command"><strong>zone "." { type redirect; };</strong></span>), the
+            data used to replace the NXDOMAIN is held in a single
+            zone which is not part of the normal namespace.  All the
+            redirect information is contained in the zone; there are
+            no delegations.
+          </p>
+          <p>
+            With a redirect namespace (<span class="command"><strong>option { nxdomain-redirect
+            &lt;suffix&gt; };</strong></span>) the data used to replace the
+            NXDOMAIN is part of the normal namespace and is looked up by
+            appending the specified suffix to the original query name.
+            This roughly doubles the cache required to process NXDOMAIN
+            responses as you have the original NXDOMAIN response and
+            the replacement data or a NXDOMAIN indicating that there
+            is no replacement.
+          </p>
+          <p>
+            If both a redirect zone and a redirect namespace are configured,
+            the redirect zone is tried first.
+          </p>
+        </div>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="server_statement_grammar"></a><span class="command"><strong>server</strong></span> Statement Grammar</h3></div></div></div>
+        <pre class="programlisting">
+<span class="command"><strong>server</strong></span> <em class="replaceable"><code>netprefix</code></em> {
+       <span class="command"><strong>bogus</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>edns</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>edns-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>edns-version</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>keys</strong></span> <em class="replaceable"><code>server_key</code></em>;
+       <span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
+           <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]
+           [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>padding</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>query-source</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (
+           <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]
+           <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>query-source-v6</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (
+           <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]
+           <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>request-nsid</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>send-cookie</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>tcp-keepalive</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>tcp-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>transfer-format</strong></span> ( many-answers | one-answer );
+       <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
+           <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )
+           ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>transfers</strong></span> <em class="replaceable"><code>integer</code></em>;
+};
+</pre>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="server_statement_definition_and_usage"></a><span class="command"><strong>server</strong></span> Statement Definition and
+            Usage</h3></div></div></div>
+
+          <p>
+            The <span class="command"><strong>server</strong></span> statement defines
+            characteristics
+            to be associated with a remote name server.  If a prefix length is
+            specified, then a range of servers is covered.  Only the most
+            specific
+            server clause applies regardless of the order in
+            <code class="filename">named.conf</code>.
+          </p>
+
+          <p>
+            The <span class="command"><strong>server</strong></span> statement can occur at
+            the top level of the
+            configuration file or inside a <span class="command"><strong>view</strong></span>
+            statement.
+            If a <span class="command"><strong>view</strong></span> statement contains
+            one or more <span class="command"><strong>server</strong></span> statements, only
+            those
+            apply to the view and any top-level ones are ignored.
+            If a view contains no <span class="command"><strong>server</strong></span>
+            statements,
+            any top-level <span class="command"><strong>server</strong></span> statements are
+            used as
+            defaults.
+          </p>
+
+          <p>
+            If you discover that a remote server is giving out bad data,
+            marking it as bogus will prevent further queries to it. The
+            default
+            value of <span class="command"><strong>bogus</strong></span> is <span class="command"><strong>no</strong></span>.
+          </p>
+          <p>
+            The <span class="command"><strong>provide-ixfr</strong></span> clause determines
+            whether
+            the local server, acting as master, will respond with an
+            incremental
+            zone transfer when the given remote server, a slave, requests it.
+            If set to <span class="command"><strong>yes</strong></span>, incremental transfer
+            will be provided
+            whenever possible. If set to <span class="command"><strong>no</strong></span>,
+            all transfers
+            to the remote server will be non-incremental. If not set, the
+            value
+            of the <span class="command"><strong>provide-ixfr</strong></span> option in the
+            view or
+            global options block is used as a default.
+          </p>
+
+          <p>
+            The <span class="command"><strong>request-ixfr</strong></span> clause determines
+            whether
+            the local server, acting as a slave, will request incremental zone
+            transfers from the given remote server, a master. If not set, the
+            value of the <span class="command"><strong>request-ixfr</strong></span> option in
+            the view or global options block is used as a default. It may
+            also be set in the zone block and, if set there, it will
+            override the global or view setting for that zone.
+          </p>
+
+          <p>
+            IXFR requests to servers that do not support IXFR will
+            automatically
+            fall back to AXFR.  Therefore, there is no need to manually list
+            which servers support IXFR and which ones do not; the global
+            default
+            of <span class="command"><strong>yes</strong></span> should always work.
+            The purpose of the <span class="command"><strong>provide-ixfr</strong></span> and
+            <span class="command"><strong>request-ixfr</strong></span> clauses is
+            to make it possible to disable the use of IXFR even when both
+            master
+            and slave claim to support it, for example if one of the servers
+            is buggy and crashes or corrupts data when IXFR is used.
+          </p>
+
+          <p>
+            The <span class="command"><strong>request-expire</strong></span> clause determines
+            whether the local server, when acting as a slave, will
+            request the EDNS EXPIRE value.  The EDNS EXPIRE value
+            indicates the remaining time before the zone data will
+            expire and need to be be refreshed.  This is used
+            when a secondary server transfers a zone from another
+            secondary server; when transferring from the primary, the
+            expiration timer is set from the EXPIRE field of the SOA
+            record instead.
+            The default is <span class="command"><strong>yes</strong></span>.
+          </p>
+
+          <p>
+            The <span class="command"><strong>edns</strong></span> clause determines whether
+            the local server will attempt to use EDNS when communicating
+            with the remote server.  The default is <span class="command"><strong>yes</strong></span>.
+          </p>
+
+          <p>
+            The <span class="command"><strong>edns-udp-size</strong></span> option sets the
+            EDNS UDP size that is advertised by <span class="command"><strong>named</strong></span>
+            when querying the remote server.  Valid values are 512
+            to 4096 bytes (values outside this range will be silently
+            adjusted to the nearest value within it).  This option
+            is useful when you wish to advertise a different value
+            to this server than the value you advertise globally,
+            for example, when there is a firewall at the remote
+            site that is blocking large replies. (Note: Currently,
+            this sets a single UDP size for all packets sent to the
+            server; <span class="command"><strong>named</strong></span> will not deviate from
+            this value.  This differs from the behavior of
+            <span class="command"><strong>edns-udp-size</strong></span> in <span class="command"><strong>options</strong></span>
+            or <span class="command"><strong>view</strong></span> statements, where it specifies
+            a maximum value. The <span class="command"><strong>server</strong></span> statement
+            behavior may be brought into conformance with the
+            <span class="command"><strong>options/view</strong></span> behavior in future releases.)
+          </p>
+
+          <p>
+            The <span class="command"><strong>edns-version</strong></span> option sets the
+            maximum EDNS VERSION that will be sent to the server(s)
+            by the resolver.  The actual EDNS version sent is still
+            subject to normal EDNS version negotiation rules (see
+            RFC 6891), the maximum EDNS version supported by the
+            server, and any other heuristics that indicate that a
+            lower version should be sent.  This option is intended
+            to be used when a remote server reacts badly to a given
+            EDNS version or higher; it should be set to the highest
+            version the remote server is known to support.  Valid
+            values are 0 to 255; higher values will be silently
+            adjusted.  This option will not be needed until higher
+            EDNS versions than 0 are in use.
+          </p>
+
+          <p>
+            The <span class="command"><strong>max-udp-size</strong></span> option sets the
+            maximum EDNS UDP message size <span class="command"><strong>named</strong></span>
+            will send.  Valid values are 512 to 4096 bytes (values
+            outside this range will be silently adjusted).  This
+            option is useful when you know that there is a firewall
+            that is blocking large replies from <span class="command"><strong>named</strong></span>.
+          </p>
+
+          <p>
+            The <span class="command"><strong>padding</strong></span> option adds EDNS Padding
+            options to outgoing messages, increasing the packet size to
+            a multiple of the specified block size. Valid block sizes
+            range from 0 (the default, which disables the use of
+            EDNS Padding) to 512 bytes.  Larger values will be reduced
+            to 512, with a logged warning.
+            Note: This option is not currently compatible with no TSIG
+            or SIG(0), as the EDNS OPT record containing the padding
+            would have to be added to the packet after it had already
+            been signed.
+          </p>
+
+          <p>
+            The <span class="command"><strong>tcp-only</strong></span> option sets the transport
+            protocol to TCP. The default is to use the UDP transport
+            and to fallback on TCP only when a truncated response
+            is received.
+          </p>
+
+          <p>
+            The <span class="command"><strong>tcp-keepalive</strong></span> option adds EDNS
+            TCP keepalive to messages sent over TCP. Note currently
+            idle timeouts in responses are ignored.
+          </p>
+
+          <p>
+            The server supports two zone transfer methods. The first, <span class="command"><strong>one-answer</strong></span>,
+            uses one DNS message per resource record transferred. <span class="command"><strong>many-answers</strong></span> packs
+            as many resource records as possible into a message. <span class="command"><strong>many-answers</strong></span> is
+            more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
+            8.x, and patched versions of <acronym class="acronym">BIND</acronym>
+            4.9.5. You can specify which method
+            to use for a server with the <span class="command"><strong>transfer-format</strong></span> option.
+            If <span class="command"><strong>transfer-format</strong></span> is not
+            specified, the <span class="command"><strong>transfer-format</strong></span>
+            specified
+            by the <span class="command"><strong>options</strong></span> statement will be
+            used.
+          </p>
+
+          <p><span class="command"><strong>transfers</strong></span>
+            is used to limit the number of concurrent inbound zone
+            transfers from the specified server. If no
+            <span class="command"><strong>transfers</strong></span> clause is specified, the
+            limit is set according to the
+            <span class="command"><strong>transfers-per-ns</strong></span> option.
+          </p>
+
+          <p>
+            The <span class="command"><strong>keys</strong></span> clause identifies a
+            <span class="command"><strong>key_id</strong></span> defined by the <span class="command"><strong>key</strong></span> statement,
+            to be used for transaction security (TSIG, <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
+            when talking to the remote server.
+            When a request is sent to the remote server, a request signature
+            will be generated using the key specified here and appended to the
+            message. A request originating from the remote server is not
+            required
+            to be signed by this key.
+          </p>
+
+          <p>
+            Only a single key per server is currently supported.
+          </p>
+
+          <p>
+            The <span class="command"><strong>transfer-source</strong></span> and
+            <span class="command"><strong>transfer-source-v6</strong></span> clauses specify
+            the IPv4 and IPv6 source
+            address to be used for zone transfer with the remote server,
+            respectively.
+            For an IPv4 remote server, only <span class="command"><strong>transfer-source</strong></span> can
+            be specified.
+            Similarly, for an IPv6 remote server, only
+            <span class="command"><strong>transfer-source-v6</strong></span> can be
+            specified.
+            For more details, see the description of
+            <span class="command"><strong>transfer-source</strong></span> and
+            <span class="command"><strong>transfer-source-v6</strong></span> in
+            <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+          </p>
+
+          <p>
+            The <span class="command"><strong>notify-source</strong></span> and
+            <span class="command"><strong>notify-source-v6</strong></span> clauses specify the
+            IPv4 and IPv6 source address to be used for notify
+            messages sent to remote servers, respectively.  For an
+            IPv4 remote server, only <span class="command"><strong>notify-source</strong></span>
+            can be specified.  Similarly, for an IPv6 remote server,
+            only <span class="command"><strong>notify-source-v6</strong></span> can be specified.
+          </p>
+
+          <p>
+            The <span class="command"><strong>query-source</strong></span> and
+            <span class="command"><strong>query-source-v6</strong></span> clauses specify the
+            IPv4 and IPv6 source address to be used for queries
+            sent to remote servers, respectively.  For an IPv4
+            remote server, only <span class="command"><strong>query-source</strong></span> can
+            be specified.  Similarly, for an IPv6 remote server,
+            only <span class="command"><strong>query-source-v6</strong></span> can be specified.
+          </p>
+
+          <p>
+            The <span class="command"><strong>request-nsid</strong></span> clause determines
+            whether the local server will add a NSID EDNS option
+            to requests sent to the server.  This overrides
+            <span class="command"><strong>request-nsid</strong></span> set at the view or
+            option level.
+          </p>
+
+          <p>
+            The <span class="command"><strong>send-cookie</strong></span> clause determines
+            whether the local server will add a COOKIE EDNS option
+            to requests sent to the server.  This overrides
+            <span class="command"><strong>send-cookie</strong></span> set at the view or
+            option level.  The <span class="command"><strong>named</strong></span> server may
+            determine that COOKIE is not supported by the remote server
+            and not add a COOKIE EDNS option to requests.
+          </p>
+        </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
+        <pre class="programlisting">
+<span class="command"><strong>statistics-channels</strong></span> {
+       <span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
+           * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
+           <span class="command"><strong>allow</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ...
+           } ];
+};
+</pre>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
+            Usage</h3></div></div></div>
+
+        <p>
+          The <span class="command"><strong>statistics-channels</strong></span> statement
+          declares communication channels to be used by system
+          administrators to get access to statistics information of
+          the name server.
+        </p>
+
+        <p>
+          This statement intends to be flexible to support multiple
+          communication protocols in the future, but currently only
+          HTTP access is supported.
+          It requires that BIND 9 be compiled with libxml2 and/or
+          json-c (also known as libjson0); the
+          <span class="command"><strong>statistics-channels</strong></span> statement is
+          still accepted even if it is built without the library,
+          but any HTTP access will fail with an error.
+        </p>
+
+        <p>
+          An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
+          listening at the specified <span class="command"><strong>ip_port</strong></span> on the
+          specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
+          address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code>
+          (asterisk) is
+          interpreted as the IPv4 wildcard address; connections will be
+          accepted on any of the system's IPv4 addresses.
+          To listen on the IPv6 wildcard address,
+          use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
+        </p>
+
+        <p>
+          If no port is specified, port 80 is used for HTTP channels.
+          The asterisk "<code class="literal">*</code>" cannot be used for
+          <span class="command"><strong>ip_port</strong></span>.
+        </p>
+
+        <p>
+          The attempt of opening a statistics channel is
+          restricted by the optional <span class="command"><strong>allow</strong></span> clause.
+          Connections to the statistics channel are permitted based on the
+          <span class="command"><strong>address_match_list</strong></span>.
+          If no <span class="command"><strong>allow</strong></span> clause is present,
+          <span class="command"><strong>named</strong></span> accepts connection
+          attempts from any address; since the statistics may
+          contain sensitive internal information, it is highly
+          recommended to restrict the source of connection requests
+          appropriately.
+        </p>
+
+        <p>
+          If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
+          <span class="command"><strong>named</strong></span> will not open any communication channels.
+        </p>
+
+        <p>
+          The statistics are available in various formats and views
+          depending on the URI used to access them.  For example, if
+          the statistics channel is configured to listen on 127.0.0.1
+          port 8888, then the statistics are accessible in XML format at
+          <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
+          <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
+          included which can format the XML statistics into tables
+          when viewed with a stylesheet-capable browser, and into
+          charts and graphs using the Google Charts API when using a
+          javascript-capable browser.
+        </p>
+
+        <p>
+          Applications that depend on a particular XML schema
+          can request
+          <a class="link" href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2
+          of the statistics XML schema or
+          <a class="link" href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
+          If the requested schema is supported by the server, then
+          it will respond; if not, it will return a "page not found"
+          error.
+        </p>
+
+        <p>
+          Broken-out subsets of the statistics can be viewed at
+          <a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
+          (server uptime and last reconfiguration time),
+          <a class="link" href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a>
+          (server and resolver statistics),
+          <a class="link" href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a>
+          (zone statistics),
+          <a class="link" href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a>
+          (network status and socket statistics),
+          <a class="link" href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a>
+          (memory manager statistics),
+          <a class="link" href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a>
+          (task manager statistics), and
+          <a class="link" href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
+          (traffic sizes).
+        </p>
+
+        <p>
+          The full set of statistics can also be read in JSON format at
+          <a class="link" href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
+          with the broken-out subsets at
+          <a class="link" href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
+          (server uptime and last reconfiguration time),
+          <a class="link" href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
+          (server and resolver statistics),
+          <a class="link" href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a>
+          (zone statistics),
+          <a class="link" href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a>
+          (network status and socket statistics),
+          <a class="link" href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a>
+          (memory manager statistics),
+          <a class="link" href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a>
+          (task manager statistics), and
+          <a class="link" href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
+          (traffic sizes).
+        </p>
+      </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+        <pre class="programlisting">
+<span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
+</pre>
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
+            and Usage</h3></div></div></div>
+
+          <p>
+            The <span class="command"><strong>trusted-keys</strong></span> statement defines
+            DNSSEC security roots. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
+            public key for a non-authoritative zone is known, but
+            cannot be securely obtained through DNS, either because
+            it is the DNS root zone or because its parent zone is
+            unsigned.  Once a key has been configured as a trusted
+            key, it is treated as if it had been validated and
+            proven secure. The resolver attempts DNSSEC validation
+            on all DNS data in subdomains of a security root.
+          </p>
+          <p>
+            All keys (and corresponding zones) listed in
+            <span class="command"><strong>trusted-keys</strong></span> are deemed to exist regardless
+            of what parent zones say.  Similarly for all keys listed in
+            <span class="command"><strong>trusted-keys</strong></span> only those keys are
+            used to validate the DNSKEY RRset.  The parent's DS RRset
+            will not be used.
+          </p>
+          <p>
+            The <span class="command"><strong>trusted-keys</strong></span> statement can contain
+            multiple key entries, each consisting of the key's
+            domain name, flags, protocol, algorithm, and the Base64
+            representation of the key data.
+            Spaces, tabs, newlines and carriage returns are ignored
+            in the key data, so the configuration may be split up into
+            multiple lines.
+          </p>
+          <p>
+            <span class="command"><strong>trusted-keys</strong></span> may be set at the top level
+            of <code class="filename">named.conf</code> or within a view.  If it is
+            set in both places, they are additive: keys defined at the top
+            level are inherited by all views, but keys defined in a view
+            are only used within that view.
+          </p>
+          <p>
+            Validation below specified names can be temporarily disabled
+            by using <span class="command"><strong>rndc nta</strong></span>.
+          </p>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
+        <pre class="programlisting">
+<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
+    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
+</pre>
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
+            and Usage</h3></div></div></div>
+
+          <p>
+            The <span class="command"><strong>managed-keys</strong></span> statement, like
+            <span class="command"><strong>trusted-keys</strong></span>, defines DNSSEC
+            security roots.  The difference is that
+            <span class="command"><strong>managed-keys</strong></span> can be kept up to date
+            automatically, without intervention from the resolver
+            operator.
+          </p>
+          <p>
+            Suppose, for example, that a zone's key-signing
+            key was compromised, and the zone owner had to revoke and
+            replace the key.  A resolver which had the old key in a
+            <span class="command"><strong>trusted-keys</strong></span> statement would be
+            unable to validate this zone any longer; it would
+            reply with a SERVFAIL response code.  This would
+            continue until the resolver operator had updated the
+            <span class="command"><strong>trusted-keys</strong></span> statement with the new key.
+          </p>
+          <p>
+            If, however, the zone were listed in a
+            <span class="command"><strong>managed-keys</strong></span> statement instead, then the
+            zone owner could add a "stand-by" key to the zone in advance.
+            <span class="command"><strong>named</strong></span> would store the stand-by key, and
+            when the original key was revoked, <span class="command"><strong>named</strong></span>
+            would be able to transition smoothly to the new key.  It would
+            also recognize that the old key had been revoked, and cease
+            using that key to validate answers, minimizing the damage that
+            the compromised key could do.
+          </p>
+          <p>
+            A <span class="command"><strong>managed-keys</strong></span> statement contains a list of
+            the keys to be managed, along with information about how the
+            keys are to be initialized for the first time.  The only
+            initialization method currently supported is
+            <code class="literal">initial-key</code>.
+            This means the <span class="command"><strong>managed-keys</strong></span> statement must
+            contain a copy of the initializing key.  (Future releases may
+            allow keys to be initialized by other methods, eliminating this
+            requirement.)
+          </p>
+          <p>
+            Consequently, a <span class="command"><strong>managed-keys</strong></span> statement
+            appears similar to a <span class="command"><strong>trusted-keys</strong></span>, differing
+            in the presence of the second field, containing the keyword
+            <code class="literal">initial-key</code>.  The difference is, whereas the
+            keys listed in a <span class="command"><strong>trusted-keys</strong></span> continue to be
+            trusted until they are removed from
+            <code class="filename">named.conf</code>, an initializing key listed
+            in a <span class="command"><strong>managed-keys</strong></span> statement is only trusted
+            <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
+            managed key database and start the RFC 5011 key maintenance
+            process.
+          </p>
+          <p>
+            The first time <span class="command"><strong>named</strong></span> runs with a managed key
+            configured in <code class="filename">named.conf</code>, it fetches the
+            DNSKEY RRset directly from the zone apex, and validates it
+            using the key specified in the <span class="command"><strong>managed-keys</strong></span>
+            statement.  If the DNSKEY RRset is validly signed, then it is
+            used as the basis for a new managed keys database.
+          </p>
+          <p>
+            From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
+            sees the <span class="command"><strong>managed-keys</strong></span> statement, checks to
+            make sure RFC 5011 key maintenance has already been initialized
+            for the specified domain, and if so, it simply moves on.  The
+            key specified in the <span class="command"><strong>managed-keys</strong></span>
+            statement is not used to validate answers; it has been
+            superseded by the key or keys stored in the managed keys database.
+          </p>
+          <p>
+            The next time <span class="command"><strong>named</strong></span> runs after a name
+            has been <span class="emphasis"><em>removed</em></span> from the
+            <span class="command"><strong>managed-keys</strong></span> statement, the corresponding
+            zone will be removed from the managed keys database,
+            and RFC 5011 key maintenance will no longer be used for that
+            domain.
+          </p>
+          <p>
+            In the current implementation, the managed keys database
+            is stored as a master-format zone file.
+          </p>
+          <p>
+            On servers which do not use views, this file is named
+            <code class="filename">managed-keys.bind</code>.  When views are in
+            use, there will be a separate managed keys database for each
+            view; the filename will be the view name (or, if a view name
+            contains characters which would make it illegal as a filename,
+            a hash of the view name), followed by
+            the suffix <code class="filename">.mkeys</code>.
+          </p>
+          <p>
+            When the key database is changed, the zone is updated.
+            As with any other dynamic zone, changes will be written
+            into a journal file, e.g.,
+            <code class="filename">managed-keys.bind.jnl</code> or
+            <code class="filename">internal.mkeys.jnl</code>.
+            Changes are committed to the master file as soon as
+            possible afterward; this will usually occur within 30
+            seconds.  So, whenever <span class="command"><strong>named</strong></span> is using
+            automatic key maintenance, the zone file and journal file
+            can be expected to exist in the working directory.
+            (For this reason among others, the working directory
+            should be always be writable by <span class="command"><strong>named</strong></span>.)
+          </p>
+          <p>
+            If the <span class="command"><strong>dnssec-validation</strong></span> option is
+            set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span>
+            will automatically initialize a managed key for the
+            root zone.  The key that is used to initialize the key
+            maintenance process is stored in <code class="filename">bind.keys</code>;
+            the location of this file can be overridden with the
+            <span class="command"><strong>bindkeys-file</strong></span> option. As a fallback
+            in the event no <code class="filename">bind.keys</code> can be
+            found, the initializing key is also compiled directly
+            into <span class="command"><strong>named</strong></span>.
+          </p>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="view_statement_grammar"></a><span class="command"><strong>view</strong></span> Statement Grammar</h3></div></div></div>
+
+<pre class="programlisting"><span class="command"><strong>view</strong></span> <em class="replaceable"><code>view_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
+    <span class="command"><strong>match-clients {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ;
+    <span class="command"><strong>match-destinations {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ;
+    <span class="command"><strong>match-recursive-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ;
+  [ <em class="replaceable"><code>view_option</code></em> ; ... ]
+  [ <em class="replaceable"><code>zone_statement</code></em> ; ... ]
+<span class="command"><strong>} </strong></span>;
+</pre>
+
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="view_statement"></a><span class="command"><strong>view</strong></span> Statement Definition and Usage</h3></div></div></div>
+
+          <p>
+            The <span class="command"><strong>view</strong></span> statement is a powerful
+            feature
+            of <acronym class="acronym">BIND</acronym> 9 that lets a name server
+            answer a DNS query differently
+            depending on who is asking. It is particularly useful for
+            implementing
+            split DNS setups without having to run multiple servers.
+          </p>
+
+          <p>
+            Each <span class="command"><strong>view</strong></span> statement defines a view
+            of the
+            DNS namespace that will be seen by a subset of clients.  A client
+            matches
+            a view if its source IP address matches the
+            <code class="varname">address_match_list</code> of the view's
+            <span class="command"><strong>match-clients</strong></span> clause and its
+            destination IP address matches
+            the <code class="varname">address_match_list</code> of the
+            view's
+            <span class="command"><strong>match-destinations</strong></span> clause.  If not
+            specified, both
+            <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span>
+            default to matching all addresses.  In addition to checking IP
+            addresses
+            <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span>
+            can also take <span class="command"><strong>keys</strong></span> which provide an
+            mechanism for the
+            client to select the view.  A view can also be specified
+            as <span class="command"><strong>match-recursive-only</strong></span>, which
+            means that only recursive
+            requests from matching clients will match that view.
+            The order of the <span class="command"><strong>view</strong></span> statements is
+            significant &#8212;
+            a client request will be resolved in the context of the first
+            <span class="command"><strong>view</strong></span> that it matches.
+          </p>
+
+          <p>
+            Zones defined within a <span class="command"><strong>view</strong></span>
+            statement will
+            only be accessible to clients that match the <span class="command"><strong>view</strong></span>.
+            By defining a zone of the same name in multiple views, different
+            zone data can be given to different clients, for example,
+            "internal"
+            and "external" clients in a split DNS setup.
+          </p>
+
+          <p>
+            Many of the options given in the <span class="command"><strong>options</strong></span> statement
+            can also be used within a <span class="command"><strong>view</strong></span>
+            statement, and then
+            apply only when resolving queries with that view.  When no
+            view-specific
+            value is given, the value in the <span class="command"><strong>options</strong></span> statement
+            is used as a default.  Also, zone options can have default values
+            specified
+            in the <span class="command"><strong>view</strong></span> statement; these
+            view-specific defaults
+            take precedence over those in the <span class="command"><strong>options</strong></span> statement.
+          </p>
+
+          <p>
+            Views are class specific.  If no class is given, class IN
+            is assumed.  Note that all non-IN views must contain a hint zone,
+            since only the IN class has compiled-in default hints.
+          </p>
+
+          <p>
+            If there are no <span class="command"><strong>view</strong></span> statements in
+            the config
+            file, a default view that matches any client is automatically
+            created
+            in class IN. Any <span class="command"><strong>zone</strong></span> statements
+            specified on
+            the top level of the configuration file are considered to be part
+            of
+            this default view, and the <span class="command"><strong>options</strong></span>
+            statement will
+            apply to the default view. If any explicit <span class="command"><strong>view</strong></span>
+            statements are present, all <span class="command"><strong>zone</strong></span>
+            statements must
+            occur inside <span class="command"><strong>view</strong></span> statements.
+          </p>
+
+          <p>
+            Here is an example of a typical split DNS setup implemented
+            using <span class="command"><strong>view</strong></span> statements:
+          </p>
+
+<pre class="programlisting">view "internal" {
+      // This should match our internal networks.
+      match-clients { 10.0.0.0/8; };
+
+      // Provide recursive service to internal
+      // clients only.
+      recursion yes;
+
+      // Provide a complete view of the example.com
+      // zone including addresses of internal hosts.
+      zone "example.com" {
+            type master;
+            file "example-internal.db";
+      };
+};
+
+view "external" {
+      // Match all clients not matched by the
+      // previous view.
+      match-clients { any; };
+
+      // Refuse recursive service to external clients.
+      recursion no;
+
+      // Provide a restricted view of the example.com
+      // zone containing only publicly accessible hosts.
+      zone "example.com" {
+           type master;
+           file "example-external.db";
+      };
+};
+</pre>
+
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="zone_statement_grammar"></a><span class="command"><strong>zone</strong></span>
+            Statement Grammar</h3></div></div></div>
+
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+       <span class="command"><strong>type</strong></span> ( master | primary );
+       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-transfer</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-update</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>also-notify</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+       <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>auto-dnssec</strong></span> ( allow | maintain | off );
+       <span class="command"><strong>check-dup-records</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>check-mx</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>check-mx-cname</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>check-sibling</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>check-spf</strong></span> ( warn | ignore );
+       <span class="command"><strong>check-srv-cname</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
+       <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>forward</strong></span> ( first | only );
+       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+       <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>journal</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+       <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+       <span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
+       <span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>serial-update-method</strong></span> ( date | increment | unixtime );
+       <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>update-policy</strong></span> ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self | external | krb5-self | krb5-subdomain | ms-self | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };
+       <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+       <span class="command"><strong>type</strong></span> ( slave | secondary );
+       <span class="command"><strong>allow-notify</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-transfer</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-update-forwarding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>also-notify</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+       <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>auto-dnssec</strong></span> ( allow | maintain | off );
+       <span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
+       <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>forward</strong></span> ( first | only );
+       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+       <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>journal</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+       <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+       <span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+       <span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+       <span class="command"><strong>type</strong></span> hint;
+       <span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+       <span class="command"><strong>type</strong></span> stub;
+       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
+       <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
+       <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>forward</strong></span> ( first | only );
+       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+       <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+       <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+       <span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+       <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+       <span class="command"><strong>type</strong></span> static-stub;
+       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>forward</strong></span> ( first | only );
+       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>server-addresses</strong></span> { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ]; ... };
+       <span class="command"><strong>server-names</strong></span> { <em class="replaceable"><code>quoted_string</code></em>; ... };
+       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+       <span class="command"><strong>type</strong></span> forward;
+       <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>forward</strong></span> ( first | only );
+       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+       <span class="command"><strong>type</strong></span> redirect;
+       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+       <span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
+       <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+       <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+       <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+       <span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+       <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
+       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+       <span class="command"><strong>type</strong></span> delegation-only;
+};
+</pre>
+<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+       <span class="command"><strong>in-view</strong></span> <em class="replaceable"><code>string</code></em>;
+};
+</pre>
+
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="zone_statement"></a><span class="command"><strong>zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="zone_types"></a>Zone Types</h4></div></div></div>
+            <p>
+              The <span class="command"><strong>type</strong></span> keyword is required
+              for the <span class="command"><strong>zone</strong></span> configuration unless
+              it is an <span class="command"><strong>in-view</strong></span> configuration. Its
+              acceptable values include:
+              <code class="varname">master</code> (or <code class="varname">primary</code>),
+              <code class="varname">slave</code> (or <code class="varname">secondary</code>),
+              <code class="varname">delegation-only</code>,
+              <code class="varname">forward</code>,
+              <code class="varname">hint</code>,
+              <code class="varname">redirect</code>,
+              <code class="varname">static-stub</code>,
+              and <code class="varname">stub</code>.
+            </p>
+
+            <div class="informaltable">
+              <table border="1">
+<colgroup>
+<col class="1">
+<col width="4.017in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">master</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The server has a master copy of the data
+                        for the zone and will be able to provide authoritative
+                        answers for it. Type <code class="varname">primary</code> is
+                        a synonym for <code class="varname">master</code>.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">slave</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A slave zone is a replica of a master
+                        zone. Type <code class="varname">secondary</code> is a
+                        synonym for <code class="varname">slave</code>.
+                        The <span class="command"><strong>masters</strong></span> list
+                        specifies one or more IP addresses
+                        of master servers that the slave contacts to update
+                        its copy of the zone.
+                        Masters list elements can also be names of other
+                        masters lists.
+                        By default, transfers are made from port 53 on the
+                        servers; this can
+                        be changed for all servers by specifying a port number
+                        before the
+                        list of IP addresses, or on a per-server basis after
+                        the IP address.
+                        Authentication to the master can also be done with
+                        per-server TSIG keys.
+                        If a file is specified, then the
+                        replica will be written to this file whenever the zone
+                        is changed,
+                        and reloaded from this file on a server restart. Use
+                        of a file is
+                        recommended, since it often speeds server startup and
+                        eliminates
+                        a needless waste of bandwidth. Note that for large
+                        numbers (in the
+                        tens or hundreds of thousands) of zones per server, it
+                        is best to
+                        use a two-level naming scheme for zone filenames. For
+                        example,
+                        a slave server for the zone <code class="literal">example.com</code> might place
+                        the zone contents into a file called
+                        <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
+                        just the first two letters of the zone name. (Most
+                        operating systems
+                        behave very slowly if you put 100000 files into
+                        a single directory.)
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">stub</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A stub zone is similar to a slave zone,
+                        except that it replicates only the NS records of a
+                        master zone instead
+                        of the entire zone. Stub zones are not a standard part
+                        of the DNS;
+                        they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
+                      </p>
+
+                      <p>
+                        Stub zones can be used to eliminate the need for glue
+                        NS record
+                        in a parent zone at the expense of maintaining a stub
+                        zone entry and
+                        a set of name server addresses in <code class="filename">named.conf</code>.
+                        This usage is not recommended for new configurations,
+                        and BIND 9
+                        supports it only in a limited way.
+                        In <acronym class="acronym">BIND</acronym> 4/8, zone
+                        transfers of a parent zone
+                        included the NS records from stub children of that
+                        zone. This meant
+                        that, in some cases, users could get away with
+                        configuring child stubs
+                        only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
+                        9 never mixes together zone data from different zones
+                        in this
+                        way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
+                        zone has child stub zones configured, all the slave
+                        servers for the
+                        parent zone also need to have the same child stub
+                        zones
+                        configured.
+                      </p>
+
+                      <p>
+                        Stub zones can also be used as a way of forcing the
+                        resolution
+                        of a given domain to use a particular set of
+                        authoritative servers.
+                        For example, the caching name servers on a private
+                        network using
+                        RFC1918 addressing may be configured with stub zones
+                        for
+                        <code class="literal">10.in-addr.arpa</code>
+                        to use a set of internal name servers as the
+                        authoritative
+                        servers for that domain.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">static-stub</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A static-stub zone is similar to a stub zone
+                        with the following exceptions:
+                        the zone data is statically configured, rather
+                        than transferred from a master server;
+                        when recursion is necessary for a query that
+                        matches a static-stub zone, the locally
+                        configured data (nameserver names and glue addresses)
+                        is always used even if different authoritative
+                        information is cached.
+                      </p>
+                      <p>
+                        Zone data is configured via the
+                        <span class="command"><strong>server-addresses</strong></span> and
+                        <span class="command"><strong>server-names</strong></span> zone options.
+                      </p>
+                      <p>
+                        The zone data is maintained in the form of NS
+                        and (if necessary) glue A or AAAA RRs
+                        internally, which can be seen by dumping zone
+                        databases by <span class="command"><strong>rndc dumpdb -all</strong></span>.
+                        The configured RRs are considered local configuration
+                        parameters rather than public data.
+                        Non recursive queries (i.e., those with the RD
+                        bit off) to a static-stub zone are therefore
+                        prohibited and will be responded with REFUSED.
+                      </p>
+                      <p>
+                        Since the data is statically configured, no
+                        zone maintenance action takes place for a static-stub
+                        zone.
+                        For example, there is no periodic refresh
+                        attempt, and an incoming notify message
+                        will be rejected with an rcode of NOTAUTH.
+                      </p>
+                      <p>
+                        Each static-stub zone is configured with
+                        internally generated NS and (if necessary)
+                        glue A or AAAA RRs
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">forward</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A "forward zone" is a way to configure
+                        forwarding on a per-domain basis.  A <span class="command"><strong>zone</strong></span> statement
+                        of type <span class="command"><strong>forward</strong></span> can
+                        contain a <span class="command"><strong>forward</strong></span>
+                        and/or <span class="command"><strong>forwarders</strong></span>
+                        statement,
+                        which will apply to queries within the domain given by
+                        the zone
+                        name. If no <span class="command"><strong>forwarders</strong></span>
+                        statement is present or
+                        an empty list for <span class="command"><strong>forwarders</strong></span> is given, then no
+                        forwarding will be done for the domain, canceling the
+                        effects of
+                        any forwarders in the <span class="command"><strong>options</strong></span> statement. Thus
+                        if you want to use this type of zone to change the
+                        behavior of the
+                        global <span class="command"><strong>forward</strong></span> option
+                        (that is, "forward first"
+                        to, then "forward only", or vice versa, but want to
+                        use the same
+                        servers as set globally) you need to re-specify the
+                        global forwarders.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">hint</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The initial set of root name servers is
+                        specified using a "hint zone". When the server starts
+                        up, it uses
+                        the root hints to find a root name server and get the
+                        most recent
+                        list of root name servers. If no hint zone is
+                        specified for class
+                        IN, the server uses a compiled-in default set of root
+                        servers hints.
+                        Classes other than IN have no built-in defaults hints.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">redirect</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Redirect zones are used to provide answers to
+                        queries when normal resolution would result in
+                        NXDOMAIN being returned.
+                        Only one redirect zone is supported
+                        per view.  <span class="command"><strong>allow-query</strong></span> can be
+                        used to restrict which clients see these answers.
+                      </p>
+                      <p>
+                        If the client has requested DNSSEC records (DO=1) and
+                        the NXDOMAIN response is signed then no substitution
+                        will occur.
+                      </p>
+                      <p>
+                        To redirect all NXDOMAIN responses to
+                        100.100.100.2 and
+                        2001:ffff:ffff::100.100.100.2, one would
+                        configure a type redirect zone named ".",
+                        with the zone file containing wildcard records
+                        that point to the desired addresses:
+                        <code class="literal">"*. IN A 100.100.100.2"</code>
+                        and
+                        <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>.
+                      </p>
+                      <p>
+                        To redirect all Spanish names (under .ES) one
+                        would use similar entries but with the names
+                        "*.ES." instead of "*.".  To redirect all
+                        commercial Spanish names (under COM.ES) one
+                        would use wildcard entries called "*.COM.ES.".
+                      </p>
+                      <p>
+                        Note that the redirect zone supports all
+                        possible types; it is not limited to A and
+                        AAAA records.
+                      </p>
+                      <p>
+                        If a redirect zone is configured with a
+                        <code class="option">masters</code> option, then it is
+                        transfered in as if it were a slave zone.
+                        Otherwise, it is loaded from a file as if it
+                        were a master zone.
+                      </p>
+                      <p>
+                        Because redirect zones are not referenced
+                        directly by name, they are not kept in the
+                        zone lookup table with normal master and slave
+                        zones. To reload a redirect zone, use
+                        <span class="command"><strong>rndc reload -redirect</strong></span>,
+                        and to retransfer a redirect zone configured
+                        as slave, use
+                        <span class="command"><strong>rndc retransfer -redirect</strong></span>.
+                        When using <span class="command"><strong>rndc reload</strong></span>
+                        without specifying a zone name, redirect zones
+                        will be reloaded along with other zones.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">delegation-only</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This is used to enforce the delegation-only
+                        status of infrastructure zones (e.g. COM,
+                        NET, ORG).  Any answer that is received
+                        without an explicit or implicit delegation
+                        in the authority section will be treated
+                        as NXDOMAIN.  This does not apply to the
+                        zone apex.  This should not be applied to
+                        leaf zones.
+                      </p>
+                      <p>
+                        <code class="varname">delegation-only</code> has no
+                        effect on answers received from forwarders.
+                      </p>
+                      <p>
+                        See caveats in <a class="xref" href="Bv9ARM.ch05.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+          </div>
+
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="class"></a>Class</h4></div></div></div>
+
+            <p>
+              The zone's name may optionally be followed by a class. If
+              a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
+              is assumed. This is correct for the vast majority of cases.
+            </p>
+            <p>
+              The <code class="literal">hesiod</code> class is
+              named for an information service from MIT's Project Athena. It
+              is
+              used to share information about various systems databases, such
+              as users, groups, printers and so on. The keyword
+              <code class="literal">HS</code> is
+              a synonym for hesiod.
+            </p>
+            <p>
+              Another MIT development is Chaosnet, a LAN protocol created
+              in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
+            </p>
+          </div>
+
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="zone_options"></a>Zone Options</h4></div></div></div>
+
+            <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>allow-notify</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>allow-query</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>allow-query-on</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of <span class="command"><strong>allow-transfer</strong></span>
+                    in <a class="xref" href="Bv9ARM.ch05.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of <span class="command"><strong>allow-update</strong></span>
+                    in <a class="xref" href="Bv9ARM.ch05.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>update-policy</strong></span></span></dt>
+<dd>
+                  <p>
+                    Specifies a "Simple Secure Update" policy. See
+                    <a class="xref" href="Bv9ARM.ch05.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of <span class="command"><strong>allow-update-forwarding</strong></span>
+                    in <a class="xref" href="Bv9ARM.ch05.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt>
+<dd>
+                  <p>
+                    Only meaningful if <span class="command"><strong>notify</strong></span>
+                    is
+                    active for this zone. The set of machines that will
+                    receive a
+                    <code class="literal">DNS NOTIFY</code> message
+                    for this zone is made up of all the listed name servers
+                    (other than
+                    the primary master) for the zone plus any IP addresses
+                    specified
+                    with <span class="command"><strong>also-notify</strong></span>. A port
+                    may be specified
+                    with each <span class="command"><strong>also-notify</strong></span>
+                    address to send the notify
+                    messages to a port other than the default of 53.
+                    A TSIG key may also be specified to cause the
+                    <code class="literal">NOTIFY</code> to be signed by the
+                    given key.
+                    <span class="command"><strong>also-notify</strong></span> is not
+                    meaningful for stub zones.
+                    The default is the empty list.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
+<dd>
+                  <p>
+                    This option is used to restrict the character set and
+                    syntax of
+                    certain domain names in master files and/or DNS responses
+                    received from the
+                    network.  The default varies according to zone type.  For <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>.  For <span class="command"><strong>slave</strong></span>
+                    zones the default is <span class="command"><strong>warn</strong></span>.
+                    It is not implemented for <span class="command"><strong>hint</strong></span> zones.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>check-mx</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>check-spf</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>check-wildcard</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>check-integrity</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>check-sibling</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>zero-no-soa-ttl</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>update-check-ksk</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>dnssec-loadkeys-interval</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
+          Usage&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>dnssec-update-mode</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
+          Usage&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>try-tcp-refresh</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>database</strong></span></span></dt>
+<dd>
+                  <p>
+                    Specify the type of database to be used for storing the
+                    zone data.  The string following the <span class="command"><strong>database</strong></span> keyword
+                    is interpreted as a list of whitespace-delimited words.
+                    The first word
+                    identifies the database type, and any subsequent words are
+                    passed
+                    as arguments to the database to be interpreted in a way
+                    specific
+                    to the database type.
+                  </p>
+                  <p>
+                    The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
+                    native in-memory
+                    red-black-tree database.  This database does not take
+                    arguments.
+                  </p>
+                  <p>
+                    Other values are possible if additional database drivers
+                    have been linked into the server.  Some sample drivers are
+                    included
+                    with the distribution but none are linked in by default.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>dialup</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>delegation-only</strong></span></span></dt>
+<dd>
+                  <p>
+                    The flag only applies to forward, hint and stub
+                    zones.  If set to <strong class="userinput"><code>yes</code></strong>,
+                    then the zone will also be treated as if it is
+                    also a delegation-only type zone.
+                  </p>
+                  <p>
+                    See caveats in <a class="xref" href="Bv9ARM.ch05.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>file</strong></span></span></dt>
+<dd>
+                  <p>
+                    Set the zone's filename. In <span class="command"><strong>master</strong></span>,
+                    <span class="command"><strong>hint</strong></span>, and <span class="command"><strong>redirect</strong></span>
+                    zones which do not have <span class="command"><strong>masters</strong></span>
+                    defined, zone data is loaded from this file. In
+                    <span class="command"><strong>slave</strong></span>, <span class="command"><strong>stub</strong></span>, and
+                    <span class="command"><strong>redirect</strong></span> zones which do have
+                    <span class="command"><strong>masters</strong></span> defined, zone data is
+                    retrieved from another server and saved in this file.
+                    This option is not applicable to other zone types.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
+<dd>
+                  <p>
+                    Only meaningful if the zone has a forwarders
+                    list. The <span class="command"><strong>only</strong></span> value causes
+                    the lookup to fail
+                    after trying the forwarders and getting no answer, while <span class="command"><strong>first</strong></span> would
+                    allow a normal lookup to be tried.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
+<dd>
+                  <p>
+                    Used to override the list of global forwarders.
+                    If it is not specified in a zone of type <span class="command"><strong>forward</strong></span>,
+                    no forwarding is done for the zone and the global options are
+                    not used.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>ixfr-base</strong></span></span></dt>
+<dd>
+                  <p>
+                    Was used in <acronym class="acronym">BIND</acronym> 8 to
+                    specify the name
+                    of the transaction log (journal) file for dynamic update
+                    and IXFR.
+                    <acronym class="acronym">BIND</acronym> 9 ignores the option
+                    and constructs the name of the journal
+                    file by appending "<code class="filename">.jnl</code>"
+                    to the name of the
+                    zone file.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>ixfr-tmp-file</strong></span></span></dt>
+<dd>
+                  <p>
+                    Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
+                    Ignored in <acronym class="acronym">BIND</acronym> 9.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>journal</strong></span></span></dt>
+<dd>
+                  <p>
+                    Allow the default journal's filename to be overridden.
+                    The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
+                    This is applicable to <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span> zones.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>max-journal-size</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>max-records</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>max-records</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>max-transfer-time-in</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>max-transfer-idle-in</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>max-transfer-time-out</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>max-transfer-idle-out</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>notify</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>notify-delay</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>notify-to-soa</strong></span> in
+                    <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>pubkey</strong></span></span></dt>
+<dd>
+                  <p>
+                    In <acronym class="acronym">BIND</acronym> 8, this option was
+                    intended for specifying
+                    a public zone key for verification of signatures in DNSSEC
+                    signed
+                    zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
+                    on load and ignores the option.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>zone-statistics</strong></span> in
+                    <a class="xref" href="Bv9ARM.ch05.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
+          Usage&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>server-addresses</strong></span></span></dt>
+<dd>
+                  <p>
+                    Only meaningful for static-stub zones.
+                    This is a list of IP addresses to which queries
+                    should be sent in recursive resolution for the
+                    zone.
+                    A non empty list for this option will internally
+                    configure the apex NS RR with associated glue A or
+                    AAAA RRs.
+                  </p>
+                  <p>
+                    For example, if "example.com" is configured as a
+                    static-stub zone with 192.0.2.1 and 2001:db8::1234
+                    in a <span class="command"><strong>server-addresses</strong></span> option,
+                    the following RRs will be internally configured.
+                  </p>
+<pre class="programlisting">example.com. NS example.com.
+example.com. A 192.0.2.1
+example.com. AAAA 2001:db8::1234</pre>
+                  <p>
+                    These records are internally used to resolve
+                    names under the static-stub zone.
+                    For instance, if the server receives a query for
+                    "www.example.com" with the RD bit on, the server
+                    will initiate recursive resolution and send
+                    queries to 192.0.2.1 and/or 2001:db8::1234.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>server-names</strong></span></span></dt>
+<dd>
+                  <p>
+                    Only meaningful for static-stub zones.
+                    This is a list of domain names of nameservers that
+                    act as authoritative servers of the static-stub
+                    zone.
+                    These names will be resolved to IP addresses when
+                    <span class="command"><strong>named</strong></span> needs to send queries to
+                    these servers.
+                    To make this supplemental resolution successful,
+                    these names must not be a subdomain of the origin
+                    name of static-stub zone.
+                    That is, when "example.net" is the origin of a
+                    static-stub zone, "ns.example" and
+                    "master.example.com" can be specified in the
+                    <span class="command"><strong>server-names</strong></span> option, but
+                    "ns.example.net" cannot, and will be rejected by
+                    the configuration parser.
+                  </p>
+                  <p>
+                    A non empty list for this option will internally
+                    configure the apex NS RR with the specified names.
+                    For example, if "example.com" is configured as a
+                    static-stub zone with "ns1.example.net" and
+                    "ns2.example.net"
+                    in a <span class="command"><strong>server-names</strong></span> option,
+                    the following RRs will be internally configured.
+                  </p>
+<pre class="programlisting">example.com. NS ns1.example.net.
+example.com. NS ns2.example.net.
+</pre>
+                  <p>
+                    These records are internally used to resolve
+                    names under the static-stub zone.
+                    For instance, if the server receives a query for
+                    "www.example.com" with the RD bit on, the server
+                    initiate recursive resolution,
+                    resolve "ns1.example.net" and/or
+                    "ns2.example.net" to IP addresses, and then send
+                    queries to (one or more of) these addresses.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>sig-validity-interval</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>sig-signing-nodes</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>sig-signing-signatures</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>sig-signing-type</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>alt-transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>use-alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>notify-source</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>notify-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p>
+                </dd>
+<dt>
+<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span>
+</dt>
+<dd>
+                  <p>
+                    See the description in <a class="xref" href="Bv9ARM.ch05.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>ixfr-from-differences</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                    (Note that the <span class="command"><strong>ixfr-from-differences</strong></span>
+                    <strong class="userinput"><code>master</code></strong> and
+                    <strong class="userinput"><code>slave</code></strong> choices are not
+                    available at the zone level.)
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>key-directory</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
+          Usage&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>auto-dnssec</strong></span> in
+                    <a class="xref" href="Bv9ARM.ch05.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
+          Usage&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>serial-update-method</strong></span> in
+                    <a class="xref" href="Bv9ARM.ch05.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
+          Usage&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>inline-signing</strong></span></span></dt>
+<dd>
+                  <p>
+                    If <code class="literal">yes</code>, this enables
+                    "bump in the wire" signing of a zone, where a
+                    unsigned zone is transferred in or loaded from
+                    disk and a signed version of the zone is served,
+                    with possibly, a different serial number.  This
+                    behavior is disabled by default.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of <span class="command"><strong>multi-master</strong></span> in
+                    <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of <span class="command"><strong>masterfile-format</strong></span>
+                    in <a class="xref" href="Bv9ARM.ch05.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of <span class="command"><strong>max-zone-ttl</strong></span>
+                    in <a class="xref" href="Bv9ARM.ch05.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
+          Usage&#8221;</a>.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>dnssec-secure-to-insecure</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p>
+                </dd>
+</dl></div>
+
+          </div>
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
+
+            <p><acronym class="acronym">BIND</acronym> 9 supports two alternative
+              methods of granting clients the right to perform
+              dynamic updates to a zone, configured by the
+              <span class="command"><strong>allow-update</strong></span> and
+              <span class="command"><strong>update-policy</strong></span> option, respectively.
+            </p>
+            <p>
+              The <span class="command"><strong>allow-update</strong></span> clause works the
+              same way as in previous versions of <acronym class="acronym">BIND</acronym>.
+              It grants given clients the permission to update any
+              record of any name in the zone.
+            </p>
+            <p>
+              The <span class="command"><strong>update-policy</strong></span> clause
+              allows more fine-grained control over what updates are
+              allowed.  A set of rules is specified, where each rule
+              either grants or denies permissions for one or more
+              names to be updated by one or more identities.  If
+              the dynamic update request message is signed (that is,
+              it includes either a TSIG or SIG(0) record), the
+              identity of the signer can be determined.
+            </p>
+            <p>
+              Rules are specified in the <span class="command"><strong>update-policy</strong></span>
+              zone option, and are only meaningful for master zones.
+              When the <span class="command"><strong>update-policy</strong></span> statement
+              is present, it is a configuration error for the
+              <span class="command"><strong>allow-update</strong></span> statement to be
+              present.  The <span class="command"><strong>update-policy</strong></span> statement
+              (except when set to <code class="literal">local</code>) only
+              examines the signer of a message; the source
+              address is not relevant.
+            </p>
+            <p>
+              A pre-defined <span class="command"><strong>update-policy</strong></span> rule can be
+              switched on with the command
+              <span class="command"><strong>update-policy local;</strong></span>.
+              Switching on this rule in a zone causes
+              <span class="command"><strong>named</strong></span> to generate a TSIG session key and
+              place it in a file. That key will then be allowed to update
+              the zone, if the update request is sent from localhost.
+              By default, the session key is stored in the file
+              <code class="filename">/var/run/named/session.key</code>; the key name
+              is "local-ddns" and the key algorithm is HMAC-SHA256.
+              These values are configurable with the
+              <span class="command"><strong>session-keyfile</strong></span>,
+              <span class="command"><strong>session-keyname</strong></span> and
+              <span class="command"><strong>session-keyalg</strong></span> options, respectively).
+            </p>
+            <p>
+              A client on the local system, if it is run with appropriate
+              permissions, may read the session key from the key file and
+              use the key to sign update requests.  The zone's update
+              policy will be set to allow that key to change any record
+              within the zone.  Assuming the key name is "local-ddns",
+              this policy is:
+            </p>
+
+            <pre class="programlisting">update-policy { grant local-ddns zonesub any; };
+            </pre>
+
+            <p>
+              ...with an additional restriction that only clients
+              connecting from the local system will be permitted to send
+              updates.
+            </p>
+            <p>
+              Note that only one session key is generated; all zones
+              configured to use <span class="command"><strong>update-policy local</strong></span>
+              will accept the same key.
+            </p>
+            <p>
+              The command <span class="command"><strong>nsupdate -l</strong></span> implements this
+              feature, sending requests to localhost and signing them using
+              the key retrieved from the session key file.
+            </p>
+
+            <p>
+              Other rule definitions look like this:
+            </p>
+
+<pre class="programlisting">
+( <span class="command"><strong>grant</strong></span> | <span class="command"><strong>deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
+</pre>
+
+            <p>
+              Each rule grants or denies privileges.  Once a message has
+              successfully matched a rule, the operation is immediately
+              granted or denied and no further rules are examined.  A rule
+              is matched when the signer matches the identity field, the
+              name matches the name field in accordance with the nametype
+              field, and the type matches the types specified in the type
+              field.
+            </p>
+            <p>
+              No signer is required for <em class="replaceable"><code>tcp-self</code></em>
+              or <em class="replaceable"><code>6to4-self</code></em> however the standard
+              reverse mapping / prefix conversion must match the identity
+              field.
+            </p>
+            <p>
+              The identity field specifies a name or a wildcard
+              name.  Normally, this is the name of the TSIG or
+              SIG(0) key used to sign the update request.  When a
+              TKEY exchange has been used to create a shared secret,
+              the identity of the shared secret is the same as the
+              identity of the key used to authenticate the TKEY
+              exchange.  TKEY is also the negotiation method used
+              by GSS-TSIG, which establishes an identity that is
+              the Kerberos principal of the client, such as
+              <strong class="userinput"><code>"user@host.domain"</code></strong>.  When the
+              <em class="replaceable"><code>identity</code></em> field specifies
+              a wildcard name, it is subject to DNS wildcard
+              expansion, so the rule will apply to multiple identities.
+              The <em class="replaceable"><code>identity</code></em> field must
+              contain a fully-qualified domain name.
+            </p>
+            <p>
+              For nametypes <code class="varname">krb5-self</code>,
+              <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
+              and <code class="varname">ms-subdomain</code> the
+              <em class="replaceable"><code>identity</code></em> field specifies
+              the Windows or Kerberos realm of the machine belongs to.
+            </p>
+            <p>
+              The <em class="replaceable"><code>nametype</code></em> field has 13
+              values:
+              <code class="varname">name</code>, <code class="varname">subdomain</code>,
+              <code class="varname">wildcard</code>, <code class="varname">self</code>,
+              <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
+              <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
+              <code class="varname">krb5-subdomain</code>,
+              <code class="varname">ms-subdomain</code>,
+              <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
+              <code class="varname">zonesub</code>, and <code class="varname">external</code>.
+            </p>
+            <div class="informaltable">
+              <table border="1">
+<colgroup>
+<col width="0.819in" class="1">
+<col width="3.681in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">name</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Exact-match semantics.  This rule matches
+                        when the name being updated is identical
+                        to the contents of the
+                        <em class="replaceable"><code>name</code></em> field.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">subdomain</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule matches when the name being updated
+                        is a subdomain of, or identical to, the
+                        contents of the <em class="replaceable"><code>name</code></em>
+                        field.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">zonesub</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule is similar to subdomain, except that
+                        it matches when the name being updated is a
+                        subdomain of the zone in which the
+                        <span class="command"><strong>update-policy</strong></span> statement
+                        appears.  This obviates the need to type the zone
+                        name twice, and enables the use of a standard
+                        <span class="command"><strong>update-policy</strong></span> statement in
+                        multiple zones without modification.
+                      </p>
+                      <p>
+                        When this rule is used, the
+                        <em class="replaceable"><code>name</code></em> field is omitted.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">wildcard</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The <em class="replaceable"><code>name</code></em> field
+                        is subject to DNS wildcard expansion, and
+                        this rule matches when the name being updated
+                        is a valid expansion of the wildcard.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">self</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule matches when the name being updated
+                        matches the contents of the
+                        <em class="replaceable"><code>identity</code></em> field.
+                        The <em class="replaceable"><code>name</code></em> field
+                        is ignored, but should be the same as the
+                        <em class="replaceable"><code>identity</code></em> field.
+                        The <code class="varname">self</code> nametype is
+                        most useful when allowing using one key per
+                        name to update, where the key has the same
+                        name as the name to be updated.  The
+                        <em class="replaceable"><code>identity</code></em> would
+                        be specified as <code class="constant">*</code> (an asterisk) in
+                        this case.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">selfsub</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule is similar to <code class="varname">self</code>
+                        except that subdomains of <code class="varname">self</code>
+                        can also be updated.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">selfwild</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule is similar to <code class="varname">self</code>
+                        except that only subdomains of
+                        <code class="varname">self</code> can be updated.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">ms-self</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule takes a Windows machine principal
+                        (machine$@REALM) for machine in REALM and
+                        and converts it machine.realm allowing the machine
+                        to update machine.realm.  The REALM to be matched
+                        is specified in the <em class="replaceable"><code>identity</code></em>
+                        field.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">ms-subdomain</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule takes a Windows machine principal
+                        (machine$@REALM) for machine in REALM and
+                        converts it to machine.realm allowing the machine
+                        to update subdomains of machine.realm.  The REALM
+                        to be matched is specified in the
+                        <em class="replaceable"><code>identity</code></em> field.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">krb5-self</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule takes a Kerberos machine principal
+                        (host/machine@REALM) for machine in REALM and
+                        and converts it machine.realm allowing the machine
+                        to update machine.realm.  The REALM to be matched
+                        is specified in the <em class="replaceable"><code>identity</code></em>
+                        field.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">krb5-subdomain</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule takes a Kerberos machine principal
+                        (host/machine@REALM) for machine in REALM and
+                        converts it to machine.realm allowing the machine
+                        to update subdomains of machine.realm.  The REALM
+                        to be matched is specified in the
+                        <em class="replaceable"><code>identity</code></em> field.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">tcp-self</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Allow updates that have been sent via TCP and
+                        for which the standard mapping from the initiating
+                        IP address into the IN-ADDR.ARPA and IP6.ARPA
+                        namespaces match the name to be updated.
+                      </p>
+                      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                        It is theoretically possible to spoof these TCP
+                        sessions.
+                      </div>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">6to4-self</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Allow the 6to4 prefix to be update by any TCP
+                        connection from the 6to4 network or from the
+                        corresponding IPv4 address.  This is intended
+                        to allow NS or DNAME RRsets to be added to the
+                        reverse tree.
+                      </p>
+                      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                        It is theoretically possible to spoof these TCP
+                        sessions.
+                      </div>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">external</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule allows <span class="command"><strong>named</strong></span>
+                        to defer the decision of whether to allow a
+                        given update to an external daemon.
+                      </p>
+                      <p>
+                        The method of communicating with the daemon is
+                        specified in the <em class="replaceable"><code>identity</code></em>
+                        field, the format of which is
+                        "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
+                        where <em class="replaceable"><code>path</code></em> is the location
+                        of a UNIX-domain socket.  (Currently, "local" is the
+                        only supported mechanism.)
+                      </p>
+                      <p>
+                        Requests to the external daemon are sent over the
+                        UNIX-domain socket as datagrams with the following
+                        format:
+                      </p>
+                      <pre class="programlisting">
+   Protocol version number (4 bytes, network byte order, currently 1)
+   Request length (4 bytes, network byte order)
+   Signer (null-terminated string)
+   Name (null-terminated string)
+   TCP source address (null-terminated string)
+   Rdata type (null-terminated string)
+   Key (null-terminated string)
+   TKEY token length (4 bytes, network byte order)
+   TKEY token (remainder of packet)</pre>
+                      <p>
+                        The daemon replies with a four-byte value in
+                        network byte order, containing either 0 or 1; 0
+                        indicates that the specified update is not
+                        permitted, and 1 indicates that it is.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+
+            <p>
+              In all cases, the <em class="replaceable"><code>name</code></em>
+              field must specify a fully-qualified domain name.
+            </p>
+
+            <p>
+              If no types are explicitly specified, this rule matches
+              all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
+              may be specified by name, including "ANY" (ANY matches
+              all types except NSEC and NSEC3, which can never be
+              updated).  Note that when an attempt is made to delete
+              all records associated with a name, the rules are
+              checked for each existing record type.
+            </p>
+          </div>
+
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="multiple_views"></a>Multiple views</h4></div></div></div>
+
+            <p>
+              When multiple views are in use, a zone may be
+              referenced by more than one of them. Often, the views
+              will contain different zones with the same name, allowing
+              different clients to receive different answers for the same
+              queries. At times, however, it is desirable for multiple
+              views to contain identical zones.  The
+              <span class="command"><strong>in-view</strong></span> zone option provides an efficient
+              way to do this: it allows a view to reference a zone that
+              was defined in a previously configured view. Example:
+            </p>
+            <pre class="programlisting">
+view internal {
+    match-clients { 10/8; };
+
+    zone example.com {
+        type master;
+        file "example-external.db";
+    };
+};
+
+view external {
+    match-clients { any; };
+
+    zone example.com {
+        in-view internal;
+    };
+};
+            </pre>
+            <p>
+              An <span class="command"><strong>in-view</strong></span> option cannot refer to a view
+              that is configured later in the configuration file.
+            </p>
+            <p>
+              A <span class="command"><strong>zone</strong></span> statement which uses the
+              <span class="command"><strong>in-view</strong></span> option may not use any other
+              options with the exception of <span class="command"><strong>forward</strong></span>
+              and <span class="command"><strong>forwarders</strong></span>. (These options control
+              the behavior of the containing view, rather than changing
+              the zone object itself.)
+            </p>
+            <p>
+              Zone level acls (e.g. allow-query, allow-transfer) and
+              other configuration details of the zone are all set
+              in the view the referenced zone is defined in.  Care
+              need to be taken to ensure that acls are wide enough
+              for all views referencing the zone.
+            </p>
+            <p>
+              An <span class="command"><strong>in-view</strong></span> zone cannot be used as a
+              response policy zone.
+            </p>
+            <p>
+              An <span class="command"><strong>in-view</strong></span> zone is not intended to reference
+              a <span class="command"><strong>forward</strong></span> zone.
+            </p>
+          </div>
+
+        </div>
+      </div>
+      <div class="section">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="zone_file"></a>Zone File</h2></div></div></div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
+
+          <p>
+            This section, largely borrowed from RFC 1034, describes the
+            concept of a Resource Record (RR) and explains when each is used.
+            Since the publication of RFC 1034, several new RRs have been
+            identified
+            and implemented in the DNS. These are also included.
+          </p>
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.6.6.2.3"></a>Resource Records</h4></div></div></div>
+
+            <p>
+              A domain name identifies a node.  Each node has a set of
+              resource information, which may be empty.  The set of resource
+              information associated with a particular name is composed of
+              separate RRs. The order of RRs in a set is not significant and
+              need not be preserved by name servers, resolvers, or other
+              parts of the DNS. However, sorting of multiple RRs is
+              permitted for optimization purposes, for example, to specify
+              that a particular nearby server be tried first. See <a class="xref" href="Bv9ARM.ch05.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a> and <a class="xref" href="Bv9ARM.ch05.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
+            </p>
+
+            <p>
+              The components of a Resource Record are:
+            </p>
+            <div class="informaltable">
+              <table border="1">
+<colgroup>
+<col width="1.000in" class="1">
+<col width="3.500in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        owner name
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The domain name where the RR is found.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        type
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        An encoded 16-bit value that specifies
+                        the type of the resource record.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        TTL
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The time-to-live of the RR. This field
+                        is a 32-bit integer in units of seconds, and is
+                        primarily used by
+                        resolvers when they cache RRs. The TTL describes how
+                        long a RR can
+                        be cached before it should be discarded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        class
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        An encoded 16-bit value that identifies
+                        a protocol family or instance of a protocol.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        RDATA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The resource data.  The format of the
+                        data is type (and sometimes class) specific.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+            <p>
+              The following are <span class="emphasis"><em>types</em></span> of valid RRs:
+            </p>
+            <div class="informaltable">
+              <table border="1">
+<colgroup>
+<col width="0.875in" class="1">
+<col width="3.625in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        A
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A host address.  In the IN class, this is a
+                        32-bit IP address.  Described in RFC 1035.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        AAAA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 address.  Described in RFC 1886.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        A6
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 address.  This can be a partial
+                        address (a suffix) and an indirection to the name
+                        where the rest of the
+                        address (the prefix) can be found.  Experimental.
+                        Described in RFC 2874.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        AFSDB
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Location of AFS database servers.
+                        Experimental.  Described in RFC 1183.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        APL
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Address prefix list.  Experimental.
+                        Described in RFC 3123.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        ATMA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        ATM Address.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        AVC
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Application Visibility and Control record.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        CAA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies which Certificate Authorities can issue
+                        certificates for this domain and what rules they
+                        need to follow when doing so. Defined in RFC 6844.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        CDNSKEY
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies which DNSKEY records should be published
+                        as DS records in the parent zone.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        CDS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Contains the set of DS records that should be published
+                        by the parent zone.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        CERT
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Holds a digital certificate.
+                        Described in RFC 2538.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        CNAME
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies the canonical name of an alias.
+                        Described in RFC 1035.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        CSYNC
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Child-to-Parent Synchronization in DNS as described
+                        in RFC 7477.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        DHCID
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Is used for identifying which DHCP client is
+                        associated with this name.  Described in RFC 4701.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        DLV
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A DNS Look-aside Validation record which contains
+                        the records that are used as trust anchors for
+                        zones in a DLV namespace.  Described in RFC 4431.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        DNAME
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Replaces the domain name specified with
+                        another name to be looked up, effectively aliasing an
+                        entire
+                        subtree of the domain name space rather than a single
+                        record
+                        as in the case of the CNAME RR.
+                        Described in RFC 2672.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        DNSKEY
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Stores a public key associated with a signed
+                        DNS zone.  Described in RFC 4034.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        DOA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Implements the Digital Object Architecture over
+                        DNS. Experimental.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        DS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Stores the hash of a public key associated with a
+                        signed DNS zone.  Described in RFC 4034.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        EID
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        End Point Identifier.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        EUI48
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A 48-bit EUI address. Described in RFC 7043.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        EUI64
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A 64-bit EUI address. Described in RFC 7043.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        GID
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Reserved.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        GPOS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Specifies the global position.  Superseded by LOC.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        HINFO
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies the CPU and OS used by a host.
+                        Described in RFC 1035.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        HIP
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Host Identity Protocol Address.
+                        Described in RFC 5205.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        IPSECKEY
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Provides a method for storing IPsec keying material in
+                        DNS.  Described in RFC 4025.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        ISDN
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Representation of ISDN addresses.
+                        Experimental.  Described in RFC 1183.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        KEY
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Stores a public key associated with a
+                        DNS name.  Used in original DNSSEC; replaced
+                        by DNSKEY in DNSSECbis, but still used with
+                        SIG(0).  Described in RFCs 2535 and 2931.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        KX
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies a key exchanger for this
+                        DNS name.  Described in RFC 2230.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        L32
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Holds 32-bit Locator values for
+                        Identifier-Locator Network Protocol. Described
+                        in RFC 6742.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        L64
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Holds 64-bit Locator values for
+                        Identifier-Locator Network Protocol. Described
+                        in RFC 6742.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        LOC
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        For storing GPS info.  Described in RFC 1876.
+                        Experimental.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        LP
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifier-Locator Network Protocol.
+                        Described in RFC 6742.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        MB
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Mail Box.  Historical.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        MD
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Mail Destination.  Historical.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        MF
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Mail Forwarder.  Historical.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        MG
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Mail Group.  Historical.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        MINFO
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Mail Information.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        MR
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Mail Rename. Historical.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        MX
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies a mail exchange for the domain with
+                        a 16-bit preference value (lower is better)
+                        followed by the host name of the mail exchange.
+                        Described in RFC 974, RFC 1035.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NAPTR
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Name authority pointer.  Described in RFC 2915.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NID
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Holds values for Node Identifiers in
+                        Identifier-Locator Network Protocol. Described
+                        in RFC 6742.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NINFO
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Contains zone status information.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NIMLOC
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Nimrod Locator.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NSAP
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A network service access point.
+                        Described in RFC 1706.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NSAP-PTR
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Historical.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The authoritative name server for the
+                        domain.  Described in RFC 1035.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NSEC
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Used in DNSSECbis to securely indicate that
+                        RRs with an owner name in a certain name interval do
+                        not exist in
+                        a zone and indicate what RR types are present for an
+                        existing name.
+                        Described in RFC 4034.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NSEC3
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Used in DNSSECbis to securely indicate that
+                        RRs with an owner name in a certain name
+                        interval do not exist in a zone and indicate
+                        what RR types are present for an existing
+                        name.  NSEC3 differs from NSEC in that it
+                        prevents zone enumeration but is more
+                        computationally expensive on both the server
+                        and the client than NSEC.  Described in RFC
+                        5155.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NSEC3PARAM
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Used in DNSSECbis to tell the authoritative
+                        server which NSEC3 chains are available to use.
+                        Described in RFC 5155.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NULL
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This is an opaque container.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NXT
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Used in DNSSEC to securely indicate that
+                        RRs with an owner name in a certain name interval do
+                        not exist in
+                        a zone and indicate what RR types are present for an
+                        existing name.
+                        Used in original DNSSEC; replaced by NSEC in
+                        DNSSECbis.
+                        Described in RFC 2535.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        OPENPGPKEY
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Used to hold an OPENPGPKEY.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        PTR
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A pointer to another part of the domain
+                        name space.  Described in RFC 1035.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        PX
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Provides mappings between RFC 822 and X.400
+                        addresses.  Described in RFC 2163.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        RKEY
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Resource key.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        RP
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Information on persons responsible
+                        for the domain.  Experimental.  Described in RFC 1183.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        RRSIG
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Contains DNSSECbis signature data.  Described
+                        in RFC 4034.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        RT
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Route-through binding for hosts that
+                        do not have their own direct wide area network
+                        addresses.
+                        Experimental.  Described in RFC 1183.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        SIG
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Contains DNSSEC signature data.  Used in
+                        original DNSSEC; replaced by RRSIG in
+                        DNSSECbis, but still used for SIG(0).
+                        Described in RFCs 2535 and 2931.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        SINK
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The kitchen sink record.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        SMIMEA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The S/MIME Security Certificate Association.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        SOA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies the start of a zone of authority.
+                        Described in RFC 1035.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        SPF
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Contains the Sender Policy Framework information
+                        for a given email domain.  Described in RFC 4408.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        SRV
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Information about well known network
+                        services (replaces WKS).  Described in RFC 2782.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        SSHFP
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Provides a way to securely publish a secure shell key's
+                        fingerprint.  Described in RFC 4255.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        TA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Trust Anchor. Experimental.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        TALINK
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Trust Anchor Link.  Experimental.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        TLSA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Transport Layer Security Certificate Association.
+                        Described in RFC 6698.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        TXT
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Text records.  Described in RFC 1035.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        UID
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Reserved.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        UINFO
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Reserved.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        UNSPEC
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Reserved. Historical.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        URI
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Holds a URI. Described in RFC 7553.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        WKS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Information about which well known
+                        network services, such as SMTP, that a domain
+                        supports. Historical.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        X25
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Representation of X.25 network addresses.
+                        Experimental.  Described in RFC 1183.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+            <p>
+              The following <span class="emphasis"><em>classes</em></span> of resource records
+              are currently valid in the DNS:
+            </p>
+            <div class="informaltable">
+<table border="1">
+<colgroup>
+<col width="0.875in" class="1">
+<col width="3.625in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        IN
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The Internet.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        CH
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Chaosnet, a LAN protocol created at MIT in the
+                        mid-1970s.
+                        Rarely used for its historical purpose, but reused for
+                        BIND's
+                        built-in server information zones, e.g.,
+                        <code class="literal">version.bind</code>.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        HS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Hesiod, an information service
+                        developed by MIT's Project Athena. It is used to share
+                        information
+                        about various systems databases, such as users,
+                        groups, printers
+                        and so on.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+
+            <p>
+              The owner name is often implicit, rather than forming an
+              integral
+              part of the RR.  For example, many name servers internally form
+              tree
+              or hash structures for the name space, and chain RRs off nodes.
+              The remaining RR parts are the fixed header (type, class, TTL)
+              which is consistent for all RRs, and a variable part (RDATA)
+              that
+              fits the needs of the resource being described.
+            </p>
+            <p>
+              The meaning of the TTL field is a time limit on how long an
+              RR can be kept in a cache.  This limit does not apply to
+              authoritative
+              data in zones; it is also timed out, but by the refreshing
+              policies
+              for the zone.  The TTL is assigned by the administrator for the
+              zone where the data originates.  While short TTLs can be used to
+              minimize caching, and a zero TTL prohibits caching, the
+              realities
+              of Internet performance suggest that these times should be on
+              the
+              order of days for the typical host.  If a change can be
+              anticipated,
+              the TTL can be reduced prior to the change to minimize
+              inconsistency
+              during the change, and then increased back to its former value
+              following
+              the change.
+            </p>
+            <p>
+              The data in the RDATA section of RRs is carried as a combination
+              of binary strings and domain names.  The domain names are
+              frequently
+              used as "pointers" to other data in the DNS.
+            </p>
+          </div>
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="rr_text"></a>Textual expression of RRs</h4></div></div></div>
+
+            <p>
+              RRs are represented in binary form in the packets of the DNS
+              protocol, and are usually represented in highly encoded form
+              when
+              stored in a name server or resolver.  In the examples provided
+              in
+              RFC 1034, a style similar to that used in master files was
+              employed
+              in order to show the contents of RRs.  In this format, most RRs
+              are shown on a single line, although continuation lines are
+              possible
+              using parentheses.
+            </p>
+            <p>
+              The start of the line gives the owner of the RR.  If a line
+              begins with a blank, then the owner is assumed to be the same as
+              that of the previous RR.  Blank lines are often included for
+              readability.
+            </p>
+            <p>
+              Following the owner, we list the TTL, type, and class of the
+              RR.  Class and type use the mnemonics defined above, and TTL is
+              an integer before the type field.  In order to avoid ambiguity
+              in
+              parsing, type and class mnemonics are disjoint, TTLs are
+              integers,
+              and the type mnemonic is always last. The IN class and TTL
+              values
+              are often omitted from examples in the interests of clarity.
+            </p>
+            <p>
+              The resource data or RDATA section of the RR are given using
+              knowledge of the typical representation for the data.
+            </p>
+            <p>
+              For example, we might show the RRs carried in a message as:
+            </p>
+            <div class="informaltable">
+<table border="1">
+<colgroup>
+<col width="1.381in" class="1">
+<col width="1.020in" class="2">
+<col width="2.099in" class="3">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <code class="literal">ISI.EDU.</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">MX</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">10 VENERA.ISI.EDU.</code>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p></p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">MX</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">10 VAXA.ISI.EDU</code>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="literal">VENERA.ISI.EDU</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">128.9.0.32</code>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p></p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">10.1.0.52</code>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="literal">VAXA.ISI.EDU</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">10.2.0.27</code>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p></p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">128.9.0.33</code>
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+            <p>
+              The MX RRs have an RDATA section which consists of a 16-bit
+              number followed by a domain name.  The address RRs use a
+              standard
+              IP address format to contain a 32-bit internet address.
+            </p>
+            <p>
+              The above example shows six RRs, with two RRs at each of three
+              domain names.
+            </p>
+            <p>
+              Similarly we might see:
+            </p>
+            <div class="informaltable">
+<table border="1">
+<colgroup>
+<col width="1.491in" class="1">
+<col width="1.067in" class="2">
+<col width="2.067in" class="3">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <code class="literal">XX.LCS.MIT.EDU.</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">IN A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">10.0.0.44</code>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td> </td>
+<td>
+                      <p>
+                        <code class="literal">CH A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">MIT.EDU. 2420</code>
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+            <p>
+              This example shows two addresses for
+              <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
+            </p>
+          </div>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="mx_records"></a>Discussion of MX Records</h3></div></div></div>
+
+          <p>
+            As described above, domain servers store information as a
+            series of resource records, each of which contains a particular
+            piece of information about a given domain name (which is usually,
+            but not always, a host). The simplest way to think of a RR is as
+            a typed pair of data, a domain name matched with a relevant datum,
+            and stored with some additional type information to help systems
+            determine when the RR is relevant.
+          </p>
+
+          <p>
+            MX records are used to control delivery of email. The data
+            specified in the record is a priority and a domain name. The
+            priority
+            controls the order in which email delivery is attempted, with the
+            lowest number first. If two priorities are the same, a server is
+            chosen randomly. If no servers at a given priority are responding,
+            the mail transport agent will fall back to the next largest
+            priority.
+            Priority numbers do not have any absolute meaning &#8212; they are
+            relevant
+            only respective to other MX records for that domain name. The
+            domain
+            name given is the machine to which the mail will be delivered.
+            It <span class="emphasis"><em>must</em></span> have an associated address record
+            (A or AAAA) &#8212; CNAME is not sufficient.
+          </p>
+          <p>
+            For a given domain, if there is both a CNAME record and an
+            MX record, the MX record is in error, and will be ignored.
+            Instead,
+            the mail will be delivered to the server specified in the MX
+            record
+            pointed to by the CNAME.
+            For example:
+          </p>
+          <div class="informaltable">
+            <table border="1">
+<colgroup>
+<col width="1.708in" class="1">
+<col width="0.444in" class="2">
+<col width="0.444in" class="3">
+<col width="0.976in" class="4">
+<col width="1.553in" class="5">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                    <p>
+                      <code class="literal">example.com.</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">MX</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">10</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">mail.example.com.</code>
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p></p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">MX</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">10</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">mail2.example.com.</code>
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p></p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">MX</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">20</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">mail.backup.org.</code>
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p>
+                      <code class="literal">mail.example.com.</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">A</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">10.0.0.1</code>
+                    </p>
+                  </td>
+<td>
+                    <p></p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p>
+                      <code class="literal">mail2.example.com.</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">A</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">10.0.0.2</code>
+                    </p>
+                  </td>
+<td>
+                    <p></p>
+                  </td>
+</tr>
+</tbody>
+</table>
+            </div>
+<p>
+            Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
+            <code class="literal">mail2.example.com</code> (in
+            any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
+            be attempted.
+          </p>
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
+
+          <p>
+            The time-to-live of the RR field is a 32-bit integer represented
+            in units of seconds, and is primarily used by resolvers when they
+            cache RRs. The TTL describes how long a RR can be cached before it
+            should be discarded. The following three types of TTL are
+            currently
+            used in a zone file.
+          </p>
+          <div class="informaltable">
+            <table border="1">
+<colgroup>
+<col width="0.750in" class="1">
+<col width="4.375in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                    <p>
+                      SOA
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      The last field in the SOA is the negative
+                      caching TTL. This controls how long other servers will
+                      cache no-such-domain
+                      (NXDOMAIN) responses from you.
+                    </p>
+                    <p>
+                      The maximum time for
+                      negative caching is 3 hours (3h).
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p>
+                      $TTL
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      The $TTL directive at the top of the
+                      zone file (before the SOA) gives a default TTL for every
+                      RR without
+                      a specific TTL set.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p>
+                      RR TTLs
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      Each RR can have a TTL as the second
+                      field in the RR, which will control how long other
+                      servers can cache it.
+                    </p>
+                  </td>
+</tr>
+</tbody>
+</table>
+          </div>
+          <p>
+            All of these TTLs default to units of seconds, though units
+            can be explicitly specified, for example, <code class="literal">1h30m</code>.
+          </p>
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="ipv4_reverse"></a>Inverse Mapping in IPv4</h3></div></div></div>
+
+          <p>
+            Reverse name resolution (that is, translation from IP address
+            to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
+            and PTR records. Entries in the in-addr.arpa domain are made in
+            least-to-most significant order, read left to right. This is the
+            opposite order to the way IP addresses are usually written. Thus,
+            a machine with an IP address of 10.1.2.3 would have a
+            corresponding
+            in-addr.arpa name of
+            3.2.1.10.in-addr.arpa. This name should have a PTR resource record
+            whose data field is the name of the machine or, optionally,
+            multiple
+            PTR records if the machine has more than one name. For example,
+            in the [<span class="optional">example.com</span>] domain:
+          </p>
+          <div class="informaltable">
+            <table border="1">
+<colgroup>
+<col width="1.125in" class="1">
+<col width="4.000in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                    <p>
+                      <code class="literal">$ORIGIN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">2.1.10.in-addr.arpa</code>
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p>
+                      <code class="literal">3</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN PTR foo.example.com.</code>
+                    </p>
+                  </td>
+</tr>
+</tbody>
+</table>
+          </div>
+          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+            <p>
+              The <span class="command"><strong>$ORIGIN</strong></span> lines in the examples
+              are for providing context to the examples only &#8212; they do not
+              necessarily
+              appear in the actual usage. They are only used here to indicate
+              that the example is relative to the listed origin.
+            </p>
+          </div>
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="zone_directives"></a>Other Zone File Directives</h3></div></div></div>
+
+          <p>
+            The Master File Format was initially defined in RFC 1035 and
+            has subsequently been extended. While the Master File Format
+            itself
+            is class independent all records in a Master File must be of the
+            same
+            class.
+          </p>
+          <p>
+            Master File Directives include <span class="command"><strong>$ORIGIN</strong></span>, <span class="command"><strong>$INCLUDE</strong></span>,
+            and <span class="command"><strong>$TTL.</strong></span>
+          </p>
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="atsign"></a>The <span class="command"><strong>@</strong></span> (at-sign)</h4></div></div></div>
+
+            <p>
+              When used in the label (or name) field, the asperand or
+              at-sign (@) symbol represents the current origin.
+              At the start of the zone file, it is the
+              &lt;<code class="varname">zone_name</code>&gt; (followed by
+              trailing dot).
+            </p>
+          </div>
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="origin_directive"></a>The <span class="command"><strong>$ORIGIN</strong></span> Directive</h4></div></div></div>
+
+            <p>
+              Syntax: <span class="command"><strong>$ORIGIN</strong></span>
+              <em class="replaceable"><code>domain-name</code></em>
+              [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
+            </p>
+            <p><span class="command"><strong>$ORIGIN</strong></span>
+              sets the domain name that will be appended to any
+              unqualified records. When a zone is first read in there
+              is an implicit <span class="command"><strong>$ORIGIN</strong></span>
+              &lt;<code class="varname">zone_name</code>&gt;<span class="command"><strong>.</strong></span>
+              (followed by trailing dot).
+              The current <span class="command"><strong>$ORIGIN</strong></span> is appended to
+              the domain specified in the <span class="command"><strong>$ORIGIN</strong></span>
+              argument if it is not absolute.
+            </p>
+
+<pre class="programlisting">
+$ORIGIN example.com.
+WWW     CNAME   MAIN-SERVER
+</pre>
+
+            <p>
+              is equivalent to
+            </p>
+
+<pre class="programlisting">
+WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
+</pre>
+
+          </div>
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="include_directive"></a>The <span class="command"><strong>$INCLUDE</strong></span> Directive</h4></div></div></div>
+
+            <p>
+              Syntax: <span class="command"><strong>$INCLUDE</strong></span>
+              <em class="replaceable"><code>filename</code></em>
+              [<span class="optional">
+<em class="replaceable"><code>origin</code></em> </span>]
+              [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
+            </p>
+            <p>
+              Read and process the file <code class="filename">filename</code> as
+              if it were included into the file at this point.  If <span class="command"><strong>origin</strong></span> is
+              specified the file is processed with <span class="command"><strong>$ORIGIN</strong></span> set
+              to that value, otherwise the current <span class="command"><strong>$ORIGIN</strong></span> is
+              used.
+            </p>
+            <p>
+              The origin and the current domain name
+              revert to the values they had prior to the <span class="command"><strong>$INCLUDE</strong></span> once
+              the file has been read.
+            </p>
+            <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+              <p>
+                RFC 1035 specifies that the current origin should be restored
+                after
+                an <span class="command"><strong>$INCLUDE</strong></span>, but it is silent
+                on whether the current
+                domain name should also be restored.  BIND 9 restores both of
+                them.
+                This could be construed as a deviation from RFC 1035, a
+                feature, or both.
+              </p>
+            </div>
+          </div>
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="ttl_directive"></a>The <span class="command"><strong>$TTL</strong></span> Directive</h4></div></div></div>
+
+            <p>
+              Syntax: <span class="command"><strong>$TTL</strong></span>
+              <em class="replaceable"><code>default-ttl</code></em>
+              [<span class="optional">
+<em class="replaceable"><code>comment</code></em> </span>]
+            </p>
+            <p>
+              Set the default Time To Live (TTL) for subsequent records
+              with undefined TTLs. Valid TTLs are of the range 0-2147483647
+              seconds.
+            </p>
+            <p><span class="command"><strong>$TTL</strong></span>
+               is defined in RFC 2308.
+            </p>
+          </div>
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="generate_directive"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</h3></div></div></div>
+
+          <p>
+            Syntax: <span class="command"><strong>$GENERATE</strong></span>
+            <em class="replaceable"><code>range</code></em>
+            <em class="replaceable"><code>lhs</code></em>
+            [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
+            [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
+            <em class="replaceable"><code>type</code></em>
+            <em class="replaceable"><code>rhs</code></em>
+            [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
+          </p>
+          <p><span class="command"><strong>$GENERATE</strong></span>
+            is used to create a series of resource records that only
+            differ from each other by an
+            iterator. <span class="command"><strong>$GENERATE</strong></span> can be used to
+            easily generate the sets of records required to support
+            sub /24 reverse delegations described in RFC 2317:
+            Classless IN-ADDR.ARPA delegation.
+          </p>
+
+<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
+$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
+$GENERATE 1-127 $ CNAME $.0</pre>
+
+          <p>
+            is equivalent to
+          </p>
+
+<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
+0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
+1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
+2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
+...
+127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
+</pre>
+
+           <p>
+            Generate a set of A and MX records.  Note the MX's right hand
+            side is a quoted string.  The quotes will be stripped when the
+            right hand side is processed.
+           </p>
+
+<pre class="programlisting">
+$ORIGIN EXAMPLE.
+$GENERATE 1-127 HOST-$ A 1.2.3.$
+$GENERATE 1-127 HOST-$ MX "0 ."</pre>
+
+          <p>
+            is equivalent to
+          </p>
+
+<pre class="programlisting">HOST-1.EXAMPLE.   A  1.2.3.1
+HOST-1.EXAMPLE.   MX 0 .
+HOST-2.EXAMPLE.   A  1.2.3.2
+HOST-2.EXAMPLE.   MX 0 .
+HOST-3.EXAMPLE.   A  1.2.3.3
+HOST-3.EXAMPLE.   MX 0 .
+...
+HOST-127.EXAMPLE. A  1.2.3.127
+HOST-127.EXAMPLE. MX 0 .
+</pre>
+
+          <div class="informaltable">
+            <table border="1">
+<colgroup>
+<col width="0.875in" class="1">
+<col width="4.250in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                    <p><span class="command"><strong>range</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      This can be one of two forms: start-stop
+                      or start-stop/step. If the first form is used, then step
+                      is set to 1. start, stop and step must be positive
+                      integers between 0 and (2^31)-1. start must not be
+                      larger than stop.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><span class="command"><strong>lhs</strong></span></p>
+                  </td>
+<td>
+                    <p>This
+                      describes the owner name of the resource records
+                      to be created.  Any single <span class="command"><strong>$</strong></span>
+                      (dollar sign)
+                      symbols within the <span class="command"><strong>lhs</strong></span> string
+                      are replaced by the iterator value.
+
+                      To get a $ in the output, you need to escape the
+                      <span class="command"><strong>$</strong></span> using a backslash
+                      <span class="command"><strong>\</strong></span>,
+                      e.g. <span class="command"><strong>\$</strong></span>. The
+                      <span class="command"><strong>$</strong></span> may optionally be followed
+                      by modifiers which change the offset from the
+                      iterator, field width and base.
+
+                      Modifiers are introduced by a
+                      <span class="command"><strong>{</strong></span> (left brace) immediately following the
+                      <span class="command"><strong>$</strong></span> as
+                      <span class="command"><strong>${offset[,width[,base]]}</strong></span>.
+                      For example, <span class="command"><strong>${-20,3,d}</strong></span>
+                      subtracts 20 from the current value, prints the
+                      result as a decimal in a zero-padded field of
+                      width 3.
+
+                      Available output forms are decimal
+                      (<span class="command"><strong>d</strong></span>), octal
+                      (<span class="command"><strong>o</strong></span>), hexadecimal
+                      (<span class="command"><strong>x</strong></span> or <span class="command"><strong>X</strong></span>
+                      for uppercase) and nibble
+                      (<span class="command"><strong>n</strong></span> or <span class="command"><strong>N</strong></span>\
+                      for uppercase).  The default modifier is
+                      <span class="command"><strong>${0,0,d}</strong></span>.  If the
+                      <span class="command"><strong>lhs</strong></span> is not absolute, the
+                      current <span class="command"><strong>$ORIGIN</strong></span> is appended
+                      to the name.
+                    </p>
+                    <p>
+                      In nibble mode the value will be treated as
+                      if it was a reversed hexadecimal string
+                      with each hexadecimal digit as a separate
+                      label.  The width field includes the label
+                      separator.
+                    </p>
+                    <p>
+                      For compatibility with earlier versions,
+                      <span class="command"><strong>$$</strong></span> is still recognized as
+                      indicating a literal $ in the output.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><span class="command"><strong>ttl</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Specifies the time-to-live of the generated records. If
+                      not specified this will be inherited using the
+                      normal TTL inheritance rules.
+                    </p>
+                    <p><span class="command"><strong>class</strong></span>
+                      and <span class="command"><strong>ttl</strong></span> can be
+                      entered in either order.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><span class="command"><strong>class</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Specifies the class of the generated records.
+                      This must match the zone class if it is
+                      specified.
+                    </p>
+                    <p><span class="command"><strong>class</strong></span>
+                      and <span class="command"><strong>ttl</strong></span> can be
+                      entered in either order.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><span class="command"><strong>type</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Any valid type.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><span class="command"><strong>rhs</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      <span class="command"><strong>rhs</strong></span>, optionally, quoted string.
+                    </p>
+                  </td>
+</tr>
+</tbody>
+</table>
+          </div>
+          <p>
+            The <span class="command"><strong>$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
+            and not part of the standard zone file format.
+          </p>
+          <p>
+            BIND 8 did not support the optional TTL and CLASS fields.
+          </p>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
+
+          <p>
+            In addition to the standard textual format, BIND 9
+            supports the ability to read or dump to zone files in
+            other formats.
+          </p>
+          <p>
+            The <code class="constant">raw</code> format is
+            a binary representation of zone data in a manner similar
+            to that used in zone transfers.  Since it does not require
+            parsing text, load time is significantly reduced.
+          </p>
+          <p>
+            An even faster alternative is the <code class="constant">map</code>
+            format, which is an image of a <acronym class="acronym">BIND</acronym> 9
+            in-memory zone database; it is capable of being loaded
+            directly into memory via the <span class="command"><strong>mmap()</strong></span>
+            function; the zone can begin serving queries almost
+            immediately.
+          </p>
+          <p>
+            For a primary server, a zone file in
+            <code class="constant">raw</code> or <code class="constant">map</code>
+            format is expected to be generated from a textual zone
+            file by the <span class="command"><strong>named-compilezone</strong></span> command.
+            For a secondary server or for a dynamic zone, it is automatically
+            generated (if this format is specified by the
+            <span class="command"><strong>masterfile-format</strong></span> option) when
+            <span class="command"><strong>named</strong></span> dumps the zone contents after
+            zone transfer or when applying prior updates.
+          </p>
+          <p>
+            If a zone file in a binary format needs manual modification,
+            it first must be converted to a textual form by the
+            <span class="command"><strong>named-compilezone</strong></span> command.  All
+            necessary modification should go to the text file, which
+            should then be converted to the binary form by the
+            <span class="command"><strong>named-compilezone</strong></span> command again.
+          </p>
+          <p>
+            Note that <span class="command"><strong>map</strong></span> format is extremely
+            architecture-specific.  A <code class="constant">map</code>
+            file <span class="emphasis"><em>cannot</em></span> be used on a system
+            with different pointer size, endianness or data alignment
+            than the system on which it was generated, and should in
+            general be used only inside a single system.
+            While <code class="constant">raw</code> format uses
+            network byte order and avoids architecture-dependent
+            data alignment so that it is as portable as
+            possible, it is also primarily expected to be used
+            inside the same single system.  To export a
+            zone file in either <code class="constant">raw</code> or
+            <code class="constant">map</code> format, or make a
+            portable backup of such a file, conversion to
+            <code class="constant">text</code> format is recommended.
+          </p>
+        </div>
+      </div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
+
+        <p>
+          <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
+          information and provides several interfaces for users to
+          get access to the statistics.
+          The available statistics include all statistics counters
+          that were available in <acronym class="acronym">BIND</acronym> 8 and
+          are meaningful in <acronym class="acronym">BIND</acronym> 9,
+          and other information that is considered useful.
+        </p>
+
+        <p>
+          The statistics information is categorized into the following
+          sections.
+        </p>
+
+        <div class="informaltable">
+          <table border="1">
+<colgroup>
+<col width="3.300in" class="1">
+<col width="2.625in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                  <p>Incoming Requests</p>
+                </td>
+<td>
+                  <p>
+                    The number of incoming DNS requests for each OPCODE.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Incoming Queries</p>
+                </td>
+<td>
+                  <p>
+                    The number of incoming queries for each RR type.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Outgoing Queries</p>
+                </td>
+<td>
+                  <p>
+                    The number of outgoing queries for each RR
+                    type sent from the internal resolver.
+                    Maintained per view.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Name Server Statistics</p>
+                </td>
+<td>
+                  <p>
+                    Statistics counters about incoming request processing.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Zone Maintenance Statistics</p>
+                </td>
+<td>
+                  <p>
+                    Statistics counters regarding zone maintenance
+                    operations such as zone transfers.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Resolver Statistics</p>
+                </td>
+<td>
+                  <p>
+                    Statistics counters about name resolution
+                    performed in the internal resolver.
+                    Maintained per view.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Cache DB RRsets</p>
+                </td>
+<td>
+                  <p>
+                    The number of RRsets per RR type and nonexistent
+                    names stored in the cache database.
+                    If the exclamation mark (!) is printed for a RR
+                    type, it means that particular type of RRset is
+                    known to be nonexistent (this is also known as
+                    "NXRRSET").  If a hash mark (#) is present then
+                    the RRset is marked for garbage collection.
+                    Maintained per view.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Socket I/O Statistics</p>
+                </td>
+<td>
+                  <p>
+                    Statistics counters about network related events.
+                  </p>
+                </td>
+</tr>
+</tbody>
+</table>
+        </div>
+
+        <p>
+          A subset of Name Server Statistics is collected and shown
+          per zone for which the server has the authority when
+          <span class="command"><strong>zone-statistics</strong></span> is set to
+          <strong class="userinput"><code>full</code></strong> (or <strong class="userinput"><code>yes</code></strong>
+          for backward compatibility. See the description of
+          <span class="command"><strong>zone-statistics</strong></span> in <a class="xref" href="Bv9ARM.ch05.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
+          Usage&#8221;</a>
+          for further details.
+        </p>
+
+        <p>
+          These statistics counters are shown with their zone and
+          view names. The view name is omitted when the server is
+          not configured with explicit views.</p>
+
+        <p>
+          There are currently two user interfaces to get access to the
+          statistics.
+          One is in the plain text format dumped to the file specified
+          by the <span class="command"><strong>statistics-file</strong></span> configuration option.
+          The other is remotely accessible via a statistics channel
+          when the <span class="command"><strong>statistics-channels</strong></span> statement
+          is specified in the configuration file
+          (see <a class="xref" href="Bv9ARM.ch05.html#statschannels" title="statistics-channels Statement Grammar">the section called &#8220;<span class="command"><strong>statistics-channels</strong></span> Statement Grammar&#8221;</a>.)
+        </p>
+
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="statsfile"></a>The Statistics File</h3></div></div></div>
+
+          <p>
+            The text format statistics dump begins with a line, like:
+          </p>
+          <p>
+            <span class="command"><strong>+++ Statistics Dump +++ (973798949)</strong></span>
+          </p>
+          <p>
+            The number in parentheses is a standard
+            Unix-style timestamp, measured as seconds since January 1, 1970.
+
+            Following
+            that line is a set of statistics information, which is categorized
+            as described above.
+            Each section begins with a line, like:
+          </p>
+
+          <p>
+            <span class="command"><strong>++ Name Server Statistics ++</strong></span>
+          </p>
+
+          <p>
+            Each section consists of lines, each containing the statistics
+            counter value followed by its textual description.
+            See below for available counters.
+            For brevity, counters that have a value of 0 are not shown
+            in the statistics file.
+          </p>
+
+          <p>
+            The statistics dump ends with the line where the
+            number is identical to the number in the beginning line; for example:
+          </p>
+          <p>
+            <span class="command"><strong>--- Statistics Dump --- (973798949)</strong></span>
+          </p>
+        </div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
+
+          <p>
+            The following tables summarize statistics counters that
+            <acronym class="acronym">BIND</acronym> 9 provides.
+            For each row of the tables, the leftmost column is the
+            abbreviated symbol name of that counter.
+            These symbols are shown in the statistics information
+            accessed via an HTTP statistics channel.
+            The rightmost column gives the description of the counter,
+            which is also shown in the statistics file
+            (but, in this document, possibly with slight modification
+            for better readability).
+            Additional notes may also be provided in this column.
+            When a middle column exists between these two columns,
+            it gives the corresponding counter name of the
+            <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
+          </p>
+
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="stats_counters"></a>Name Server Statistics Counters</h4></div></div></div>
+
+            <div class="informaltable">
+              <table border="1">
+<colgroup>
+<col width="1.150in" class="1">
+<col width="1.150in" class="2">
+<col width="3.350in" class="3">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>BIND8 Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Description</em></span>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Requestv4</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 requests received.
+                        Note: this also counts non query requests.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Requestv6</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 requests received.
+                        Note: this also counts non query requests.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>ReqEdns0</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requests with EDNS(0) received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>ReqBadEDNSVer</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requests with unsupported EDNS version received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>ReqTSIG</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requests with TSIG received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>ReqSIG0</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requests with SIG(0) received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>ReqBadSIG</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requests with invalid (TSIG or SIG(0)) signature.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>ReqTCP</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RTCP</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        TCP requests received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>AuthQryRej</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RUQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Authoritative (non recursive) queries rejected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>RecQryRej</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RURQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Recursive queries rejected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>XfrRej</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RUXFR</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Zone transfer requests rejected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>UpdateRej</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RUUpd</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Dynamic update requests rejected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Response</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>SAns</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Responses sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>RespTruncated</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Truncated responses sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>RespEDNS0</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Responses with EDNS(0) sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>RespTSIG</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Responses with TSIG sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>RespSIG0</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Responses with SIG(0) sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QrySuccess</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in a successful answer.
+                        This means the query which returns a NOERROR response
+                        with at least one answer RR.
+                        This corresponds to the
+                        <span class="command"><strong>success</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryAuthAns</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in authoritative answer.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryNoauthAns</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>SNaAns</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in non authoritative answer.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryReferral</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in referral answer.
+                        This corresponds to the
+                        <span class="command"><strong>referral</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryNxrrset</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in NOERROR responses with no data.
+                        This corresponds to the
+                        <span class="command"><strong>nxrrset</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QrySERVFAIL</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>SFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in SERVFAIL.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryFORMERR</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>SFErr</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in FORMERR.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryNXDOMAIN</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>SNXD</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in NXDOMAIN.
+                        This corresponds to the
+                        <span class="command"><strong>nxdomain</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryRecursion</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RFwdQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries which caused the server
+                        to perform recursion in order to find the final answer.
+                        This corresponds to the
+                        <span class="command"><strong>recursion</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryDuplicate</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RDupQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries which the server attempted to
+                        recurse but discovered an existing query with the same
+                        IP address, port, query ID, name, type and class
+                        already being processed.
+                        This corresponds to the
+                        <span class="command"><strong>duplicate</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryDropped</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Recursive queries for which the server
+                        discovered an excessive number of existing
+                        recursive queries for the same name, type and
+                        class and were subsequently dropped.
+                        This is the number of dropped queries due to
+                        the reason explained with the
+                        <span class="command"><strong>clients-per-query</strong></span>
+                        and
+                        <span class="command"><strong>max-clients-per-query</strong></span>
+                        options
+                        (see the description about
+                        <a class="xref" href="Bv9ARM.ch05.html#clients-per-query"><span class="command"><strong>clients-per-query</strong></span></a>.)
+                        This corresponds to the
+                        <span class="command"><strong>dropped</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryFailure</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Other query failures.
+                        This corresponds to the
+                        <span class="command"><strong>failure</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                        Note: this counter is provided mainly for
+                        backward compatibility with the previous versions.
+                        Normally a more fine-grained counters such as
+                        <span class="command"><strong>AuthQryRej</strong></span> and
+                        <span class="command"><strong>RecQryRej</strong></span>
+                        that would also fall into this counter are provided,
+                        and so this counter would not be of much
+                        interest in practice.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryNXRedir</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in NXDOMAIN that were redirected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryNXRedirRLookup</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in NXDOMAIN that were redirected
+                        and resulted in a successful remote lookup.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>XfrReqDone</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requested zone transfers completed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>UpdateReqFwd</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Update requests forwarded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>UpdateRespFwd</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Update responses forwarded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>UpdateFwdFail</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Dynamic update forward failed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>UpdateDone</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Dynamic updates completed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>UpdateFail</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Dynamic updates failed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>UpdateBadPrereq</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Dynamic updates rejected due to prerequisite failure.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>RateDropped</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Responses dropped by rate limits.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>RateSlipped</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Responses truncated by rate limits.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>RPZRewrites</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Response policy zone rewrites.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+          </div>
+
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="zone_stats"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
+
+            <div class="informaltable">
+              <table border="1">
+<colgroup>
+<col width="1.150in" class="1">
+<col width="3.350in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Description</em></span>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>NotifyOutv4</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 notifies sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>NotifyOutv6</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 notifies sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>NotifyInv4</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 notifies received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>NotifyInv6</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 notifies received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>NotifyRej</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Incoming notifies rejected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>SOAOutv4</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 SOA queries sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>SOAOutv6</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 SOA queries sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>AXFRReqv4</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 AXFR requested.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>AXFRReqv6</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 AXFR requested.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>IXFRReqv4</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 IXFR requested.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>IXFRReqv6</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 IXFR requested.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>XfrSuccess</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Zone transfer requests succeeded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>XfrFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Zone transfer requests failed.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+          </div>
+
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="resolver_stats"></a>Resolver Statistics Counters</h4></div></div></div>
+
+            <div class="informaltable">
+              <table border="1">
+<colgroup>
+<col width="1.150in" class="1">
+<col width="1.150in" class="2">
+<col width="3.350in" class="3">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>BIND8 Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Description</em></span>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Queryv4</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>SFwdQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 queries sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Queryv6</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>SFwdQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 queries sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Responsev4</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RR</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 responses received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Responsev6</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RR</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 responses received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>NXDOMAIN</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RNXD</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        NXDOMAIN received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>SERVFAIL</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        SERVFAIL received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>FORMERR</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RFErr</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        FORMERR received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>OtherError</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RErr</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Other errors received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>EDNS0Fail</strong></span></p>
+                                                 </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        EDNS(0) query failures.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Mismatch</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RDupR</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Mismatch responses received.
+                        The DNS ID, response's source address,
+                        and/or the response's source port does not
+                        match what was expected.
+                        (The port must be 53 or as defined by
+                        the <span class="command"><strong>port</strong></span> option.)
+                        This may be an indication of a cache
+                        poisoning attempt.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Truncated</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Truncated responses received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Lame</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>RLame</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Lame delegations received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>Retry</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>SDupQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Query retries performed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QueryAbort</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries aborted due to quota control.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QuerySockFail</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Failures in opening query sockets.
+                        One common reason for such failures is a
+                        failure of opening a new socket due to a
+                        limitation on file descriptors.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QueryTimeout</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Query timeouts.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>GlueFetchv4</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>SSysQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 NS address fetches invoked.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>GlueFetchv6</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong>SSysQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 NS address fetches invoked.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>GlueFetchv4Fail</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 NS address fetch failed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>GlueFetchv6Fail</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 NS address fetch failed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>ValAttempt</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        DNSSEC validation attempted.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>ValOk</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        DNSSEC validation succeeded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>ValNegOk</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        DNSSEC validation on negative information succeeded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>ValFail</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        DNSSEC validation failed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>QryRTTnn</strong></span></p>
+                    </td>
+<td>
+                      <p><span class="command"><strong></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Frequency table on round trip times (RTTs) of
+                        queries.
+                        Each <span class="command"><strong>nn</strong></span> specifies the corresponding
+                        frequency.
+                        In the sequence of
+                        <span class="command"><strong>nn_1</strong></span>,
+                        <span class="command"><strong>nn_2</strong></span>,
+                        ...,
+                        <span class="command"><strong>nn_m</strong></span>,
+                        the value of <span class="command"><strong>nn_i</strong></span> is the
+                        number of queries whose RTTs are between
+                        <span class="command"><strong>nn_(i-1)</strong></span> (inclusive) and
+                        <span class="command"><strong>nn_i</strong></span> (exclusive) milliseconds.
+                        For the sake of convenience we define
+                        <span class="command"><strong>nn_0</strong></span> to be 0.
+                        The last entry should be represented as
+                        <span class="command"><strong>nn_m+</strong></span>, which means the
+                        number of queries whose RTTs are equal to or over
+                        <span class="command"><strong>nn_m</strong></span> milliseconds.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+
+          </div>
+
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="socket_stats"></a>Socket I/O Statistics Counters</h4></div></div></div>
+
+            <p>
+              Socket I/O statistics counters are defined per socket
+              types, which are
+              <span class="command"><strong>UDP4</strong></span> (UDP/IPv4),
+              <span class="command"><strong>UDP6</strong></span> (UDP/IPv6),
+              <span class="command"><strong>TCP4</strong></span> (TCP/IPv4),
+              <span class="command"><strong>TCP6</strong></span> (TCP/IPv6),
+              <span class="command"><strong>Unix</strong></span> (Unix Domain), and
+              <span class="command"><strong>FDwatch</strong></span> (sockets opened outside the
+              socket module).
+              In the following table <span class="command"><strong>&lt;TYPE&gt;</strong></span>
+              represents a socket type.
+              Not all counters are available for all socket types;
+              exceptions are noted in the description field.
+            </p>
+
+            <div class="informaltable">
+              <table border="1">
+<colgroup>
+<col width="1.150in" class="1">
+<col width="3.350in" class="2">
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Description</em></span>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>&lt;TYPE&gt;Open</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Sockets opened successfully.
+                        This counter is not applicable to the
+                        <span class="command"><strong>FDwatch</strong></span> type.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>&lt;TYPE&gt;OpenFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Failures of opening sockets.
+                        This counter is not applicable to the
+                        <span class="command"><strong>FDwatch</strong></span> type.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>&lt;TYPE&gt;Close</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Sockets closed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>&lt;TYPE&gt;BindFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Failures of binding sockets.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>&lt;TYPE&gt;ConnFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Failures of connecting sockets.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>&lt;TYPE&gt;Conn</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Connections established successfully.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>&lt;TYPE&gt;AcceptFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Failures of accepting incoming connection requests.
+                        This counter is not applicable to the
+                        <span class="command"><strong>UDP</strong></span> and
+                        <span class="command"><strong>FDwatch</strong></span> types.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>&lt;TYPE&gt;Accept</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Incoming connections successfully accepted.
+                        This counter is not applicable to the
+                        <span class="command"><strong>UDP</strong></span> and
+                        <span class="command"><strong>FDwatch</strong></span> types.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>&lt;TYPE&gt;SendErr</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Errors in socket send operations.
+                        This counter corresponds
+                        to <span class="command"><strong>SErr</strong></span> counter of
+                        <span class="command"><strong>BIND</strong></span> 8.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span class="command"><strong>&lt;TYPE&gt;RecvErr</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Errors in socket receive operations.
+                        This includes errors of send operations on a
+                        connected UDP socket notified by an ICMP error
+                        message.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table>
+            </div>
+          </div>
+
+          <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="bind8_compatibility"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
+
+            <p>
+              Most statistics counters that were available
+              in <span class="command"><strong>BIND</strong></span> 8 are also supported in
+              <span class="command"><strong>BIND</strong></span> 9 as shown in the above tables.
+              Here are notes about other counters that do not appear
+              in these tables.
+            </p>
+
+            <div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>RFwdR,SFwdR</strong></span></span></dt>
+<dd>
+                  <p>
+                    These counters are not supported
+                    because <span class="command"><strong>BIND</strong></span> 9 does not adopt
+                    the notion of <span class="emphasis"><em>forwarding</em></span>
+                    as <span class="command"><strong>BIND</strong></span> 8 did.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>RAXFR</strong></span></span></dt>
+<dd>
+                  <p>
+                    This counter is accessible in the Incoming Queries section.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>RIQ</strong></span></span></dt>
+<dd>
+                  <p>
+                    This counter is accessible in the Incoming Requests section.
+                  </p>
+                </dd>
+<dt><span class="term"><span class="command"><strong>ROpts</strong></span></span></dt>
+<dd>
+                  <p>
+                    This counter is not supported
+                    because <span class="command"><strong>BIND</strong></span> 9 does not care
+                    about IP options in the first place.
+                  </p>
+                </dd>
+</dl></div>
+          </div>
+        </div>
+      </div>
+
     </div>
-  </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left" valign="top">Chapter 4. Advanced DNS Features </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</td>
+<td width="40%" align="right" valign="top"> Chapter 6. <acronym class="acronym">BIND</acronym> 9 Security Considerations</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 82beccfe6e802d5b3eb4a573486e55c5f4993474..03dd6961c781c4e09c94aaa5e44c53fbd447792e 100644 (file)
@@ -9,20 +9,20 @@
 <html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 5. BIND 9 Configuration Reference</title>
+<title>Chapter 6. BIND 9 Security Considerations</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
-<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 6. BIND 9 Security Considerations">
+<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. BIND 9 Configuration Reference">
+<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. Troubleshooting">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 5. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
+<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
+<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
 </td>
 </div>
 <div class="chapter">
 <div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch06"></a>Chapter 5. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h1></div></div></div>
+<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h1></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#Access_Control_Lists">Access Control Lists</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#comment_syntax">Comment Syntax</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and
-            Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
-            Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
-            and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
-            and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
-            Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_file">Zone File</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#mx_records">Discussion of MX Records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
 </dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl>
 </div>
 
-    <p>
-      <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
-      to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
-      areas
-      of configuration, such as views. <acronym class="acronym">BIND</acronym>
-      8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
-      9, although more complex configurations should be reviewed to check
-      if they can be more efficiently implemented using the new features
-      found in <acronym class="acronym">BIND</acronym> 9.
-    </p>
-
-    <p>
-      <acronym class="acronym">BIND</acronym> 4 configuration files can be
-      converted to the new format
-      using the shell script
-      <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
-    </p>
-    <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
-
-      <p>
-        Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
-        file documentation:
-      </p>
-      <div class="informaltable">
-        <table border="1">
-<colgroup>
-<col width="1.855in" class="1">
-<col width="3.770in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                <p>
-                  <code class="varname">acl_name</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  The name of an <code class="varname">address_match_list</code> as
-                  defined by the <span class="command"><strong>acl</strong></span> statement.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">address_match_list</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A list of one or more
-                  <code class="varname">ip_addr</code>,
-                  <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
-                  or <code class="varname">acl_name</code> elements, see
-                  <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">masters_list</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A named list of one or more <code class="varname">ip_addr</code>
-                  with optional <code class="varname">key_id</code> and/or
-                  <code class="varname">ip_port</code>.
-                  A <code class="varname">masters_list</code> may include other
-                  <code class="varname">masters_lists</code>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">domain_name</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A quoted string which will be used as
-                  a DNS name, for example "<code class="literal">my.test.domain</code>".
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">namelist</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A list of one or more <code class="varname">domain_name</code>
-                  elements.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">dotted_decimal</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  One to four integers valued 0 through
-                  255 separated by dots (`.'), such as <span class="command"><strong>123</strong></span>,
-                  <span class="command"><strong>45.67</strong></span> or <span class="command"><strong>89.123.45.67</strong></span>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip4_addr</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  An IPv4 address with exactly four elements
-                  in <code class="varname">dotted_decimal</code> notation.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip6_addr</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  An IPv6 address, such as <span class="command"><strong>2001:db8::1234</strong></span>.
-                  IPv6 scoped addresses that have ambiguity on their
-                  scope zones must be disambiguated by an appropriate
-                  zone ID with the percent character (`%') as
-                  delimiter.  It is strongly recommended to use
-                  string zone names rather than numeric identifiers,
-                  in order to be robust against system configuration
-                  changes.  However, since there is no standard
-                  mapping for such names and identifier values,
-                  currently only interface names as link identifiers
-                  are supported, assuming one-to-one mapping between
-                  interfaces and links.  For example, a link-local
-                  address <span class="command"><strong>fe80::1</strong></span> on the link
-                  attached to the interface <span class="command"><strong>ne0</strong></span>
-                  can be specified as <span class="command"><strong>fe80::1%ne0</strong></span>.
-                  Note that on most systems link-local addresses
-                  always have the ambiguity, and need to be
-                  disambiguated.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip_addr</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip_dscp</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A <code class="varname">number</code> between 0 and 63, used
-                  to select a differentiated services code point (DSCP)
-                  value for use with outgoing traffic on operating systems
-                  that support DSCP.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip_port</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  An IP port <code class="varname">number</code>.
-                  The <code class="varname">number</code> is limited to 0
-                  through 65535, with values
-                  below 1024 typically restricted to use by processes running
-                  as root.
-                  In some cases, an asterisk (`*') character can be used as a
-                  placeholder to
-                  select a random high-numbered port.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip_prefix</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  An IP network specified as an <code class="varname">ip_addr</code>,
-                  followed by a slash (`/') and then the number of bits in the
-                  netmask.
-                  Trailing zeros in a <code class="varname">ip_addr</code>
-                  may omitted.
-                  For example, <span class="command"><strong>127/8</strong></span> is the
-                  network <span class="command"><strong>127.0.0.0</strong></span> with
-                  netmask <span class="command"><strong>255.0.0.0</strong></span> and <span class="command"><strong>1.2.3.0/28</strong></span> is
-                  network <span class="command"><strong>1.2.3.0</strong></span> with netmask <span class="command"><strong>255.255.255.240</strong></span>.
-                </p>
-                <p>
-                  When specifying a prefix involving a IPv6 scoped address
-                  the scope may be omitted.  In that case the prefix will
-                  match packets from any scope.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">key_id</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A <code class="varname">domain_name</code> representing
-                  the name of a shared key, to be used for transaction
-                  security.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">key_list</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A list of one or more
-                  <code class="varname">key_id</code>s,
-                  separated by semicolons and ending with a semicolon.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">number</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A non-negative 32-bit integer
-                  (i.e., a number between 0 and 4294967295, inclusive).
-                  Its acceptable value might be further
-                  limited by the context in which it is used.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">fixedpoint</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A non-negative real number that can be specified to
-                  the nearest one hundredth.  Up to five digits can be
-                  specified before a decimal point, and up to two
-                  digits after, so the maximum value is 99999.99.
-                  Acceptable values might be further limited by the
-                  context in which it is used.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">path_name</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A quoted string which will be used as
-                  a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">port_list</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A list of an <code class="varname">ip_port</code> or a port
-                  range.
-                  A port range is specified in the form of
-                  <strong class="userinput"><code>range</code></strong> followed by
-                  two <code class="varname">ip_port</code>s,
-                  <code class="varname">port_low</code> and
-                  <code class="varname">port_high</code>, which represents
-                  port numbers from <code class="varname">port_low</code> through
-                  <code class="varname">port_high</code>, inclusive.
-                  <code class="varname">port_low</code> must not be larger than
-                  <code class="varname">port_high</code>.
-                  For example,
-                  <strong class="userinput"><code>range 1024 65535</code></strong> represents
-                  ports from 1024 through 65535.
-                  In either case an asterisk (`*') character is not
-                  allowed as a valid <code class="varname">ip_port</code>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">size_spec</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A 64-bit unsigned integer, or the keywords
-                  <strong class="userinput"><code>unlimited</code></strong> or
-                  <strong class="userinput"><code>default</code></strong>.
-                </p>
-                <p>
-                  Integers may take values
-                  0 &lt;= value &lt;= 18446744073709551615, though
-                  certain parameters
-                  (such as <span class="command"><strong>max-journal-size</strong></span>) may
-                  use a more limited range within these extremes.
-                  In most cases, setting a value to 0 does not
-                  literally mean zero; it means "undefined" or
-                  "as big as possible", depending on the context.
-                  See the explanations of particular parameters
-                  that use <code class="varname">size_spec</code>
-                  for details on how they interpret its use.
-                </p>
-                <p>
-                  Numeric values can optionally be followed by a
-                  scaling factor:
-                  <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
-                  for kilobytes,
-                  <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
-                  for megabytes, and
-                  <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
-                  for gigabytes, which scale by 1024, 1024*1024, and
-                  1024*1024*1024 respectively.
-                </p>
-                <p>
-                  <code class="varname">unlimited</code> generally means
-                  "as big as possible", and is usually the best
-                  way to safely set a very large number.
-                </p>
-                <p>
-                  <code class="varname">default</code>
-                  uses the limit that was in force when the server was started.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">size_or_percent</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="varname">size_spec</code> or integer value
-                  followed by '%' to represent percents.
-                </p>
-                <p>
-                  The behavior is exactly the same as
-                  <code class="varname">size_spec</code>, but
-                  <code class="varname">size_or_percent</code> allows also
-                  to specify a positive integer value followed by
-                  '%' sign to represent percents.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">yes_or_no</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
-                  The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
-                  also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
-                  and <strong class="userinput"><code>0</code></strong>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">dialup_option</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  One of <strong class="userinput"><code>yes</code></strong>,
-                  <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
-                  <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
-                  <strong class="userinput"><code>passive</code></strong>.
-                  When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
-                  <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
-                  are restricted to slave and stub zones.
-                </p>
-              </td>
-</tr>
-</tbody>
-</table>
-      </div>
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.6.4.4.2"></a>Syntax</h4></div></div></div>
-
-<pre class="programlisting"><em class="replaceable"><code>address_match_list</code></em> = <em class="replaceable"><code>address_match_list_element</code></em> <span class="command"><strong>;</strong></span> ...
-
-<em class="replaceable"><code>address_match_list_element</code></em> = [ <span class="command"><strong>!</strong></span> ] ( <em class="replaceable"><code>ip_address</code></em> | <em class="replaceable"><code>ip_prefix</code></em> |
-     <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_id</code></em> | <em class="replaceable"><code>acl_name</code></em> | <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> )
-</pre>
-
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.6.4.4.3"></a>Definition and Usage</h4></div></div></div>
-
-          <p>
-            Address match lists are primarily used to determine access
-            control for various server operations. They are also used in
-            the <span class="command"><strong>listen-on</strong></span> and <span class="command"><strong>sortlist</strong></span>
-            statements. The elements which constitute an address match
-            list can be any of the following:
-          </p>
-          <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-              an IP address (IPv4 or IPv6)
-            </li>
-<li class="listitem">
-              an IP prefix (in `/' notation)
-            </li>
-<li class="listitem">
-              
-                a key ID, as defined by the <span class="command"><strong>key</strong></span>
-                statement
-              
-            </li>
-<li class="listitem">
-              the name of an address match list defined with
-                the <span class="command"><strong>acl</strong></span> statement
-              
-            </li>
-<li class="listitem">
-              a nested address match list enclosed in braces
-            </li>
-</ul></div>
-
-          <p>
-            Elements can be negated with a leading exclamation mark (`!'),
-            and the match list names "any", "none", "localhost", and
-            "localnets" are predefined. More information on those names
-            can be found in the description of the acl statement.
-          </p>
-
-          <p>
-            The addition of the key clause made the name of this syntactic
-            element something of a misnomer, since security keys can be used
-            to validate access without regard to a host or network address.
-            Nonetheless, the term "address match list" is still used
-            throughout the documentation.
-          </p>
-
-          <p>
-            When a given IP address or prefix is compared to an address
-            match list, the comparison takes place in approximately O(1)
-            time.  However, key comparisons require that the list of keys
-            be traversed until a matching key is found, and therefore may
-            be somewhat slower.
-          </p>
-
-          <p>
-            The interpretation of a match depends on whether the list is being
-            used for access control, defining <span class="command"><strong>listen-on</strong></span> ports, or in a
-            <span class="command"><strong>sortlist</strong></span>, and whether the element was negated.
-          </p>
-
-          <p>
-            When used as an access control list, a non-negated match
-            allows access and a negated match denies access. If
-            there is no match, access is denied. The clauses
-            <span class="command"><strong>allow-notify</strong></span>,
-            <span class="command"><strong>allow-recursion</strong></span>,
-            <span class="command"><strong>allow-recursion-on</strong></span>,
-            <span class="command"><strong>allow-query</strong></span>,
-            <span class="command"><strong>allow-query-on</strong></span>,
-            <span class="command"><strong>allow-query-cache</strong></span>,
-            <span class="command"><strong>allow-query-cache-on</strong></span>,
-            <span class="command"><strong>allow-transfer</strong></span>,
-            <span class="command"><strong>allow-update</strong></span>,
-            <span class="command"><strong>allow-update-forwarding</strong></span>,
-            <span class="command"><strong>blackhole</strong></span>, and
-            <span class="command"><strong>keep-response-order</strong></span> all use address match
-            lists.  Similarly, the <span class="command"><strong>listen-on</strong></span> option will cause the
-            server to refuse queries on any of the machine's
-            addresses which do not match the list.
-          </p>
-
-          <p>
-            Order of insertion is significant.  If more than one element
-            in an ACL is found to match a given IP address or prefix,
-            preference will be given to the one that came
-            <span class="emphasis"><em>first</em></span> in the ACL definition.
-            Because of this first-match behavior, an element that
-            defines a subset of another element in the list should
-            come before the broader element, regardless of whether
-            either is negated. For example, in
-            <span class="command"><strong>1.2.3/24; ! 1.2.3.13;</strong></span>
-            the 1.2.3.13 element is completely useless because the
-            algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
-            element.  Using <span class="command"><strong>! 1.2.3.13; 1.2.3/24</strong></span> fixes
-            that problem by having 1.2.3.13 blocked by the negation, but
-            all other 1.2.3.* hosts fall through.
-          </p>
-        </div>
-      </div>
-
       <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="comment_syntax"></a>Comment Syntax</h3></div></div></div>
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
 
         <p>
-          The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
-          comments to appear
-          anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
-          file. To appeal to programmers of all kinds, they can be written
-          in the C, C++, or shell/perl style.
+          Access Control Lists (ACLs) are address match lists that
+          you can set up and nickname for future use in
+          <span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
+          <span class="command"><strong>allow-query-on</strong></span>, <span class="command"><strong>allow-recursion</strong></span>,
+          <span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
+          <span class="command"><strong>match-clients</strong></span>, etc.
+        </p>
+        <p>
+          Using ACLs allows you to have finer control over who can access
+          your name server, without cluttering up your config files with huge
+          lists of IP addresses.
+        </p>
+        <p>
+          It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
+          control access to your server. Limiting access to your server by
+          outside parties can help prevent spoofing and denial of service
+          (DoS) attacks against your server.
+        </p>
+        <p>
+          ACLs match clients on the basis of up to three characteristics:
+          1) The client's IP address; 2) the TSIG or SIG(0) key that was
+          used to sign the request, if any; and 3) an address prefix
+          encoded in an EDNS Client Subnet option, if any.
+        </p>
+        <p>
+          Here is an example of ACLs based on client addresses:
         </p>
 
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.6.4.5.3"></a>Syntax</h4></div></div></div>
-
-          <p>
-            </p>
-<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
-<p>
-            </p>
-<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
-<p>
-            </p>
-<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
-# and perl</pre>
-<p>
-          </p>
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.6.4.5.4"></a>Definition and Usage</h4></div></div></div>
-
-          <p>
-            Comments may appear anywhere that whitespace may appear in
-            a <acronym class="acronym">BIND</acronym> configuration file.
-          </p>
-          <p>
-            C-style comments start with the two characters /* (slash,
-            star) and end with */ (star, slash). Because they are completely
-            delimited with these characters, they can be used to comment only
-            a portion of a line or to span multiple lines.
-          </p>
-          <p>
-            C-style comments cannot be nested. For example, the following
-            is not valid because the entire comment ends with the first */:
-          </p>
-          <p>
-
-</p>
-<pre class="programlisting">/* This is the start of a comment.
-   This is still part of the comment.
-/* This is an incorrect attempt at nesting a comment. */
-   This is no longer in any comment. */
-</pre>
-<p>
-
-          </p>
-
-          <p>
-            C++-style comments start with the two characters // (slash,
-            slash) and continue to the end of the physical line. They cannot
-            be continued across multiple physical lines; to have one logical
-            comment span multiple lines, each line must use the // pair.
-            For example:
-          </p>
-          <p>
-
-</p>
-<pre class="programlisting">// This is the start of a comment.  The next line
-// is a new comment, even though it is logically
-// part of the previous comment.
-</pre>
-<p>
-
-          </p>
-          <p>
-            Shell-style (or perl-style, if you prefer) comments start
-            with the character <code class="literal">#</code> (number sign)
-            and continue to the end of the
-            physical line, as in C++ comments.
-            For example:
-          </p>
-
-          <p>
-
-</p>
-<pre class="programlisting"># This is the start of a comment.  The next line
-# is a new comment, even though it is logically
-# part of the previous comment.
-</pre>
-<p>
-
-          </p>
-
-          <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-            <p>
-              You cannot use the semicolon (`;') character
-              to start a comment such as you would in a zone file. The
-              semicolon indicates the end of a configuration
-              statement.
-            </p>
-          </div>
-        </div>
-      </div>
-    </div>
-
-    <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
-
-      <p>
-        A <acronym class="acronym">BIND</acronym> 9 configuration consists of
-        statements and comments.
-        Statements end with a semicolon. Statements and comments are the
-        only elements that can appear without enclosing braces. Many
-        statements contain a block of sub-statements, which are also
-        terminated with a semicolon.
-      </p>
-
-      <p>
-        The following statements are supported:
-      </p>
-
-      <div class="informaltable">
-        <table border="1">
-<colgroup>
-<col width="1.336in" class="1">
-<col width="3.778in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                <p><span class="command"><strong>acl</strong></span></p>
-              </td>
-<td>
-                <p>
-                  defines a named IP address
-                  matching list, for access control and other uses.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>controls</strong></span></p>
-              </td>
-<td>
-                <p>
-                  declares control channels to be used
-                  by the <span class="command"><strong>rndc</strong></span> utility.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>include</strong></span></p>
-              </td>
-<td>
-                <p>
-                  includes a file.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>key</strong></span></p>
-              </td>
-<td>
-                <p>
-                  specifies key information for use in
-                  authentication and authorization using TSIG.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>logging</strong></span></p>
-              </td>
-<td>
-                <p>
-                  specifies what the server logs, and where
-                  the log messages are sent.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>masters</strong></span></p>
-              </td>
-<td>
-                <p>
-                  defines a named masters list for
-                  inclusion in stub and slave zones'
-                  <span class="command"><strong>masters</strong></span> or
-                  <span class="command"><strong>also-notify</strong></span> lists.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>options</strong></span></p>
-              </td>
-<td>
-                <p>
-                  controls global server configuration
-                  options and sets defaults for other statements.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>server</strong></span></p>
-              </td>
-<td>
-                <p>
-                  sets certain configuration options on
-                  a per-server basis.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>statistics-channels</strong></span></p>
-              </td>
-<td>
-                <p>
-                  declares communication channels to get access to
-                  <span class="command"><strong>named</strong></span> statistics.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>trusted-keys</strong></span></p>
-              </td>
-<td>
-                <p>
-                  defines trusted DNSSEC keys.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>managed-keys</strong></span></p>
-              </td>
-<td>
-                <p>
-                  lists DNSSEC keys to be kept up to date
-                  using RFC 5011 trust anchor maintenance.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>view</strong></span></p>
-              </td>
-<td>
-                <p>
-                  defines a view.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span class="command"><strong>zone</strong></span></p>
-              </td>
-<td>
-                <p>
-                  defines a zone.
-                </p>
-              </td>
-</tr>
-</tbody>
-</table>
-      </div>
+<pre class="programlisting">
+// Set up an ACL named "bogusnets" that will block
+// RFC1918 space and some reserved space, which is
+// commonly used in spoofing attacks.
+acl bogusnets {
+        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
+        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
+};
 
-      <p>
-        The <span class="command"><strong>logging</strong></span> and
-        <span class="command"><strong>options</strong></span> statements may only occur once
-        per
-        configuration.
-      </p>
+// Set up an ACL called our-nets. Replace this with the
+// real IP numbers.
+acl our-nets { x.x.x.x/24; x.x.x.x/21; };
+options {
+  ...
+  ...
+  allow-query { our-nets; };
+  allow-recursion { our-nets; };
+  ...
+  blackhole { bogusnets; };
+  ...
+};
 
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="acl_grammar"></a><span class="command"><strong>acl</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
-<span class="command"><strong>acl</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+zone "example.com" {
+  type master;
+  file "m/example.com";
+  allow-query { any; };
+};
 </pre>
-      </div>
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="acl"></a><span class="command"><strong>acl</strong></span> Statement Definition and
-          Usage</h3></div></div></div>
 
         <p>
-          The <span class="command"><strong>acl</strong></span> statement assigns a symbolic
-          name to an address match list. It gets its name from a primary
-          use of address match lists: Access Control Lists (ACLs).
+          This allows authoritative queries for "example.com" from any
+          address, but recursive queries only from the networks specified
+          in "our-nets", and no queries at all from the networks
+          specified in "bogusnets".
         </p>
-
         <p>
-          The following ACLs are built-in:
+          In addition to network addresses and prefixes, which are
+          matched against the source address of the DNS request, ACLs
+          may include <code class="option">key</code> elements, which specify the
+          name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
+          elements, which specify a network prefix but are only matched
+          if that prefix matches an EDNS client subnet option included
+          in the request.
+        </p>
+        <p>
+          The EDNS Client Subnet (ECS) option is used by a recursive
+          resolver to inform an authoritative name server of the network
+          address block from which the original query was received, enabling
+          authoritative servers to give different answers to the same
+          resolver for different resolver clients.  An ACL containing
+          an element of the form
+          <span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
+          will match if a request arrives in containing an ECS option
+          encoding an address within that prefix.  If the request has no
+          ECS option, then "ecs" elements are simply ignored.  Addresses
+          in ACLs that are not prefixed with "ecs" are matched only
+          against the source address.
+        </p>
+        <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+          <p>
+            (Note: The authoritative ECS implementation in
+            <span class="command"><strong>named</strong></span> is based on an early version of the
+            specification, and is known to have incompatibilities with
+            other implementations.  It is also inefficient, requiring
+            a separate view for each client subnet to be sent different
+            answers, and it is unable to correct for overlapping subnets in
+            the configuration.  It can be used for testing purposes, but is
+            not recommended for production use.)
+          </p>
+        </div>
+        <p>
+          When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
+          ACLs can also be used for geographic access restrictions.
+          This is done by specifying an ACL element of the form:
+          <span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
+        </p>
+        <p>
+          The <em class="replaceable"><code>field</code></em> indicates which field
+          to search for a match.  Available fields are "country",
+          "region", "city", "continent", "postal" (postal code),
+          "metro" (metro code), "area" (area code), "tz" (timezone),
+          "isp", "org", "asnum", "domain" and "netspeed".
+        </p>
+        <p>
+          <em class="replaceable"><code>value</code></em> is the value to search
+          for within the database.  A string may be quoted if it
+          contains spaces or other special characters.  If this is
+          an "asnum" search, then the leading "ASNNNN" string can be
+          used, otherwise the full description must be used (e.g.
+          "ASNNNN Example Company Name").  If this is a "country"
+          search and the string is two characters long, then it must
+          be a standard ISO-3166-1 two-letter country code, and if it
+          is three characters long then it must be an ISO-3166-1
+          three-letter country code; otherwise it is the full name
+          of the country.  Similarly, if this is a "region" search
+          and the string is two characters long, then it must be a
+          standard two-letter state or province abbreviation;
+          otherwise it is the full name of the state or province.
+        </p>
+        <p>
+          The <em class="replaceable"><code>database</code></em> field indicates which
+          GeoIP database to search for a match.  In most cases this is
+          unnecessary, because most search fields can only be found in
+          a single database.  However, searches for country can be
+          answered from the "city", "region", or "country" databases,
+          and searches for region (i.e., state or province) can be
+          answered from the "city" or "region" databases.  For these
+          search types, specifying a <em class="replaceable"><code>database</code></em>
+          will force the query to be answered from that database and no
+          other.  If <em class="replaceable"><code>database</code></em> is not
+          specified, then these queries will be answered from the "city",
+          database if it is installed, or the "region" database if it is
+          installed, or the "country" database, in that order.
+        </p>
+        <p>
+          By default, if a DNS query includes an EDNS Client Subnet (ECS)
+          option which encodes a non-zero address prefix, then GeoIP ACLs
+          will be matched against that address prefix.  Otherwise, they
+          are matched against the source address of the query.  To
+          prevent GeoIP ACLs from matching against ECS options, set
+          the <span class="command"><strong>geoip-use-ecs</strong></span> to <code class="literal">no</code>.
+        </p>
+        <p>
+          Some example GeoIP ACLs:
+        </p>
+        <pre class="programlisting">geoip country US;
+geoip country JAP;
+geoip db country country Canada;
+geoip db region region WA;
+geoip city "San Francisco";
+geoip region Oklahoma;
+geoip postal 95062;
+geoip tz "America/Los_Angeles";
+geoip org "Internet Systems Consortium";
+</pre>
+
+        <p>
+          ACLs use a "first-match" logic rather than "best-match":
+          if an address prefix matches an ACL element, then that ACL
+          is considered to have matched even if a later element would
+          have matched more specifically.  For example, the ACL
+          <span class="command"><strong> { 10/8; !10.0.0.1; }</strong></span> would actually
+          match a query from 10.0.0.1, because the first element
+          indicated that the query should be accepted, and the second
+          element is ignored.
+        </p>
+        <p>
+          When using "nested" ACLs (that is, ACLs included or referenced
+          within other ACLs), a negative match of a nested ACL will
+          the containing ACL to continue looking for matches.  This
+          enables complex ACLs to be constructed, in which multiple
+          client characteristics can be checked at the same time. For
+          example, to construct an ACL which allows queries only when
+          it originates from a particular network <span class="emphasis"><em>and</em></span>
+          only when it is signed with a particular key, use:
         </p>
-
-        <div class="informaltable">
-          <table border="1">
-<colgroup>
-<col width="1.130in" class="1">
-<col width="4.000in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                  <p><span class="command"><strong>any</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Matches all hosts.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p><span class="command"><strong>none</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Matches no hosts.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p><span class="command"><strong>localhost</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Matches the IPv4 and IPv6 addresses of all network
-                    interfaces on the system.  When addresses are
-                    added or removed, the <span class="command"><strong>localhost</strong></span>
-                    ACL element is updated to reflect the changes.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p><span class="command"><strong>localnets</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Matches any host on an IPv4 or IPv6 network
-                    for which the system has an interface.
-                    When addresses are added or removed,
-                    the <span class="command"><strong>localnets</strong></span>
-                    ACL element is updated to reflect the changes.
-                    Some systems do not provide a way to determine the prefix
-                    lengths of
-                    local IPv6 addresses.
-                    In such a case, <span class="command"><strong>localnets</strong></span>
-                    only matches the local
-                    IPv6 addresses, just like <span class="command"><strong>localhost</strong></span>.
-                  </p>
-                </td>
-</tr>
-</tbody>
-</table>
-        </div>
-      </div>
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="controls_grammar"></a><span class="command"><strong>controls</strong></span> Statement Grammar</h3></div></div></div>
         <pre class="programlisting">
-<span class="command"><strong>controls</strong></span> {
-       <span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
-           * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] allow
-           { <em class="replaceable"><code>address_match_element</code></em>; ... } [
-           <span class="command"><strong>keys</strong></span> { <em class="replaceable"><code>string</code></em>; ... } ] [ read-only
-           <em class="replaceable"><code>boolean</code></em> ];
-       <span class="command"><strong>unix</strong></span> <em class="replaceable"><code>quoted_string</code></em> perm <em class="replaceable"><code>integer</code></em>
-           <span class="command"><strong>owner</strong></span> <em class="replaceable"><code>integer</code></em> group <em class="replaceable"><code>integer</code></em> [
-           <span class="command"><strong>keys</strong></span> { <em class="replaceable"><code>string</code></em>; ... } ] [ read-only
-           <em class="replaceable"><code>boolean</code></em> ];
-};
+allow-query { !{ !10/8; any; }; key example; };
 </pre>
+        <p>
+          Within the nested ACL, any address that is
+          <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
+          be rejected, and this will terminate processing of the
+          ACL.  Any address that <span class="emphasis"><em>is</em></span> in the 10/8
+          network prefix will be accepted, but this causes a negative
+          match of the nested ACL, so the containing ACL continues
+          processing. The query will then be accepted if it is signed
+          by the key "example", and rejected otherwise.  The ACL, then,
+          will only matches when <span class="emphasis"><em>both</em></span> conditions
+          are true.
+        </p>
       </div>
 
       <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="controls_statement_definition_and_usage"></a><span class="command"><strong>controls</strong></span> Statement Definition and
-          Usage</h3></div></div></div>
-
-        <p>
-          The <span class="command"><strong>controls</strong></span> statement declares control
-          channels to be used by system administrators to control the
-          operation of the name server. These control channels are
-          used by the <span class="command"><strong>rndc</strong></span> utility to send
-          commands to and retrieve non-DNS results from a name server.
-        </p>
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="chroot_and_setuid"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
+</h2></div></div></div>
 
         <p>
-          An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
-          listening at the specified <span class="command"><strong>ip_port</strong></span> on the
-          specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
-          address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
-          interpreted as the IPv4 wildcard address; connections will be
-          accepted on any of the system's IPv4 addresses.
-          To listen on the IPv6 wildcard address,
-          use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
-          If you will only use <span class="command"><strong>rndc</strong></span> on the local host,
-          using the loopback address (<code class="literal">127.0.0.1</code>
-          or <code class="literal">::1</code>) is recommended for maximum security.
+          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
+          in a <span class="emphasis"><em>chrooted</em></span> environment (using
+          the <span class="command"><strong>chroot()</strong></span> function) by specifying
+          the <code class="option">-t</code> option for <span class="command"><strong>named</strong></span>.
+          This can help improve system security by placing
+          <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
+          the damage done if a server is compromised.
         </p>
-
         <p>
-          If no port is specified, port 953 is used. The asterisk
-          "<code class="literal">*</code>" cannot be used for <span class="command"><strong>ip_port</strong></span>.
+          Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
+          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
+          We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
         </p>
-
         <p>
-          The ability to issue commands over the control channel is
-          restricted by the <span class="command"><strong>allow</strong></span> and
-          <span class="command"><strong>keys</strong></span> clauses.
-          Connections to the control channel are permitted based on the
-          <span class="command"><strong>address_match_list</strong></span>.  This is for simple
-          IP address based filtering only; any <span class="command"><strong>key_id</strong></span>
-          elements of the <span class="command"><strong>address_match_list</strong></span>
-          are ignored.
+          Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
+          <span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
+          user 202:
         </p>
-
         <p>
-          A <span class="command"><strong>unix</strong></span> control channel is a UNIX domain
-          socket listening at the specified path in the file system.
-          Access to the socket is specified by the <span class="command"><strong>perm</strong></span>,
-          <span class="command"><strong>owner</strong></span> and <span class="command"><strong>group</strong></span> clauses.
-          Note on some platforms (SunOS and Solaris) the permissions
-          (<span class="command"><strong>perm</strong></span>) are applied to the parent directory
-          as the permissions on the socket itself are ignored.
+          <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
         </p>
 
-        <p>
-          The primary authorization mechanism of the command
-          channel is the <span class="command"><strong>key_list</strong></span>, which
-          contains a list of <span class="command"><strong>key_id</strong></span>s.
-          Each <span class="command"><strong>key_id</strong></span> in the <span class="command"><strong>key_list</strong></span>
-          is authorized to execute commands over the control channel.
-          See <a class="xref" href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a class="xref" href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
-          for information about configuring keys in <span class="command"><strong>rndc</strong></span>.
-        </p>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="chroot"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
 
-        <p>
-          If the <span class="command"><strong>read-only</strong></span> clause is enabled, the
-          control channel is limited to the following set of read-only
-          commands: <span class="command"><strong>nta -dump</strong></span>,
-          <span class="command"><strong>null</strong></span>, <span class="command"><strong>status</strong></span>,
-          <span class="command"><strong>showzone</strong></span>, <span class="command"><strong>testgen</strong></span>, and
-          <span class="command"><strong>zonestatus</strong></span>. By default,
-          <span class="command"><strong>read-only</strong></span> is not enabled and the control
-          channel allows read-write access.
-        </p>
+          <p>
+            In order for a <span class="command"><strong>chroot</strong></span> environment
+            to work properly in a particular directory (for example,
+            <code class="filename">/var/named</code>), you will need to set
+            up an environment that includes everything
+            <acronym class="acronym">BIND</acronym> needs to run.  From
+            <acronym class="acronym">BIND</acronym>'s point of view,
+            <code class="filename">/var/named</code> is the root of the
+            filesystem.  You will need to adjust the values of
+            options like <span class="command"><strong>directory</strong></span> and
+            <span class="command"><strong>pid-file</strong></span> to account for this.
+          </p>
+          <p>
+            Unlike with earlier versions of BIND, you typically will
+            <span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
+            statically nor install shared libraries under the new root.
+            However, depending on your operating system, you may need
+            to set up things like
+            <code class="filename">/dev/zero</code>,
+            <code class="filename">/dev/random</code>,
+            <code class="filename">/dev/log</code>, and
+            <code class="filename">/etc/localtime</code>.
+          </p>
+        </div>
 
-        <p>
-          If no <span class="command"><strong>controls</strong></span> statement is present,
-          <span class="command"><strong>named</strong></span> will set up a default
-          control channel listening on the loopback address 127.0.0.1
-          and its IPv6 counterpart ::1.
-          In this case, and also when the <span class="command"><strong>controls</strong></span> statement
-          is present but does not have a <span class="command"><strong>keys</strong></span> clause,
-          <span class="command"><strong>named</strong></span> will attempt to load the command channel key
-          from the file <code class="filename">rndc.key</code> in
-          <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
-          was specified as when <acronym class="acronym">BIND</acronym> was built).
-          To create a <code class="filename">rndc.key</code> file, run
-          <strong class="userinput"><code>rndc-confgen -a</code></strong>.
-        </p>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="setuid"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>
 
-        <p>
-          The <code class="filename">rndc.key</code> feature was created to
-          ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
-          which did not have digital signatures on its command channel
-          messages and thus did not have a <span class="command"><strong>keys</strong></span> clause.
+          <p>
+            Prior to running the <span class="command"><strong>named</strong></span> daemon,
+            use
+            the <span class="command"><strong>touch</strong></span> utility (to change file
+            access and
+            modification times) or the <span class="command"><strong>chown</strong></span>
+            utility (to
+            set the user id and/or group id) on files
+            to which you want <acronym class="acronym">BIND</acronym>
+            to write.
+          </p>
+          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+            If the <span class="command"><strong>named</strong></span> daemon is running as an
+            unprivileged user, it will not be able to bind to new restricted
+            ports if the server is reloaded.
+          </p>
+</div>
+        </div>
+      </div>
 
-          It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
-          configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
-          and still have <span class="command"><strong>rndc</strong></span> work the same way
-          <span class="command"><strong>ndc</strong></span> worked in BIND 8, simply by executing the
-          command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
-          installed.
-        </p>
+      <div class="section">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
 
         <p>
-          Since the <code class="filename">rndc.key</code> feature
-          is only intended to allow the backward-compatible usage of
-          <acronym class="acronym">BIND</acronym> 8 configuration files, this
-          feature does not
-          have a high degree of configurability.  You cannot easily change
-          the key name or the size of the secret, so you should make a
-          <code class="filename">rndc.conf</code> with your own key if you
-          wish to change
-          those things.  The <code class="filename">rndc.key</code> file
-          also has its
-          permissions set such that only the owner of the file (the user that
-          <span class="command"><strong>named</strong></span> is running as) can access it.
-          If you
-          desire greater flexibility in allowing other users to access
-          <span class="command"><strong>rndc</strong></span> commands, then you need to create
-          a
-          <code class="filename">rndc.conf</code> file and make it group
-          readable by a group
-          that contains the users who should have access.
+          Access to the dynamic
+          update facility should be strictly limited.  In earlier versions of
+          <acronym class="acronym">BIND</acronym>, the only way to do this was
+          based on the IP
+          address of the host requesting the update, by listing an IP address
+          or
+          network prefix in the <span class="command"><strong>allow-update</strong></span>
+          zone option.
+          This method is insecure since the source address of the update UDP
+          packet
+          is easily forged.  Also note that if the IP addresses allowed by the
+          <span class="command"><strong>allow-update</strong></span> option include the
+          address of a slave
+          server which performs forwarding of dynamic updates, the master can
+          be
+          trivially attacked by sending the update to the slave, which will
+          forward it to the master with its own source IP address causing the
+          master to approve it without question.
         </p>
 
         <p>
-          To disable the command channel, use an empty
-          <span class="command"><strong>controls</strong></span> statement:
-          <span class="command"><strong>controls { };</strong></span>.
+          For these reasons, we strongly recommend that updates be
+          cryptographically authenticated by means of transaction signatures
+          (TSIG).  That is, the <span class="command"><strong>allow-update</strong></span>
+          option should
+          list only TSIG key names, not IP addresses or network
+          prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span>
+          option can be used.
         </p>
 
-      </div>
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="include_grammar"></a><span class="command"><strong>include</strong></span> Statement Grammar</h3></div></div></div>
-
-        <pre class="programlisting"><span class="command"><strong>include</strong></span> <em class="replaceable"><code>filename</code></em><span class="command"><strong>;</strong></span></pre>
-      </div>
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="include_statement"></a><span class="command"><strong>include</strong></span> Statement Definition and Usage</h3></div></div></div>
-
         <p>
-          The <span class="command"><strong>include</strong></span> statement inserts the
-          specified file at the point where the <span class="command"><strong>include</strong></span>
-          statement is encountered. The <span class="command"><strong>include</strong></span>
-                statement facilitates the administration of configuration
-          files
-          by permitting the reading or writing of some things but not
-          others. For example, the statement could include private keys
-          that are readable only by the name server.
+          Some sites choose to keep all dynamically-updated DNS data
+          in a subdomain and delegate that subdomain to a separate zone. This
+          way, the top-level zone containing critical data such as the IP
+          addresses
+          of public web and mail servers need not allow dynamic update at
+          all.
         </p>
 
       </div>
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="key_grammar"></a><span class="command"><strong>key</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
-<span class="command"><strong>key</strong></span> <em class="replaceable"><code>string</code></em> {
-       <span class="command"><strong>algorithm</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>secret</strong></span> <em class="replaceable"><code>string</code></em>;
-};
-</pre>
-      </div>
-
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="key_statement"></a><span class="command"><strong>key</strong></span> Statement Definition and Usage</h3></div></div></div>
-
-        <p>
-          The <span class="command"><strong>key</strong></span> statement defines a shared
-          secret key for use with TSIG (see <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-          or the command channel
-          (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
-          Usage&#8221;</a>).
-        </p>
-
-        <p>
-          The <span class="command"><strong>key</strong></span> statement can occur at the
-          top level
-          of the configuration file or inside a <span class="command"><strong>view</strong></span>
-          statement.  Keys defined in top-level <span class="command"><strong>key</strong></span>
-          statements can be used in all views.  Keys intended for use in
-          a <span class="command"><strong>controls</strong></span> statement
-          (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
-          Usage&#8221;</a>)
-          must be defined at the top level.
-        </p>
-
-        <p>
-          The <em class="replaceable"><code>key_id</code></em>, also known as the
-          key name, is a domain name uniquely identifying the key. It can
-          be used in a <span class="command"><strong>server</strong></span>
-          statement to cause requests sent to that
-          server to be signed with this key, or in address match lists to
-          verify that incoming requests have been signed with a key
-          matching this name, algorithm, and secret.
-        </p>
-
-        <p>
-          The <em class="replaceable"><code>algorithm_id</code></em> is a string
-          that specifies a security/authentication algorithm.  The
-          <span class="command"><strong>named</strong></span> server supports <code class="literal">hmac-md5</code>,
-          <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
-          <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
-          and <code class="literal">hmac-sha512</code> TSIG authentication.
-          Truncated hashes are supported by appending the minimum
-          number of required bits preceded by a dash, e.g.
-          <code class="literal">hmac-sha1-80</code>.  The
-          <em class="replaceable"><code>secret_string</code></em> is the secret
-          to be used by the algorithm, and is treated as a Base64
-          encoded string.
-        </p>
-
-      </div>
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="logging_grammar"></a><span class="command"><strong>logging</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
-<span class="command"><strong>logging</strong></span> {
-       <span class="command"><strong>category</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };
-       <span class="command"><strong>channel</strong></span> <em class="replaceable"><code>string</code></em> {
-               <span class="command"><strong>buffered</strong></span> <em class="replaceable"><code>boolean</code></em>;
-               <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em> [ versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) ]
-                   [ size <em class="replaceable"><code>size</code></em> ] [ suffix ( increment | timestamp ) ];
-               <span class="command"><strong>null</strong></span>;
-               <span class="command"><strong>print-category</strong></span> <em class="replaceable"><code>boolean</code></em>;
-               <span class="command"><strong>print-severity</strong></span> <em class="replaceable"><code>boolean</code></em>;
-               <span class="command"><strong>print-time</strong></span> ( iso8601 | iso8601-utc | local | <em class="replaceable"><code>boolean</code></em> );
-               <span class="command"><strong>severity</strong></span> <em class="replaceable"><code>log_severity</code></em>;
-               <span class="command"><strong>stderr</strong></span>;
-               <span class="command"><strong>syslog</strong></span> [ <em class="replaceable"><code>syslog_facility</code></em> ];
-       };
-};
-</pre>
-      </div>
-
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="logging_statement"></a><span class="command"><strong>logging</strong></span> Statement Definition and Usage</h3></div></div></div>
-
-        <p>
-          The <span class="command"><strong>logging</strong></span> statement configures a
-          wide
-          variety of logging options for the name server. Its <span class="command"><strong>channel</strong></span> phrase
-          associates output methods, format options and severity levels with
-          a name that can then be used with the <span class="command"><strong>category</strong></span> phrase
-          to select how various classes of messages are logged.
-        </p>
-        <p>
-          Only one <span class="command"><strong>logging</strong></span> statement is used to
-          define
-          as many channels and categories as are wanted. If there is no <span class="command"><strong>logging</strong></span> statement,
-          the logging configuration will be:
-        </p>
-
-<pre class="programlisting">logging {
-     category default { default_syslog; default_debug; };
-     category unmatched { null; };
-};
-</pre>
-
-        <p>
-          If <span class="command"><strong>named</strong></span> is started with the
-          <code class="option">-L</code> option, it logs to the specified file
-          at startup, instead of using syslog. In this case the logging
-          configuration will be:
-        </p>
-
-<pre class="programlisting">logging {
-     category default { default_logfile; default_debug; };
-     category unmatched { null; };
-};
-</pre>
-
-        <p>
-          In <acronym class="acronym">BIND</acronym> 9, the logging configuration
-          is only established when
-          the entire configuration file has been parsed.  In <acronym class="acronym">BIND</acronym> 8, it was
-          established as soon as the <span class="command"><strong>logging</strong></span>
-          statement
-          was parsed. When the server is starting up, all logging messages
-          regarding syntax errors in the configuration file go to the default
-          channels, or to standard error if the <code class="option">-g</code> option
-          was specified.
-        </p>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="channel"></a>The <span class="command"><strong>channel</strong></span> Phrase</h4></div></div></div>
-
-          <p>
-            All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
-            you can make as many of them as you want.
-          </p>
-
-          <p>
-            Every channel definition must include a destination clause that
-            says whether messages selected for the channel go to a file, to a
-            particular syslog facility, to the standard error stream, or are
-            discarded. It can optionally also limit the message severity level
-            that will be accepted by the channel (the default is
-            <span class="command"><strong>info</strong></span>), and whether to include a
-            <span class="command"><strong>named</strong></span>-generated time stamp, the
-            category name
-            and/or severity level (the default is not to include any).
-          </p>
-
-          <p>
-            The <span class="command"><strong>null</strong></span> destination clause
-            causes all messages sent to the channel to be discarded;
-            in that case, other options for the channel are meaningless.
-          </p>
-
-          <p>
-            The <span class="command"><strong>file</strong></span> destination clause directs
-            the channel to a disk file.  It can include additional
-            arguments to specify how large the file is allowed to
-            become before it is rolled to a backup file
-            (<span class="command"><strong>size</strong></span>), how many backup versions of
-            the file will be saved each time this happens
-            (<span class="command"><strong>versions</strong></span>), and the format to use
-            for naming backup versions (<span class="command"><strong>suffix</strong></span>).
-          </p>
-
-          <p>
-            The <span class="command"><strong>size</strong></span> option is used to limit
-            log file growth. If the file ever exceeds the specified
-            size, then <span class="command"><strong>named</strong></span> will stop writing to the
-            file unless it has a <span class="command"><strong>versions</strong></span> option
-            associated with it. If backup versions are kept, the files
-            are rolled as described below.  If there is no
-            <span class="command"><strong>versions</strong></span> option, no more data will
-            be written to the log until some out-of-band mechanism
-            removes or truncates the log to less than the maximum size.
-            The default behavior is not to limit the size of the file.
-          </p>
-          <p>
-            File rolling only occurs when the file exceeds the size
-            specified with the <span class="command"><strong>size</strong></span> option. No
-            backup versions are kept by default; any existing
-            log file is simply appended.  The
-            <span class="command"><strong>versions</strong></span> option specifies
-            how many backup versions of the file should be kept.
-            If set to <code class="literal">unlimited</code>, there is no limit.
-          </p>
-          <p>
-            The <span class="command"><strong>suffix</strong></span> option can be set to
-            either <code class="literal">increment</code> or
-            <code class="literal">timestamp</code>.  If set to
-            <code class="literal">timestamp</code>, then when a log file is
-            rolled, it is saved with the current timestamp as a
-            file suffix. If set to <code class="literal">increment</code>,
-            then backup files are saved with incrementing numbers
-            as suffixes; older files are renamed when rolling.
-            For example, if <span class="command"><strong>versions</strong></span>
-            is set to 3 and <span class="command"><strong>suffix</strong></span> to
-            <code class="literal">increment</code>, then when
-            <code class="filename">filename.log</code> reaches the size
-            specified by <span class="command"><strong>size</strong></span>,
-            <code class="filename">filename.log.1</code> is renamed to
-            <code class="filename">filename.log.2</code>,
-            <code class="filename">filename.log.0</code> is renamed
-            to <code class="filename">filename.log.1</code>,
-            and <code class="filename">filename.log</code> is
-            renamed to <code class="filename">filename.log.0</code>,
-            whereupon a new <code class="filename">filename.log</code> is
-            opened.
-          </p>
-
-          <p>
-            Example usage of the <span class="command"><strong>size</strong></span>,
-            <span class="command"><strong>versions</strong></span>, and <span class="command"><strong>suffix</strong></span>
-            options:
-          </p>
-
-<pre class="programlisting">channel an_example_channel {
-    file "example.log" versions 3 size 20m suffix increment;
-    print-time yes;
-    print-category yes;
-};
-</pre>
-
-          <p>
-            The <span class="command"><strong>syslog</strong></span> destination clause
-            directs the
-            channel to the system log.  Its argument is a
-            syslog facility as described in the <span class="command"><strong>syslog</strong></span> man
-            page. Known facilities are <span class="command"><strong>kern</strong></span>, <span class="command"><strong>user</strong></span>,
-            <span class="command"><strong>mail</strong></span>, <span class="command"><strong>daemon</strong></span>, <span class="command"><strong>auth</strong></span>,
-            <span class="command"><strong>syslog</strong></span>, <span class="command"><strong>lpr</strong></span>, <span class="command"><strong>news</strong></span>,
-            <span class="command"><strong>uucp</strong></span>, <span class="command"><strong>cron</strong></span>, <span class="command"><strong>authpriv</strong></span>,
-            <span class="command"><strong>ftp</strong></span>, <span class="command"><strong>local0</strong></span>, <span class="command"><strong>local1</strong></span>,
-            <span class="command"><strong>local2</strong></span>, <span class="command"><strong>local3</strong></span>, <span class="command"><strong>local4</strong></span>,
-            <span class="command"><strong>local5</strong></span>, <span class="command"><strong>local6</strong></span> and
-            <span class="command"><strong>local7</strong></span>, however not all facilities
-            are supported on
-            all operating systems.
-            How <span class="command"><strong>syslog</strong></span> will handle messages
-            sent to
-            this facility is described in the <span class="command"><strong>syslog.conf</strong></span> man
-            page. If you have a system which uses a very old version of <span class="command"><strong>syslog</strong></span> that
-            only uses two arguments to the <span class="command"><strong>openlog()</strong></span> function,
-            then this clause is silently ignored.
-          </p>
-          <p>
-            On Windows machines syslog messages are directed to the EventViewer.
-          </p>
-          <p>
-            The <span class="command"><strong>severity</strong></span> clause works like <span class="command"><strong>syslog</strong></span>'s
-            "priorities", except that they can also be used if you are writing
-            straight to a file rather than using <span class="command"><strong>syslog</strong></span>.
-            Messages which are not at least of the severity level given will
-            not be selected for the channel; messages of higher severity
-            levels
-            will be accepted.
-          </p>
-          <p>
-            If you are using <span class="command"><strong>syslog</strong></span>, then the <span class="command"><strong>syslog.conf</strong></span> priorities
-            will also determine what eventually passes through. For example,
-            defining a channel facility and severity as <span class="command"><strong>daemon</strong></span> and <span class="command"><strong>debug</strong></span> but
-            only logging <span class="command"><strong>daemon.warning</strong></span> via <span class="command"><strong>syslog.conf</strong></span> will
-            cause messages of severity <span class="command"><strong>info</strong></span> and
-            <span class="command"><strong>notice</strong></span> to
-            be dropped. If the situation were reversed, with <span class="command"><strong>named</strong></span> writing
-            messages of only <span class="command"><strong>warning</strong></span> or higher,
-            then <span class="command"><strong>syslogd</strong></span> would
-            print all messages it received from the channel.
-          </p>
-
-          <p>
-            The <span class="command"><strong>stderr</strong></span> destination clause
-            directs the
-            channel to the server's standard error stream.  This is intended
-            for
-            use when the server is running as a foreground process, for
-            example
-            when debugging a configuration.
-          </p>
-
-          <p>
-            The server can supply extensive debugging information when
-            it is in debugging mode. If the server's global debug level is
-            greater
-            than zero, then debugging mode will be active. The global debug
-            level is set either by starting the <span class="command"><strong>named</strong></span> server
-            with the <code class="option">-d</code> flag followed by a positive integer,
-            or by running <span class="command"><strong>rndc trace</strong></span>.
-            The global debug level
-            can be set to zero, and debugging mode turned off, by running <span class="command"><strong>rndc
-notrace</strong></span>. All debugging messages in the server have a debug
-            level, and higher debug levels give more detailed output. Channels
-            that specify a specific debug severity, for example:
-          </p>
-
-<pre class="programlisting">channel specific_debug_level {
-    file "foo";
-    severity debug 3;
-};
-</pre>
-
-          <p>
-            will get debugging output of level 3 or less any time the
-            server is in debugging mode, regardless of the global debugging
-            level. Channels with <span class="command"><strong>dynamic</strong></span>
-            severity use the
-            server's global debug level to determine what messages to print.
-          </p>
-          <p>
-            <span class="command"><strong>print-time</strong></span> can be set to
-            <strong class="userinput"><code>yes</code></strong>, <strong class="userinput"><code>no</code></strong>,
-            or a time format specifier, which may be one of
-            <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
-            <strong class="userinput"><code>iso8601-utc</code></strong>.  If set to
-            <strong class="userinput"><code>no</code></strong>, then the date and time will
-            not be logged.  If set to <strong class="userinput"><code>yes</code></strong>
-            or <strong class="userinput"><code>local</code></strong>, the date and time are logged
-            in a human readable format, using the local time zone.
-            If set to <strong class="userinput"><code>iso8601</code></strong> the local time is
-            logged in ISO8601 format.  If set to
-            <strong class="userinput"><code>iso8601-utc</code></strong>, then the date and time
-            are logged in ISO8601 format, with time zone set to
-            UTC. The default is <strong class="userinput"><code>no</code></strong>.
-          </p>
-          <p>
-            <span class="command"><strong>print-time</strong></span> may
-            be specified for a <span class="command"><strong>syslog</strong></span> channel,
-            but it is usually
-            pointless since <span class="command"><strong>syslog</strong></span> also logs
-            the date and time.
-          </p>
-          <p>
-            If <span class="command"><strong>print-category</strong></span> is
-            requested, then the
-            category of the message will be logged as well. Finally, if <span class="command"><strong>print-severity</strong></span> is
-            on, then the severity level of the message will be logged. The <span class="command"><strong>print-</strong></span> options may
-            be used in any combination, and will always be printed in the
-            following
-            order: time, category, severity. Here is an example where all
-            three <span class="command"><strong>print-</strong></span> options
-            are on:
-          </p>
-
-          <p>
-            <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
-          </p>
-
-          <p>
-            If <span class="command"><strong>buffered</strong></span> has been turned on the output
-            to files will not be flushed after each log entry.  By default
-            all log messages are flushed.
-          </p>
-
-          <p>
-            There are four predefined channels that are used for
-            <span class="command"><strong>named</strong></span>'s default logging as follows.
-            If <span class="command"><strong>named</strong></span> is started with the
-            <code class="option">-L</code> then a
-            fifth channel <span class="command"><strong>default_logfile</strong></span> is added.
-            How they are
-            used is described in <a class="xref" href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span class="command"><strong>category</strong></span> Phrase&#8221;</a>.
-          </p>
-
-<pre class="programlisting">channel default_syslog {
-    // send to syslog's daemon facility
-    syslog daemon;
-    // only send priority info and higher
-    severity info;
-
-channel default_debug {
-    // write to named.run in the working directory
-    // Note: stderr is used instead of "named.run" if
-    // the server is started with the '-g' option.
-    file "named.run";
-    // log at the server's current debug level
-    severity dynamic;
-};
-
-channel default_stderr {
-    // writes to stderr
-    stderr;
-    // only send priority info and higher
-    severity info;
-};
-
-channel null {
-   // toss anything sent to this channel
-   null;
-};
-
-channel default_logfile {
-    // this channel is only present if named is
-    // started with the -L option, whose argument
-    // provides the file name
-    file "...";
-    // log at the server's current debug level
-    severity dynamic;
-};
-</pre>
-
-          <p>
-            The <span class="command"><strong>default_debug</strong></span> channel has the
-            special
-            property that it only produces output when the server's debug
-            level is
-            nonzero.  It normally writes to a file called <code class="filename">named.run</code>
-            in the server's working directory.
-          </p>
-
-          <p>
-            For security reasons, when the <code class="option">-u</code>
-            command line option is used, the <code class="filename">named.run</code> file
-            is created only after <span class="command"><strong>named</strong></span> has
-            changed to the
-            new UID, and any debug output generated while <span class="command"><strong>named</strong></span> is
-            starting up and still running as root is discarded.  If you need
-            to capture this output, you must run the server with the <code class="option">-L</code>
-            option to specify a default logfile, or the <code class="option">-g</code>
-            option to log to standard error which you can redirect to a file.
-          </p>
-
-          <p>
-            Once a channel is defined, it cannot be redefined. Thus you
-            cannot alter the built-in channels directly, but you can modify
-            the default logging by pointing categories at channels you have
-            defined.
-          </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_category_phrase"></a>The <span class="command"><strong>category</strong></span> Phrase</h4></div></div></div>
-
-          <p>
-            There are many categories, so you can send the logs you want
-            to see wherever you want, without seeing logs you don't want. If
-            you don't specify a list of channels for a category, then log
-            messages
-            in that category will be sent to the <span class="command"><strong>default</strong></span> category
-            instead. If you don't specify a default category, the following
-            "default default" is used:
-          </p>
-
-<pre class="programlisting">category default { default_syslog; default_debug; };
-</pre>
-
-          <p>
-            If you start <span class="command"><strong>named</strong></span> with the
-            <code class="option">-L</code> option then the default category is:
-          </p>
-
-<pre class="programlisting">category default { default_logfile; default_debug; };
-</pre>
-
-          <p>
-            As an example, let's say you want to log security events to
-            a file, but you also want keep the default logging behavior. You'd
-            specify the following:
-          </p>
-
-<pre class="programlisting">channel my_security_channel {
-    file "my_security_file";
-    severity info;
-};
-category security {
-    my_security_channel;
-    default_syslog;
-    default_debug;
-};</pre>
-
-          <p>
-            To discard all messages in a category, specify the <span class="command"><strong>null</strong></span> channel:
-          </p>
-
-<pre class="programlisting">category xfer-out { null; };
-category notify { null; };
-</pre>
-
-          <p>
-            Following are the available categories and brief descriptions
-            of the types of log information they contain. More
-            categories may be added in future <acronym class="acronym">BIND</acronym> releases.
-          </p>
-          <div class="informaltable">
-  <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="3.350in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-         <p><span class="command"><strong>client</strong></span></p>
-       </td>
-<td>
-         <p>
-           Processing of client requests.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>cname</strong></span></p>
-       </td>
-<td>
-         <p>
-           Logs nameservers that are skipped due to them being
-           a CNAME rather than A / AAAA records.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>config</strong></span></p>
-       </td>
-<td>
-         <p>
-           Configuration file parsing and processing.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>database</strong></span></p>
-       </td>
-<td>
-         <p>
-           Messages relating to the databases used
-           internally by the name server to store zone and cache
-           data.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>default</strong></span></p>
-       </td>
-<td>
-         <p>
-           The default category defines the logging
-           options for those categories where no specific
-           configuration has been
-           defined.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>delegation-only</strong></span></p>
-       </td>
-<td>
-         <p>
-           Delegation only.  Logs queries that have been
-           forced to NXDOMAIN as the result of a
-           delegation-only zone or a
-           <span class="command"><strong>delegation-only</strong></span> in a
-           forward, hint or stub zone declaration.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>dispatch</strong></span></p>
-       </td>
-<td>
-         <p>
-           Dispatching of incoming packets to the
-           server modules where they are to be processed.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>dnssec</strong></span></p>
-       </td>
-<td>
-         <p>
-           DNSSEC and TSIG protocol processing.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>dnstap</strong></span></p>
-       </td>
-<td>
-         <p>
-           The "dnstap" DNS traffic capture system.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>edns-disabled</strong></span></p>
-       </td>
-<td>
-         <p>
-           Log queries that have been forced to use plain
-           DNS due to timeouts.  This is often due to
-           the remote servers not being RFC 1034 compliant
-           (not always returning FORMERR or similar to
-           EDNS queries and other extensions to the DNS
-           when they are not understood).  In other words, this is
-           targeted at servers that fail to respond to
-           DNS queries that they don't understand.
-         </p>
-         <p>
-           Note: the log message can also be due to
-           packet loss.  Before reporting servers for
-           non-RFC 1034 compliance they should be re-tested
-           to determine the nature of the non-compliance.
-           This testing should prevent or reduce the
-           number of false-positive reports.
-         </p>
-         <p>
-           Note: eventually <span class="command"><strong>named</strong></span> will have to stop
-           treating such timeouts as due to RFC 1034 non
-           compliance and start treating it as plain
-           packet loss.  Falsely classifying packet
-           loss as due to RFC 1034 non compliance impacts
-           on DNSSEC validation which requires EDNS for
-           the DNSSEC records to be returned.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>general</strong></span></p>
-       </td>
-<td>
-         <p>
-           The catch-all. Many things still aren't
-           classified into categories, and they all end up here.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>lame-servers</strong></span></p>
-       </td>
-<td>
-         <p>
-           Lame servers.  These are misconfigurations
-           in remote servers, discovered by BIND 9 when trying to
-           query those servers during resolution.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>network</strong></span></p>
-       </td>
-<td>
-         <p>
-           Network operations.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>notify</strong></span></p>
-       </td>
-<td>
-         <p>
-           The NOTIFY protocol.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>queries</strong></span></p>
-       </td>
-<td>
-         <p>
-           Specify where queries should be logged to.
-         </p>
-         <p>
-           At startup, specifying the category <span class="command"><strong>queries</strong></span> will also
-           enable query logging unless <span class="command"><strong>querylog</strong></span> option has been
-           specified.
-         </p>
-
-         <p>
-           The query log entry first reports a client object
-           identifier in @0x&lt;hexadecimal-number&gt;
-           format. Next, it reports the client's IP
-           address and port number, and the query name,
-           class and type.  Next, it reports whether the
-           Recursion Desired flag was set (+ if set, -
-           if not set), whether the query was signed (S),
-           whether EDNS was in use along with the EDNS version
-           number (E(#)), whether TCP was used (T), whether
-           DO (DNSSEC Ok) was set (D), whether CD (Checking
-           Disabled) was set (C), whether a valid DNS Server
-           COOKIE was received (V), and whether a DNS
-           COOKIE option without a valid Server COOKIE was
-           present (K).  After this the destination
-           address the query was sent to is reported.
-           Finally, if any CLIENT-SUBNET option
-           was present in the client query, it is
-           included in square brackets in the format
-           [ECS <em class="replaceable"><code>address/source/scope</code></em>].
-         </p>
-
-         <p>
-           <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
-         </p>
-         <p>
-           <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
-         </p>
-         <p>
-           (The first part of this log message, showing the
-           client address/port number and query name, is
-           repeated in all subsequent log messages related
-           to the same query.)
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>query-errors</strong></span></p>
-       </td>
-<td>
-         <p>
-           Information about queries that resulted in some
-           failure.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>rate-limit</strong></span></p>
-       </td>
-<td>
-         <p>
-           The start, periodic, and final notices of the
-           rate limiting of a stream of responses are logged at
-           <span class="command"><strong>info</strong></span> severity in this category.
-           These messages include a hash value of the domain name
-           of the response and the name itself,
-           except when there is insufficient memory to record
-           the name for the final notice
-           The final notice is normally delayed until about one
-           minute after rate limit stops.
-           A lack of memory can hurry the final notice,
-           in which case it starts with an asterisk (*).
-           Various internal events are logged at debug 1 level
-           and higher.
-         </p>
-         <p>
-           Rate limiting of individual requests
-           is logged in the <span class="command"><strong>query-errors</strong></span> category.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>resolver</strong></span></p>
-       </td>
-<td>
-         <p>
-           DNS resolution, such as the recursive
-           lookups performed on behalf of clients by a caching name
-           server.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>rpz</strong></span></p>
-       </td>
-<td>
-         <p>
-           Information about errors in response policy zone files,
-           rewritten responses, and at the highest
-           <span class="command"><strong>debug</strong></span> levels, mere rewriting
-           attempts.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>security</strong></span></p>
-       </td>
-<td>
-         <p>
-           Approval and denial of requests.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>spill</strong></span></p>
-       </td>
-<td>
-         <p>
-           Logs queries that have been terminated, either by dropping
-           or responding with SERVFAIL, as a result of a fetchlimit
-           quota being exceeded.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>trust-anchor-telemetry</strong></span></p>
-       </td>
-<td>
-         <p>
-           Logs trust-anchor-telemetry requests received by named.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>unmatched</strong></span></p>
-       </td>
-<td>
-         <p>
-           Messages that <span class="command"><strong>named</strong></span> was unable to determine the
-           class of or for which there was no matching <span class="command"><strong>view</strong></span>.
-           A one line summary is also logged to the <span class="command"><strong>client</strong></span> category.
-           This category is best sent to a file or stderr, by
-           default it is sent to
-           the <span class="command"><strong>null</strong></span> channel.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>update</strong></span></p>
-       </td>
-<td>
-         <p>
-           Dynamic updates.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>update-security</strong></span></p>
-       </td>
-<td>
-         <p>
-           Approval and denial of update requests.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>xfer-in</strong></span></p>
-       </td>
-<td>
-         <p>
-           Zone transfers the server is receiving.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>xfer-out</strong></span></p>
-       </td>
-<td>
-         <p>
-           Zone transfers the server is sending.
-         </p>
-       </td>
-</tr>
-<tr>
-<td>
-         <p><span class="command"><strong>zoneload</strong></span></p>
-       </td>
-<td>
-         <p>
-           Loading of zones and creation of automatic empty zones.
-         </p>
-       </td>
-</tr>
-</tbody>
-</table>
-</div>
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="query_errors"></a>The <span class="command"><strong>query-errors</strong></span> Category</h4></div></div></div>
-          <p>
-            The <span class="command"><strong>query-errors</strong></span> category is
-            specifically intended for debugging purposes: To identify
-            why and how specific queries result in responses which
-            indicate an error.
-            Messages of this category are therefore only logged
-            with <span class="command"><strong>debug</strong></span> levels.
-          </p>
-
-          <p>
-            At the debug levels of 1 or higher, each response with the
-            rcode of SERVFAIL is logged as follows:
-          </p>
-          <p>
-            <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
-          </p>
-          <p>
-            This means an error resulting in SERVFAIL was
-            detected at line 3880 of source file
-            <code class="filename">query.c</code>.
-            Log messages of this level will particularly
-            help identify the cause of SERVFAIL for an
-            authoritative server.
-          </p>
-          <p>
-            At the debug levels of 2 or higher, detailed context
-            information of recursive resolutions that resulted in
-            SERVFAIL is logged.
-            The log message will look like as follows:
-          </p>
-          <p>
-
-            </p>
-<pre class="programlisting">
-fetch completed at resolver.c:2970 for www.example.com/A
-in 30.000183: timed out/success [domain:example.com,
-referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
-badresp:1,adberr:0,findfail:0,valfail:0]
-            </pre>
-<p>
-          </p>
-          <p>
-            The first part before the colon shows that a recursive
-            resolution for AAAA records of www.example.com completed
-            in 30.000183 seconds and the final result that led to the
-            SERVFAIL was determined at line 2970 of source file
-            <code class="filename">resolver.c</code>.
-          </p>
-          <p>
-            The following part shows the detected final result and the
-            latest result of DNSSEC validation.
-            The latter is always success when no validation attempt
-            is made.
-            In this example, this query resulted in SERVFAIL probably
-            because all name servers are down or unreachable, leading
-            to a timeout in 30 seconds.
-            DNSSEC validation was probably not attempted.
-          </p>
-          <p>
-            The last part enclosed in square brackets shows statistics
-            information collected for this particular resolution
-            attempt.
-            The <code class="varname">domain</code> field shows the deepest zone
-            that the resolver reached;
-            it is the zone where the error was finally detected.
-            The meaning of the other fields is summarized in the
-            following table.
-          </p>
-
-          <div class="informaltable">
-            <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="3.350in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p><code class="varname">referral</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of referrals the resolver received
-                      throughout the resolution process.
-                      In the above example this is 2, which are most
-                      likely com and example.com.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">restart</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of cycles that the resolver tried
-                      remote servers at the <code class="varname">domain</code>
-                      zone.
-                      In each cycle the resolver sends one query
-                      (possibly resending it, depending on the response)
-                      to each known name server of
-                      the <code class="varname">domain</code> zone.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">qrysent</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of queries the resolver sent at the
-                      <code class="varname">domain</code> zone.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">timeout</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of timeouts since the resolver
-                      received the last response.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">lame</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of lame servers the resolver detected
-                      at the <code class="varname">domain</code> zone.
-                      A server is detected to be lame either by an
-                      invalid response or as a result of lookup in
-                      BIND9's address database (ADB), where lame
-                      servers are cached.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">neterr</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of erroneous results that the
-                      resolver encountered in sending queries
-                      at the <code class="varname">domain</code> zone.
-                      One common case is the remote server is
-                      unreachable and the resolver receives an ICMP
-                      unreachable error message.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">badresp</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of unexpected responses (other than
-                      <code class="varname">lame</code>) to queries sent by the
-                      resolver at the <code class="varname">domain</code> zone.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">adberr</code></p>
-                  </td>
-<td>
-                    <p>
-                      Failures in finding remote server addresses
-                      of the <code class="varname">domain</code> zone in the ADB.
-                      One common case of this is that the remote
-                      server's name does not have any address records.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">findfail</code></p>
-                  </td>
-<td>
-                    <p>
-                      Failures of resolving remote server addresses.
-                      This is a total number of failures throughout
-                      the resolution process.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">valfail</code></p>
-                  </td>
-<td>
-                    <p>
-                      Failures of DNSSEC validation.
-                      Validation failures are counted throughout
-                      the resolution process (not limited to
-                      the <code class="varname">domain</code> zone), but should
-                      only happen in <code class="varname">domain</code>.
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table>
-          </div>
-          <p>
-            At the debug levels of 3 or higher, the same messages
-            as those at the debug 1 level are logged for other errors
-            than SERVFAIL.
-            Note that negative responses such as NXDOMAIN are not
-            regarded as errors here.
-          </p>
-          <p>
-            At the debug levels of 4 or higher, the same messages
-            as those at the debug 2 level are logged for other errors
-            than SERVFAIL.
-            Unlike the above case of level 3, messages are logged for
-            negative responses.
-            This is because any unexpected results can be difficult to
-            debug in the recursion case.
-          </p>
-        </div>
-      </div>
-
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="masters_grammar"></a><span class="command"><strong>masters</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
-<span class="command"><strong>masters</strong></span> <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
-    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [
-    <span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port
-    <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
-</pre>
-      </div>
-
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="masters_statement"></a><span class="command"><strong>masters</strong></span> Statement Definition and
-          Usage</h3></div></div></div>
-
-        <p><span class="command"><strong>masters</strong></span>
-          lists allow for a common set of masters to be easily used by
-          multiple stub and slave zones in their <span class="command"><strong>masters</strong></span>
-          or <span class="command"><strong>also-notify</strong></span> lists.
-        </p>
-      </div>
-
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="options_grammar"></a><span class="command"><strong>options</strong></span> Statement Grammar</h3></div></div></div>
-
-        <p>
-          This is the grammar of the <span class="command"><strong>options</strong></span>
-          statement in the <code class="filename">named.conf</code> file:
-        </p>
-        <pre class="programlisting">
-<span class="command"><strong>options</strong></span> {
-       <span class="command"><strong>allow-new-zones</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>allow-notify</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-query-cache</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-query-cache-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-recursion</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-recursion-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-transfer</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-update</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-update-forwarding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>also-notify</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> |
-           <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port
-           <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
-       <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )
-           ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> |
-           * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>attach-cache</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>auth-nxdomain</strong></span> <em class="replaceable"><code>boolean</code></em>; // default changed
-       <span class="command"><strong>auto-dnssec</strong></span> ( allow | maintain | off );
-       <span class="command"><strong>automatic-interface-scan</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>avoid-v4-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
-       <span class="command"><strong>avoid-v6-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
-       <span class="command"><strong>bindkeys-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>blackhole</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>cache-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>catalog-zones</strong></span> { zone <em class="replaceable"><code>quoted_string</code></em> [ default-masters [ port
-           <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [
-           <span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key
-           <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [
-           <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };
-       <span class="command"><strong>check-dup-records</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>check-mx</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>check-mx-cname</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>check-names</strong></span> ( primary | master |
-           <span class="command"><strong>secondary</strong></span> | slave | response ) (
-           <span class="command"><strong>fail</strong></span> | warn | ignore );
-       <span class="command"><strong>check-sibling</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>check-spf</strong></span> ( warn | ignore );
-       <span class="command"><strong>check-srv-cname</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>cleaning-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>cookie-algorithm</strong></span> ( aes | sha1 | sha256 );
-       <span class="command"><strong>cookie-secret</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>coresize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
-       <span class="command"><strong>datasize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
-       <span class="command"><strong>deny-answer-addresses</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } [
-           <span class="command"><strong>except-from</strong></span> { <em class="replaceable"><code>quoted_string</code></em>; ... } ];
-       <span class="command"><strong>deny-answer-aliases</strong></span> { <em class="replaceable"><code>quoted_string</code></em>; ... } [ except-from {
-           <em class="replaceable"><code>quoted_string</code></em>; ... } ];
-       <span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>disable-algorithms</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;
-           ... };
-       <span class="command"><strong>disable-ds-digests</strong></span> <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;
-           ... };
-       <span class="command"><strong>disable-empty-zone</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>dns64</strong></span> <em class="replaceable"><code>netprefix</code></em> {
-               <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em>;
-               <span class="command"><strong>clients</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-               <span class="command"><strong>exclude</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-               <span class="command"><strong>mapped</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-               <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
-               <span class="command"><strong>suffix</strong></span> <em class="replaceable"><code>ipv6_address</code></em>;
-       };
-       <span class="command"><strong>dns64-contact</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>dns64-server</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>dnsrps-options</strong></span> { <em class="replaceable"><code>unspecified-text</code></em> };
-       <span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>dnssec-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em> trust-anchor
-           <em class="replaceable"><code>string</code></em> | auto | no );
-       <span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
-       <span class="command"><strong>dnssec-validation</strong></span> ( yes | no | auto );
-       <span class="command"><strong>dnstap</strong></span> { ( all | auth | client | forwarder |
-           <span class="command"><strong>resolver</strong></span> ) [ ( query | response ) ]; ... };
-       <span class="command"><strong>dnstap-identity</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none |
-           <span class="command"><strong>hostname</strong></span> );
-       <span class="command"><strong>dnstap-output</strong></span> ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [
-           <span class="command"><strong>size</strong></span> ( unlimited | <em class="replaceable"><code>size</code></em> ) ] [ versions (
-           <span class="command"><strong>unlimited</strong></span> | <em class="replaceable"><code>integer</code></em> ) ] [ suffix ( increment
-           | timestamp ) ];
-       <span class="command"><strong>dnstap-version</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
-       <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>dual-stack-servers</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>quoted_string</code></em> [ port
-           <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv4_address</code></em> [ port
-           <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port
-           <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] ); ... };
-       <span class="command"><strong>dump-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>edns-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>empty-contact</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>empty-server</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>empty-zones-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>fetch-quota-params</strong></span> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;
-       <span class="command"><strong>fetches-per-server</strong></span> <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];
-       <span class="command"><strong>fetches-per-zone</strong></span> <em class="replaceable"><code>integer</code></em> [ ( drop | fail ) ];
-       <span class="command"><strong>files</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
-       <span class="command"><strong>filter-aaaa</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>filter-aaaa-on-v4</strong></span> ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>filter-aaaa-on-v6</strong></span> ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>flush-zones-on-shutdown</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>forward</strong></span> ( first | only );
-       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em>
-           | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
-       <span class="command"><strong>fstrm-set-buffer-hint</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>fstrm-set-flush-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>fstrm-set-input-queue-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>fstrm-set-output-notify-threshold</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>fstrm-set-output-queue-model</strong></span> ( mpsc | spsc );
-       <span class="command"><strong>fstrm-set-output-queue-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>geoip-directory</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
-       <span class="command"><strong>geoip-use-ecs</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>glue-cache</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>heartbeat-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>hostname</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
-       <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>ixfr-from-differences</strong></span> ( primary | master | secondary | slave |
-           <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>keep-response-order</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>lame-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
-       <span class="command"><strong>listen-on</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
-           <em class="replaceable"><code>integer</code></em> ] {
-           <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>listen-on-v6</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp
-           <em class="replaceable"><code>integer</code></em> ] {
-           <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>lmdb-mapsize</strong></span> <em class="replaceable"><code>sizeval</code></em>;
-       <span class="command"><strong>lock-file</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
-       <span class="command"><strong>managed-keys-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
-       <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
-       <span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>max-cache-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );
-       <span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
-       <span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-rsa-exponent-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-stale-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
-       <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
-       <span class="command"><strong>memstatistics</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>memstatistics-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>message-compression</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>minimal-any</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>minimal-responses</strong></span> ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>new-zones-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>no-case-compress</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>nocookie-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>notify-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
-           <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]
-           [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>nta-lifetime</strong></span> <em class="replaceable"><code>ttlval</code></em>;
-       <span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>ttlval</code></em>;
-       <span class="command"><strong>nxdomain-redirect</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>pid-file</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
-       <span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>preferred-glue</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>prefetch</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>query-source</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (
-           <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]
-           <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>query-source-v6</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (
-           <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]
-           <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>querylog</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>random-device</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
-       <span class="command"><strong>rate-limit</strong></span> {
-               <span class="command"><strong>all-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>errors-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>exempt-clients</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-               <span class="command"><strong>ipv4-prefix-length</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>ipv6-prefix-length</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>log-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
-               <span class="command"><strong>max-table-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>min-table-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>nodata-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>nxdomains-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>qps-scale</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>referrals-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>responses-per-second</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>slip</strong></span> <em class="replaceable"><code>integer</code></em>;
-               <span class="command"><strong>window</strong></span> <em class="replaceable"><code>integer</code></em>;
-       };
-       <span class="command"><strong>recursing-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>recursion</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>recursive-clients</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>request-nsid</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>require-server-cookie</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>reserved-sockets</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>resolver-nonbackoff-tries</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>resolver-query-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>resolver-retry-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size
-           <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [
-           <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [
-           <span class="command"><strong>policy</strong></span> ( cname | disabled | drop | given | no-op | nodata |
-           <span class="command"><strong>nxdomain</strong></span> | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
-           <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
-           <span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [
-           <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [
-           <span class="command"><strong>min-ns-dots</strong></span> <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [
-           <span class="command"><strong>qname-wait-recurse</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [
-           <span class="command"><strong>nsip-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [
-           <span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em>
-           } ];
-       <span class="command"><strong>root-delegation-only</strong></span> [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];
-       <span class="command"><strong>rrset-order</strong></span> { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name
-           <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };
-       <span class="command"><strong>secroots-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>send-cookie</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>serial-query-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>serial-update-method</strong></span> ( date | increment | unixtime );
-       <span class="command"><strong>server-id</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );
-       <span class="command"><strong>servfail-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
-       <span class="command"><strong>session-keyalg</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>session-keyfile</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
-       <span class="command"><strong>session-keyname</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>sortlist</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>stacksize</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
-       <span class="command"><strong>stale-answer-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>stale-answer-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
-       <span class="command"><strong>startup-notify-rate</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>statistics-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>synth-from-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>tcp-advertised-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>tcp-clients</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>tcp-idle-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>tcp-initial-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>tcp-keepalive-timeout</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>tcp-listen-queue</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>tkey-dhkey</strong></span> <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>tkey-domain</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>tkey-gssapi-credential</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>tkey-gssapi-keytab</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>transfer-format</strong></span> ( many-answers | one-answer );
-       <span class="command"><strong>transfer-message-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
-           <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )
-           ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>transfers-in</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>transfers-out</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>transfers-per-ns</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>trust-anchor-telemetry</strong></span> <em class="replaceable"><code>boolean</code></em>; // experimental
-       <span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>use-v4-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
-       <span class="command"><strong>use-v6-udp-ports</strong></span> { <em class="replaceable"><code>portrange</code></em>; ... };
-       <span class="command"><strong>v6-bias</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>version</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
-       <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>zero-no-soa-ttl-cache</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
-};
-</pre>
-      </div>
-
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="options"></a><span class="command"><strong>options</strong></span> Statement Definition and
-          Usage</h3></div></div></div>
-
-        <p>
-          The <span class="command"><strong>options</strong></span> statement sets up global
-          options
-          to be used by <acronym class="acronym">BIND</acronym>. This statement
-          may appear only
-          once in a configuration file. If there is no <span class="command"><strong>options</strong></span>
-          statement, an options block with each option set to its default will
-          be used.
-        </p>
-
-        <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>attach-cache</strong></span></span></dt>
-<dd>
-                <p>
-                  Allows multiple views to share a single cache
-                  database.
-                  Each view has its own cache database by default, but
-                  if multiple views have the same operational policy
-                  for name resolution and caching, those views can
-                  share a single cache to save memory and possibly
-                  improve resolution efficiency by using this option.
-                </p>
-
-                <p>
-                  The <span class="command"><strong>attach-cache</strong></span> option
-                  may also be specified in <span class="command"><strong>view</strong></span>
-                  statements, in which case it overrides the
-                  global <span class="command"><strong>attach-cache</strong></span> option.
-                </p>
-
-                <p>
-                  The <em class="replaceable"><code>cache_name</code></em> specifies
-                  the cache to be shared.
-                  When the <span class="command"><strong>named</strong></span> server configures
-                  views which are supposed to share a cache, it
-                  creates a cache with the specified name for the
-                  first view of these sharing views.
-                  The rest of the views will simply refer to the
-                  already created cache.
-                </p>
-
-                <p>
-                  One common configuration to share a cache would be to
-                  allow all views to share a single cache.
-                  This can be done by specifying
-                  the <span class="command"><strong>attach-cache</strong></span> as a global
-                  option with an arbitrary name.
-                </p>
-
-                <p>
-                  Another possible operation is to allow a subset of
-                  all views to share a cache while the others to
-                  retain their own caches.
-                  For example, if there are three views A, B, and C,
-                  and only A and B should share a cache, specify the
-                  <span class="command"><strong>attach-cache</strong></span> option as a view A (or
-                  B)'s option, referring to the other view name:
-                </p>
-
-<pre class="programlisting">
-  view "A" {
-    // this view has its own cache
-    ...
-  };
-  view "B" {
-    // this view refers to A's cache
-    attach-cache "A";
-  };
-  view "C" {
-    // this view has its own cache
-    ...
-  };
-</pre>
-
-                <p>
-                  Views that share a cache must have the same policy
-                  on configurable parameters that may affect caching.
-                  The current implementation requires the following
-                  configurable options be consistent among these
-                  views:
-                  <span class="command"><strong>check-names</strong></span>,
-                  <span class="command"><strong>cleaning-interval</strong></span>,
-                  <span class="command"><strong>dnssec-accept-expired</strong></span>,
-                  <span class="command"><strong>dnssec-validation</strong></span>,
-                  <span class="command"><strong>max-cache-ttl</strong></span>,
-                  <span class="command"><strong>max-ncache-ttl</strong></span>,
-                  <span class="command"><strong>max-stale-ttl</strong></span>,
-                  <span class="command"><strong>max-cache-size</strong></span>, and
-                  <span class="command"><strong>zero-no-soa-ttl</strong></span>.
-                </p>
-
-                <p>
-                  Note that there may be other parameters that may
-                  cause confusion if they are inconsistent for
-                  different views that share a single cache.
-                  For example, if these views define different sets of
-                  forwarders that can return different answers for the
-                  same question, sharing the answer does not make
-                  sense or could even be harmful.
-                  It is administrator's responsibility to ensure
-                  configuration differences in different views do
-                  not cause disruption with a shared cache.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
-<dd>
-              <p>
-                The working directory of the server.
-                Any non-absolute pathnames in the configuration file will
-                be taken as relative to this directory. The default
-                location for most server output files
-                (e.g. <code class="filename">named.run</code>) is this directory.
-                If a directory is not specified, the working directory
-                defaults to `<code class="filename">.</code>', the directory from
-                which the server was started. The directory specified
-                should be an absolute path, and <span class="emphasis"><em>must</em></span>
-                be writable by the effective user ID of the
-                <span class="command"><strong>named</strong></span> process.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dnstap</strong></span></span></dt>
-<dd>
-              <p>
-                <span class="command"><strong>dnstap</strong></span> is a fast, flexible method
-                for capturing and logging DNS traffic. Developed by
-                Robert Edmonds at Farsight Security, Inc., and supported
-                by multiple DNS implementations, <span class="command"><strong>dnstap</strong></span>
-                uses
-                <span class="command"><strong>libfstrm</strong></span> (a lightweight high-speed
-                framing library, see
-                <a class="link" href="https://github.com/farsightsec/fstrm" target="_top">https://github.com/farsightsec/fstrm</a>) to send
-                event payloads which are encoded using Protocol Buffers
-                (<span class="command"><strong>libprotobuf-c</strong></span>, a mechanism for
-                serializing structured data developed
-                by Google, Inc.; see
-                <a class="link" href="https://developers.google.com/protocol-buffers/" target="_top">https://developers.google.com/protocol-buffers</a>).
-              </p>
-              <p>
-                To enable <span class="command"><strong>dnstap</strong></span> at compile time,
-                the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
-                libraries must be available, and BIND must be configured with
-                <code class="option">--enable-dnstap</code>.
-              </p>
-              <p>
-                The <span class="command"><strong>dnstap</strong></span> option is a bracketed list
-                of message types to be logged. These may be set differently
-                for each view. Supported types are <code class="literal">client</code>,
-                <code class="literal">auth</code>, <code class="literal">resolver</code>, and
-                <code class="literal">forwarder</code>.  Specifying type
-                <code class="literal">all</code> will cause all <span class="command"><strong>dnstap</strong></span>
-                messages to be logged, regardless of type.
-              </p>
-              <p>
-                Each type may take an additional argument to indicate whether
-                to log <code class="literal">query</code> messages or
-                <code class="literal">response</code> messages; if not specified,
-                both queries and responses are logged.
-              </p>
-              <p>
-                Example: To log all authoritative queries and responses,
-                recursive client responses, and upstream queries sent by
-                the resolver, use:
-</p>
-<pre class="programlisting">dnstap {
-  auth;
-  client response;
-  resolver query;
-};
-</pre>
-<p>
-              </p>
-              <p>
-                Logged <span class="command"><strong>dnstap</strong></span> messages can be parsed
-                using the <span class="command"><strong>dnstap-read</strong></span> utility (see
-                <a class="xref" href="man.dnstap-read.html" title="dnstap-read"><span class="refentrytitle"><span class="application">dnstap-read</span></span>(1)</a> for details).
-              </p>
-              <p>
-                For more information on <span class="command"><strong>dnstap</strong></span>, see
-                <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
-              </p>
-              <p>
-                The fstrm library has a number of tunables that are exposed
-                in <code class="filename">named.conf</code>, and can be modified
-                if necessary to improve performance or prevent loss of data.
-                These are:
-              </p>
-              <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-                  
-                    <span class="command"><strong>fstrm-set-buffer-hint</strong></span>: The
-                    threshold number of bytes to accumulate in the output
-                    buffer before forcing a buffer flush. The minimum is
-                    1024, the maximum is 65536, and the default is 8192.
-                  
-                </li>
-<li class="listitem">
-                  
-                    <span class="command"><strong>fstrm-set-flush-timeout</strong></span>: The number
-                    of seconds to allow unflushed data to remain in the
-                    output buffer. The minimum is 1 second, the maximum is
-                    600 seconds (10 minutes), and the default is 1 second.
-                  
-                </li>
-<li class="listitem">
-                  
-                    <span class="command"><strong>fstrm-set-output-notify-threshold</strong></span>:
-                    The number of outstanding queue entries to allow on
-                    an input queue before waking the I/O thread.
-                    The minimum is 1 and the default is 32.
-                  
-                </li>
-<li class="listitem">
-                  
-                    <span class="command"><strong>fstrm-set-output-queue-model</strong></span>:
-                    Controls the queuing semantics to use for queue
-                    objects. The default is <code class="literal">mpsc</code>
-                    (multiple producer, single consumer); the other
-                    option is <code class="literal">spsc</code> (single producer,
-                    single consumer).
-                  
-                </li>
-<li class="listitem">
-                  
-                    <span class="command"><strong>fstrm-set-input-queue-size</strong></span>: The
-                    number of queue entries to allocate for each
-                    input queue. This value must be a power of 2.
-                    The minimum is 2, the maximum is 16384, and
-                    the default is 512.
-                  
-                </li>
-<li class="listitem">
-                  
-                    <span class="command"><strong>fstrm-set-output-queue-size</strong></span>:
-                    The number of queue entries to allocate for each
-                    output queue. The minimum is 2, the maximum is
-                    system-dependent and based on <code class="option">IOV_MAX</code>,
-                    and the default is 64.
-                  
-                </li>
-<li class="listitem">
-                  
-                    <span class="command"><strong>fstrm-set-reopen-interval</strong></span>:
-                    The number of seconds to wait between attempts to
-                    reopen a closed output stream. The minimum is 1 second,
-                    the maximum is 600 seconds (10 minutes), and the default
-                    is 5 seconds.
-                  
-                </li>
-</ul></div>
-              <p>
-                Note that all of the above minimum, maximum, and default
-                values are set by the <span class="command"><strong>libfstrm</strong></span> library,
-                and may be subject to change in future versions of the
-                library. See the <span class="command"><strong>libfstrm</strong></span> documentation
-                for more information.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dnstap-output</strong></span></span></dt>
-<dd>
-              <p>
-                Configures the path to which the <span class="command"><strong>dnstap</strong></span>
-                frame stream will be sent if <span class="command"><strong>dnstap</strong></span>
-                is enabled at compile time and active.
-              </p>
-              <p>
-                The first argument is either <code class="literal">file</code> or
-                <code class="literal">unix</code>, indicating whether the destination
-                is a file or a UNIX domain socket.  The second argument
-                is the path of the file or socket.  (Note: when using a
-                socket, <span class="command"><strong>dnstap</strong></span> messages will
-                only be sent if another process such as
-                <span class="command"><strong>fstrm_capture</strong></span>
-                (provided with <span class="command"><strong>libfstrm</strong></span>) is listening on
-                the socket.)
-              </p>
-              <p>
-                If the first argument is <code class="literal">file</code>, then
-                up to three additional options can be added:
-                <span class="command"><strong>size</strong></span> indicates the size to which a
-                <span class="command"><strong>dnstap</strong></span> log file can grow before being
-                rolled to a new file; <span class="command"><strong>versions</strong></span>
-                specifies the number of rolled log files to retain; and
-                <span class="command"><strong>suffix</strong></span> indicates whether to retain
-                rolled log files with an incrementing counter as the
-                suffix (<code class="literal">increment</code>) or with the
-                current timestamp (<code class="literal">timestamp</code>).
-                These are similar to the <span class="command"><strong>size</strong></span>,
-                <span class="command"><strong>versions</strong></span>, and <span class="command"><strong>suffix</strong></span>
-                options in a <span class="command"><strong>logging</strong></span> channel.
-                The default is to allow <span class="command"><strong>dnstap</strong></span> log
-                files to grow to any size without rolling.
-              </p>
-              <p>
-                <span class="command"><strong>dnstap-output</strong></span> can only be set globally
-                in <span class="command"><strong>options</strong></span>. Currently, it can only be
-                set once while <span class="command"><strong>named</strong></span> is running;
-                once set, it cannot be changed by
-                <span class="command"><strong>rndc reload</strong></span> or
-                <span class="command"><strong>rndc reconfig</strong></span>.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dnstap-identity</strong></span></span></dt>
-<dd>
-              <p>
-                Specifies an <span class="command"><strong>identity</strong></span> string to send in
-                <span class="command"><strong>dnstap</strong></span> messages. If set to
-                <code class="literal">hostname</code>, which is the default, the
-                server's hostname will be sent. If set to
-                <code class="literal">none</code>, no identity string will be sent.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dnstap-version</strong></span></span></dt>
-<dd>
-              <p>
-                Specifies a <span class="command"><strong>version</strong></span> string to send in
-                <span class="command"><strong>dnstap</strong></span> messages. The default is the
-                version number of the BIND release. If set to
-                <code class="literal">none</code>, no version string will be sent.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>geoip-directory</strong></span></span></dt>
-<dd>
-              <p>
-                Specifies the directory containing GeoIP
-                <code class="filename">.dat</code> database files for GeoIP
-                initialization.  By default, this option is unset
-                and the GeoIP support will use libGeoIP's
-                built-in directory.
-                (For details, see <a class="xref" href="Bv9ARM.ch06.html#acl" title="acl Statement Definition and Usage">the section called &#8220;<span class="command"><strong>acl</strong></span> Statement Definition and
-          Usage&#8221;</a> about the
-                <span class="command"><strong>geoip</strong></span> ACL.)
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
-<dd>
-              <p>
-                When performing dynamic update of secure zones, the
-                directory where the public and private DNSSEC key files
-                should be found, if different than the current working
-                directory.  (Note that this option has no effect on the
-                paths for files containing non-DNSSEC keys such as
-                <code class="filename">bind.keys</code>,
-                <code class="filename">rndc.key</code> or
-                <code class="filename">session.key</code>.)
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>lmdb-mapsize</strong></span></span></dt>
-<dd>
-              <p>
-                When <span class="command"><strong>named</strong></span> is built with liblmdb,
-                this option sets a maximum size for the memory map of
-                the new-zone database (NZD) in LMDB database format.
-                This database is used to store configuration information
-                for zones added using <span class="command"><strong>rndc addzone</strong></span>.
-                Note that this is not the NZD database file size, but
-                the largest size that the database may grow to.
-              </p>
-              <p>
-                Because the database file is memory mapped, its size is
-                limited by the address space of the named process.  The
-                default of 32 megabytes was chosen to be usable with
-                32-bit <span class="command"><strong>named</strong></span> builds.  The largest
-                permitted value is 1 terabyte. Given typical zone
-                configurations without elaborate ACLs, a 32 MB NZD file
-                ought to be able to hold configurations of about 100,000
-                zones.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>managed-keys-directory</strong></span></span></dt>
-<dd>
-              <p>
-                Specifies the directory in which to store the files that
-                track managed DNSSEC keys.  By default, this is the working
-                directory.  The directory <span class="emphasis"><em>must</em></span>
-                be writable by the effective user ID of the
-                <span class="command"><strong>named</strong></span> process.
-              </p>
-              <p>
-                If <span class="command"><strong>named</strong></span> is not configured to use views,
-                then managed keys for the server will be tracked in a single
-                file called <code class="filename">managed-keys.bind</code>.
-                Otherwise, managed keys will be tracked in separate files,
-                one file per view; each file name will be the view name
-                (or, if it contains characters that are incompatible with
-                use as a file name, the SHA256 hash of the view name),
-                followed by the extension
-                <code class="filename">.mkeys</code>.
-              </p>
-              <p>
-                (Note: in previous releases, file names for views
-                always used the SHA256 hash of the view name. To ensure
-                compatibility after upgrade, if a file using the old
-                name format is found to exist, it will be used instead
-                of the new format.)
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>new-zones-directory</strong></span></span></dt>
-<dd>
-              <p>
-                Specifies the directory in which to store the configuration
-                parameters for zones added via <span class="command"><strong>rndc addzone</strong></span>.
-                By default, this is the working directory. If set to a relative
-                path, it will be relative to the working directory. The
-                directory <span class="emphasis"><em>must</em></span> be writable by the
-                effective user ID of the <span class="command"><strong>named</strong></span> process.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>named-xfer</strong></span></span></dt>
-<dd>
-              <p>
-                <span class="emphasis"><em>This option is obsolete.</em></span> It
-                was used in <acronym class="acronym">BIND</acronym> 8 to specify
-                the pathname to the <span class="command"><strong>named-xfer</strong></span>
-                program.  In <acronym class="acronym">BIND</acronym> 9, no separate
-                <span class="command"><strong>named-xfer</strong></span> program is needed;
-                its functionality is built into the name server.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>tkey-gssapi-keytab</strong></span></span></dt>
-<dd>
-              <p>
-                The KRB5 keytab file to use for GSS-TSIG updates. If
-                this option is set and tkey-gssapi-credential is not
-                set, then updates will be allowed with any key
-                matching a principal in the specified keytab.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>tkey-gssapi-credential</strong></span></span></dt>
-<dd>
-              <p>
-                The security credential with which the server should
-                authenticate keys requested by the GSS-TSIG protocol.
-                Currently only Kerberos 5 authentication is available
-                and the credential is a Kerberos principal which the
-                server can acquire through the default system key
-                file, normally <code class="filename">/etc/krb5.keytab</code>.
-                The location keytab file can be overridden using the
-                tkey-gssapi-keytab option. Normally this principal is
-                of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
-                To use GSS-TSIG, <span class="command"><strong>tkey-domain</strong></span> must
-                also be set if a specific keytab is not set with
-                tkey-gssapi-keytab.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>tkey-domain</strong></span></span></dt>
-<dd>
-              <p>
-                The domain appended to the names of all shared keys
-                generated with <span class="command"><strong>TKEY</strong></span>.  When a
-                client requests a <span class="command"><strong>TKEY</strong></span> exchange,
-                it may or may not specify the desired name for the
-                key. If present, the name of the shared key will
-                be <code class="varname">client specified part</code> +
-                <code class="varname">tkey-domain</code>.  Otherwise, the
-                name of the shared key will be <code class="varname">random hex
-                digits</code> + <code class="varname">tkey-domain</code>.
-                In most cases, the <span class="command"><strong>domainname</strong></span>
-                should be the server's domain name, or an otherwise
-                non-existent subdomain like
-                "_tkey.<code class="varname">domainname</code>".  If you are
-                using GSS-TSIG, this variable must be defined, unless
-                you specify a specific keytab using tkey-gssapi-keytab.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>tkey-dhkey</strong></span></span></dt>
-<dd>
-              <p>
-                The Diffie-Hellman key used by the server
-                to generate shared keys with clients using the Diffie-Hellman
-                mode
-                of <span class="command"><strong>TKEY</strong></span>. The server must be
-                able to load the
-                public and private keys from files in the working directory.
-                In
-                most cases, the <code class="varname">key_name</code> should be the server's host name.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>cache-file</strong></span></span></dt>
-<dd>
-              <p>
-                This is for testing only.  Do not use.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dump-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server dumps
-                the database to when instructed to do so with
-                <span class="command"><strong>rndc dumpdb</strong></span>.
-                If not specified, the default is <code class="filename">named_dump.db</code>.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>memstatistics-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server writes memory
-                usage statistics to on exit. If not specified,
-                the default is <code class="filename">named.memstats</code>.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>lock-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of a file on which <span class="command"><strong>named</strong></span> will
-                attempt to acquire a file lock when starting up for
-                the first time; if unsuccessful, the server will
-                will terminate, under the assumption that another
-                server is already running.  If not specified, the default is
-                <code class="filename">/var/run/named/named.lock</code>.
-              </p>
-              <p>
-                Specifying <span class="command"><strong>lock-file none</strong></span> disables the
-                use of a lock file.  <span class="command"><strong>lock-file</strong></span> is
-                ignored if <span class="command"><strong>named</strong></span> was run using the <code class="option">-X</code>
-                option, which overrides it.  Changes to
-                <span class="command"><strong>lock-file</strong></span> are ignored if
-                <span class="command"><strong>named</strong></span> is being reloaded or
-                reconfigured; it is only effective when the server is
-                first started up.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>pid-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server writes its process ID
-                in. If not specified, the default is
-                <code class="filename">/var/run/named/named.pid</code>.
-                The PID file is used by programs that want to send signals to
-                the running
-                name server. Specifying <span class="command"><strong>pid-file none</strong></span> disables the
-                use of a PID file &#8212; no file will be written and any
-                existing one will be removed.  Note that <span class="command"><strong>none</strong></span>
-                is a keyword, not a filename, and therefore is not enclosed
-                in
-                double quotes.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>recursing-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server dumps
-                the queries that are currently recursing when instructed
-                to do so with <span class="command"><strong>rndc recursing</strong></span>.
-                If not specified, the default is <code class="filename">named.recursing</code>.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>statistics-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server appends statistics
-                to when instructed to do so using <span class="command"><strong>rndc stats</strong></span>.
-                If not specified, the default is <code class="filename">named.stats</code> in the
-                server's current directory.  The format of the file is
-                described
-                in <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>bindkeys-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of a file to override the built-in trusted
-                keys provided by <span class="command"><strong>named</strong></span>.
-                See the discussion of <span class="command"><strong>dnssec-validation</strong></span>
-                for details.  If not specified, the default is
-                <code class="filename">/etc/bind.keys</code>.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>secroots-file</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file the server dumps
-                security roots to when instructed to do so with
-                <span class="command"><strong>rndc secroots</strong></span>.
-                If not specified, the default is
-                <code class="filename">named.secroots</code>.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>session-keyfile</strong></span></span></dt>
-<dd>
-              <p>
-                The pathname of the file into which to write a TSIG
-                session key generated by <span class="command"><strong>named</strong></span> for use by
-                <span class="command"><strong>nsupdate -l</strong></span>.  If not specified, the
-                default is <code class="filename">/var/run/named/session.key</code>.
-                (See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>, and in
-                particular the discussion of the
-                <span class="command"><strong>update-policy</strong></span> statement's
-                <strong class="userinput"><code>local</code></strong> option for more
-                information about this feature.)
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>session-keyname</strong></span></span></dt>
-<dd>
-              <p>
-                The key name to use for the TSIG session key.
-                If not specified, the default is "local-ddns".
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>session-keyalg</strong></span></span></dt>
-<dd>
-              <p>
-                The algorithm to use for the TSIG session key.
-                Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
-                hmac-sha384, hmac-sha512 and hmac-md5.  If not
-                specified, the default is hmac-sha256.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>port</strong></span></span></dt>
-<dd>
-              <p>
-                The UDP/TCP port number the server uses for
-                receiving and sending DNS protocol traffic.
-                The default is 53.  This option is mainly intended for server
-                testing;
-                a server using a port other than 53 will not be able to
-                communicate with
-                the global DNS.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dscp</strong></span></span></dt>
-<dd>
-              <p>
-                The global Differentiated Services Code Point (DSCP)
-                value to classify outgoing DNS traffic on operating
-                systems that support DSCP. Valid values are 0 through 63.
-                It is not configured by default.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>random-device</strong></span></span></dt>
-<dd>
-              <p>
-                Specifies a source of entropy to be used by the server.
-                This is a device or file from which to read entropy.
-                If it is a file, operations requiring entropy
-                will fail when the file has been exhausted.
-              </p>
-              <p>
-                Entropy is needed for cryptographic operations such as
-                TKEY transactions, dynamic update of signed zones, and
-                generation of TSIG session keys. It is also used for
-                seeding and stirring the pseudo-random number generator,
-                which is used for less critical functions requiring
-                randomness such as generation of DNS message transaction
-                ID's.
-              </p>
-              <p>
-                If <span class="command"><strong>random-device</strong></span> is not specified, or
-                if it is set to <code class="literal">none</code>, entropy will be
-                read from the random number generation function supplied
-                by the cryptographic library with which BIND was linked
-                (i.e.  OpenSSL or a PKCS#11 provider).
-              </p>
-              <p>
-                The <span class="command"><strong>random-device</strong></span> option takes
-                effect during the initial configuration load at server
-                startup time and is ignored on subsequent reloads.
-              </p>
-              <p>
-                If BIND is built with
-                <span class="command"><strong>configure --disable-crypto-rand</strong></span>, then
-                entropy is <span class="emphasis"><em>not</em></span> sourced from the
-                cryptographic library. In this case, if
-                <span class="command"><strong>random-device</strong></span> is not specified, the
-                default value is the system random device,
-                <code class="filename">/dev/random</code> or the equivalent.
-                This default can be overridden with
-                <span class="command"><strong>configure --with-randomdev</strong></span>.
-                If no system random device exists, then no entropy source
-                will be configured, and <span class="command"><strong>named</strong></span> will only
-                be able to use pseudo-random numbers.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>preferred-glue</strong></span></span></dt>
-<dd>
-              <p>
-                If specified, the listed type (A or AAAA) will be emitted
-                before other glue
-                in the additional section of a query response.
-                The default is to prefer A records when responding
-                to queries that arrived via IPv4 and AAAA when
-                responding to queries that arrived via IPv6.
-              </p>
-            </dd>
-<dt>
-<a name="root_delegation_only"></a><span class="term"><span class="command"><strong>root-delegation-only</strong></span></span>
-</dt>
-<dd>
-              <p>
-                Turn on enforcement of delegation-only in TLDs
-                (top level domains) and root zones with an optional
-                exclude list.
-              </p>
-              <p>
-                DS queries are expected to be made to and be answered by
-                delegation only zones.  Such queries and responses are
-                treated as an exception to delegation-only processing
-                and are not converted to NXDOMAIN responses provided
-                a CNAME is not discovered at the query name.
-              </p>
-              <p>
-                If a delegation only zone server also serves a child
-                zone it is not always possible to determine whether
-                an answer comes from the delegation only zone or the
-                child zone.  SOA NS and DNSKEY records are apex
-                only records and a matching response that contains
-                these records or DS is treated as coming from a
-                child zone.  RRSIG records are also examined to see
-                if they are signed by a child zone or not.  The
-                authority section is also examined to see if there
-                is evidence that the answer is from the child zone.
-                Answers that are determined to be from a child zone
-                are not converted to NXDOMAIN responses.  Despite
-                all these checks there is still a possibility of
-                false negatives when a child zone is being served.
-              </p>
-              <p>
-                Similarly false positives can arise from empty nodes
-                (no records at the name) in the delegation only zone
-                when the query type is not ANY.
-              </p>
-              <p>
-                Note some TLDs are not delegation only (e.g. "DE", "LV",
-                "US" and "MUSEUM").  This list is not exhaustive.
-              </p>
-
-<pre class="programlisting">
-options {
-        root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
-};
-</pre>
-
-            </dd>
-<dt><span class="term"><span class="command"><strong>disable-algorithms</strong></span></span></dt>
-<dd>
-              <p>
-                Disable the specified DNSSEC algorithms at and below the
-                specified name.
-                Multiple <span class="command"><strong>disable-algorithms</strong></span>
-                statements are allowed.
-                Only the best match <span class="command"><strong>disable-algorithms</strong></span>
-                clause will be used to determine which algorithms are used.
-              </p>
-              <p>
-                If all supported algorithms are disabled, the zones covered
-                by the <span class="command"><strong>disable-algorithms</strong></span> will be treated
-                as insecure.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>disable-ds-digests</strong></span></span></dt>
-<dd>
-              <p>
-                Disable the specified DS/DLV digest types at and below the
-                specified name.
-                Multiple <span class="command"><strong>disable-ds-digests</strong></span>
-                statements are allowed.
-                Only the best match <span class="command"><strong>disable-ds-digests</strong></span>
-                clause will be used to determine which digest types are used.
-              </p>
-              <p>
-                If all supported digest types are disabled, the zones covered
-                by the <span class="command"><strong>disable-ds-digests</strong></span> will be treated
-                as insecure.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-lookaside</strong></span></span></dt>
-<dd>
-              <p>
-                When set, <span class="command"><strong>dnssec-lookaside</strong></span> provides the
-                validator with an alternate method to validate DNSKEY
-                records at the top of a zone.  When a DNSKEY is at or
-                below a domain specified by the deepest
-                <span class="command"><strong>dnssec-lookaside</strong></span>, and the normal DNSSEC
-                validation has left the key untrusted, the trust-anchor
-                will be appended to the key name and a DLV record will be
-                looked up to see if it can validate the key.  If the DLV
-                record validates a DNSKEY (similarly to the way a DS
-                record does) the DNSKEY RRset is deemed to be trusted.
-              </p>
-              <p>
-                If <span class="command"><strong>dnssec-lookaside</strong></span> is set to
-                <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
-                is not used.
-              </p>
-              <p>
-                NOTE: The ISC-provided DLV service at
-                <code class="literal">dlv.isc.org</code>, has been shut down.
-                The <span class="command"><strong>dnssec-lookaside auto;</strong></span>
-                configuration option, which set <span class="command"><strong>named</strong></span>
-                up to use ISC DLV with minimal configuration, has
-                accordingly been removed.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-must-be-secure</strong></span></span></dt>
-<dd>
-              <p>
-                Specify hierarchies which must be or may not be secure
-                (signed and validated).  If <strong class="userinput"><code>yes</code></strong>,
-                then <span class="command"><strong>named</strong></span> will only accept answers if
-                they are secure.  If <strong class="userinput"><code>no</code></strong>, then normal
-                DNSSEC validation applies allowing for insecure answers to
-                be accepted.  The specified domain must be under a
-                <span class="command"><strong>trusted-keys</strong></span> or
-                <span class="command"><strong>managed-keys</strong></span> statement, or
-                <span class="command"><strong>dnssec-validation auto</strong></span> must be active.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt>
-<dd>
-              <p>
-                This directive instructs <span class="command"><strong>named</strong></span> to
-                return mapped IPv4 addresses to AAAA queries when
-                there are no AAAA records.  It is intended to be
-                used in conjunction with a NAT64.  Each
-                <span class="command"><strong>dns64</strong></span> defines one DNS64 prefix.
-                Multiple DNS64 prefixes can be defined.
-              </p>
-              <p>
-                Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
-                64 and 96 as per RFC 6052.
-              </p>
-              <p>
-                Additionally a reverse IP6.ARPA zone will be created for
-                the prefix to provide a mapping from the IP6.ARPA names
-                to the corresponding IN-ADDR.ARPA names using synthesized
-                CNAMEs.  <span class="command"><strong>dns64-server</strong></span> and
-                <span class="command"><strong>dns64-contact</strong></span> can be used to specify
-                the name of the server and contact for the zones. These
-                are settable at the view / options level.  These are
-                not settable on a per-prefix basis.
-              </p>
-              <p>
-                Each <span class="command"><strong>dns64</strong></span> supports an optional
-                <span class="command"><strong>clients</strong></span> ACL that determines which
-                clients are affected by this directive.  If not defined,
-                it defaults to <strong class="userinput"><code>any;</code></strong>.
-              </p>
-              <p>
-                Each <span class="command"><strong>dns64</strong></span> supports an optional
-                <span class="command"><strong>mapped</strong></span> ACL that selects which
-                IPv4 addresses are to be mapped in the corresponding
-                A RRset.  If not defined it defaults to
-                <strong class="userinput"><code>any;</code></strong>.
-              </p>
-              <p>
-                Normally, DNS64 won't apply to a domain name that
-                owns one or more AAAA records; these records will
-                simply be returned.  The optional
-                <span class="command"><strong>exclude</strong></span> ACL allows specification
-                of a list of IPv6 addresses that will be ignored
-                if they appear in a domain name's AAAA records, and
-                DNS64 will be applied to any A records the domain
-                name owns.  If not defined, <span class="command"><strong>exclude</strong></span>
-                defaults to ::ffff:0.0.0.0/96.
-              </p>
-              <p>
-                A optional <span class="command"><strong>suffix</strong></span> can also
-                be defined to set the bits trailing the mapped
-                IPv4 address bits.  By default these bits are
-                set to <strong class="userinput"><code>::</code></strong>.  The bits
-                matching the prefix and mapped IPv4 address
-                must be zero.
-              </p>
-              <p>
-                If <span class="command"><strong>recursive-only</strong></span> is set to
-                <span class="command"><strong>yes</strong></span> the DNS64 synthesis will
-                only happen for recursive queries.  The default
-                is <span class="command"><strong>no</strong></span>.
-              </p>
-              <p>
-                If <span class="command"><strong>break-dnssec</strong></span> is set to
-                <span class="command"><strong>yes</strong></span> the DNS64 synthesis will
-                happen even if the result, if validated, would
-                cause a DNSSEC validation failure.  If this option
-                is set to <span class="command"><strong>no</strong></span> (the default), the DO
-                is set on the incoming query, and there are RRSIGs on
-                the applicable records, then synthesis will not happen.
-              </p>
-<pre class="programlisting">
-        acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
-
-        dns64 64:FF9B::/96 {
-                clients { any; };
-                mapped { !rfc1918; any; };
-                exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
-                suffix ::;
-        };
-</pre>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  When a zone is configured with <span class="command"><strong>auto-dnssec
-                  maintain;</strong></span> its key repository must be checked
-                  periodically to see if any new keys have been added
-                  or any existing keys' timing metadata has been updated
-                  (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
-                  <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The
-                  <span class="command"><strong>dnssec-loadkeys-interval</strong></span> option
-                  sets the frequency of automatic repository checks, in
-                  minutes.  The default is <code class="literal">60</code> (1 hour),
-                  the minimum is <code class="literal">1</code> (1 minute), and the
-                  maximum is <code class="literal">1440</code> (24 hours); any higher
-                  value is silently reduced.
-                </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
-<dd>
-                <p>
-                  If this option is set to its default value of
-                  <code class="literal">maintain</code> in a zone of type
-                  <code class="literal">master</code> which is DNSSEC-signed
-                  and configured to allow dynamic updates (see
-                  <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>), and
-                  if <span class="command"><strong>named</strong></span> has access to the
-                  private signing key(s) for the zone, then
-                  <span class="command"><strong>named</strong></span> will automatically sign all new
-                  or changed records and maintain signatures for the zone
-                  by regenerating RRSIG records whenever they approach
-                  their expiration date.
-                </p>
-                <p>
-                  If the option is changed to <code class="literal">no-resign</code>,
-                  then <span class="command"><strong>named</strong></span> will sign all new or
-                  changed records, but scheduled maintenance of
-                  signatures is disabled.
-                </p>
-                <p>
-                  With either of these settings, <span class="command"><strong>named</strong></span>
-                  will reject updates to a DNSSEC-signed zone when the
-                  signing keys are inactive or unavailable to
-                  <span class="command"><strong>named</strong></span>.  (A planned third option,
-                  <code class="literal">external</code>, will disable all automatic
-                  signing and allow DNSSEC data to be submitted into a zone
-                  via dynamic update; this is not yet implemented.)
-                </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>nta-lifetime</strong></span></span></dt>
-<dd>
-                <p>
-                  Species the default lifetime, in seconds,
-                  that will be used for negative trust anchors added
-                  via <span class="command"><strong>rndc nta</strong></span>.
-                </p>
-                <p>
-                  A negative trust anchor selectively disables
-                  DNSSEC validation for zones that are known to be
-                  failing because of misconfiguration rather than
-                  an attack.  When data to be validated is
-                  at or below an active NTA (and above any other
-                  configured trust anchors), <span class="command"><strong>named</strong></span> will
-                  abort the DNSSEC validation process and treat the data as
-                  insecure rather than bogus.  This continues until the
-                  NTA's lifetime is elapsed. NTAs persist
-                  across <span class="command"><strong>named</strong></span> restarts.
-                </p>
-                <p>
-                  For convenience, TTL-style time unit suffixes can be
-                  used to specify the NTA lifetime in seconds, minutes
-                  or hours.  <code class="option">nta-lifetime</code> defaults to
-                  one hour.  It cannot exceed one week.
-                </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>nta-recheck</strong></span></span></dt>
-<dd>
-                <p>
-                  Species how often to check whether negative
-                  trust anchors added via <span class="command"><strong>rndc nta</strong></span>
-                  are still necessary.
-                </p>
-                <p>
-                  A negative trust anchor is normally used when a
-                  domain has stopped validating due to operator error;
-                  it temporarily disables DNSSEC validation for that
-                  domain. In the interest of ensuring that DNSSEC
-                  validation is turned back on as soon as possible,
-                  <span class="command"><strong>named</strong></span> will periodically send a
-                  query to the domain, ignoring negative trust anchors,
-                  to find out whether it can now be validated.  If so,
-                  the negative trust anchor is allowed to expire early.
-                </p>
-                <p>
-                  Validity checks can be disabled for an individual
-                  NTA by using <span class="command"><strong>rndc nta -f</strong></span>, or
-                  for all NTAs by setting <code class="option">nta-recheck</code>
-                  to zero.
-                </p>
-                <p>
-                  For convenience, TTL-style time unit suffixes can be
-                  used to specify the NTA recheck interval in seconds,
-                  minutes or hours.  The default is five minutes.  It
-                  cannot be longer than <code class="option">nta-lifetime</code>
-                  (which cannot be longer than a week).
-                </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
-<dd>
-              <p>
-                Specifies a maximum permissible TTL value in seconds.
-                For convenience, TTL-style time unit suffixes may be
-                used to specify the maximum value.
-                When loading a zone file using a
-                <code class="option">masterfile-format</code> of
-                <code class="constant">text</code> or <code class="constant">raw</code>,
-                any record encountered with a TTL higher than
-                <code class="option">max-zone-ttl</code> will cause the zone to
-                be rejected.
-              </p>
-              <p>
-                This is useful in DNSSEC-signed zones because when
-                rolling to a new DNSKEY, the old key needs to remain
-                available until RRSIG records have expired from
-                caches.  The <code class="option">max-zone-ttl</code> option guarantees
-                that the largest TTL in the zone will be no higher
-                than the set value.
-              </p>
-              <p>
-                (NOTE: Because <code class="constant">map</code>-format files
-                load directly into memory, this option cannot be
-                used with them.)
-              </p>
-              <p>
-                The default value is <code class="constant">unlimited</code>.
-                A <code class="option">max-zone-ttl</code> of zero is treated as
-                <code class="constant">unlimited</code>.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>stale-answer-ttl</strong></span></span></dt>
-<dd>
-              <p>
-                Specifies the TTL to be returned on stale answers.
-                The default is 1 second. The minimum allowed is
-                also 1 second; a value of 0 will be updated silently
-                to 1 second.  For stale answers to be returned,
-                they must be enabled (either in the configuration file
-                using <span class="command"><strong>stale-answer-enable</strong></span> or via
-                <span class="command"><strong>rndc</strong></span>), and
-                <code class="option">max-stale-ttl</code> must be set to a
-                nonzero value.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
-<dd>
-              <p>
-                Zones configured for dynamic DNS may use this
-                option to set the update method that will be used for
-                the zone serial number in the SOA record.
-              </p>
-              <p>
-                With the default setting of
-                <span class="command"><strong>serial-update-method increment;</strong></span>, the
-                SOA serial number will be incremented by one each time
-                the zone is updated.
-              </p>
-              <p>
-                When set to
-                <span class="command"><strong>serial-update-method unixtime;</strong></span>, the
-                SOA serial number will be set to the number of seconds
-                since the UNIX epoch, unless the serial number is
-                already greater than or equal to that value, in which
-                case it is simply incremented by one.
-              </p>
-              <p>
-                When set to
-                <span class="command"><strong>serial-update-method date;</strong></span>, the
-                new SOA serial number will be the current date
-                in the form "YYYYMMDD", followed by two zeroes,
-                unless the existing serial number is already greater
-                than or equal to that value, in which case it is
-                incremented by one.
-              </p>
-            </dd>
-<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt>
-<dd>
-              <p>
-                If <strong class="userinput"><code>full</code></strong>, the server will collect
-                statistical data on all zones (unless specifically
-                turned off on a per-zone basis by specifying
-                <span class="command"><strong>zone-statistics terse</strong></span> or
-                <span class="command"><strong>zone-statistics none</strong></span>
-                in the <span class="command"><strong>zone</strong></span> statement).
-                The default is <strong class="userinput"><code>terse</code></strong>, providing
-                minimal statistics on zones (including name and
-                current serial number, but not query type
-                counters).
-              </p>
-              <p>
-                These statistics may be accessed via the
-                <span class="command"><strong>statistics-channel</strong></span> or
-                using <span class="command"><strong>rndc stats</strong></span>, which
-                will dump them to the file listed
-                in the <span class="command"><strong>statistics-file</strong></span>.  See
-                also <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
-              </p>
-              <p>
-                For backward compatibility with earlier versions
-                of BIND 9, the <span class="command"><strong>zone-statistics</strong></span>
-                option can also accept <strong class="userinput"><code>yes</code></strong>
-                or <strong class="userinput"><code>no</code></strong>; <strong class="userinput"><code>yes</code></strong>
-                has the same meaning as <strong class="userinput"><code>full</code></strong>.
-                As of <acronym class="acronym">BIND</acronym> 9.10,
-                <strong class="userinput"><code>no</code></strong> has the same meaning
-                as <strong class="userinput"><code>none</code></strong>; previously, it
-                was the same as <strong class="userinput"><code>terse</code></strong>.
-              </p>
-            </dd>
-</dl></div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>automatic-interface-scan</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong> and supported by the OS,
-                  automatically rescan network interfaces when the interface
-                  addresses are added or removed.  The default is
-                  <strong class="userinput"><code>yes</code></strong>.
-                </p>
-                <p>
-                  Currently the OS needs to support routing sockets for
-                  <span class="command"><strong>automatic-interface-scan</strong></span> to be
-                  supported.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-new-zones</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong>, then zones can be
-                  added at runtime via <span class="command"><strong>rndc addzone</strong></span>.
-                  The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-                <p>
-                  Newly added zones' configuration parameters
-                  are stored so that they can persist after the
-                  server is restarted.  The configuration information
-                  is saved in a file called
-                  <code class="filename"><em class="replaceable"><code>viewname</code></em>.nzf</code>
-                  (or, if <span class="command"><strong>named</strong></span> is compiled with
-                  liblmdb, in an LMDB database file called
-                  <code class="filename"><em class="replaceable"><code>viewname</code></em>.nzd</code>).
-                  <em class="replaceable"><code>viewname</code></em> is the name of the
-                  view, unless the view name contains characters that are
-                  incompatible with use as a file name, in which case a
-                  cryptographic hash of the view name is used instead.
-                </p>
-                <p>
-                  Zones added at runtime will have their configuration
-                  stored either in a new-zone file (NZF) or a new-zone
-                  database (NZD) depending on whether
-                  <span class="command"><strong>named</strong></span> was linked with
-                  liblmdb at compile time.
-                  See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for further details
-                  about <span class="command"><strong>rndc addzone</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>auth-nxdomain</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong>, then the <span class="command"><strong>AA</strong></span> bit
-                  is always set on NXDOMAIN responses, even if the server is
-                  not actually
-                  authoritative. The default is <strong class="userinput"><code>no</code></strong>;
-                  this is
-                  a change from <acronym class="acronym">BIND</acronym> 8. If you
-                  are using very old DNS software, you
-                  may need to set it to <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>deallocate-on-exit</strong></span></span></dt>
-<dd>
-                <p>
-                  This option was used in <acronym class="acronym">BIND</acronym>
-                  8 to enable checking
-                  for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
-                  the checks.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>memstatistics</strong></span></span></dt>
-<dd>
-                <p>
-                  Write memory statistics to the file specified by
-                  <span class="command"><strong>memstatistics-file</strong></span> at exit.
-                  The default is <strong class="userinput"><code>no</code></strong> unless
-                  '-m record' is specified on the command line in
-                  which case it is <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong>, then the
-                  server treats all zones as if they are doing zone transfers
-                  across
-                  a dial-on-demand dialup link, which can be brought up by
-                  traffic
-                  originating from this server. This has different effects
-                  according
-                  to zone type and concentrates the zone maintenance so that
-                  it all
-                  happens in a short interval, once every <span class="command"><strong>heartbeat-interval</strong></span> and
-                  hopefully during the one call. It also suppresses some of
-                  the normal
-                  zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-                <p>
-                  The <span class="command"><strong>dialup</strong></span> option
-                  may also be specified in the <span class="command"><strong>view</strong></span> and
-                  <span class="command"><strong>zone</strong></span> statements,
-                  in which case it overrides the global <span class="command"><strong>dialup</strong></span>
-                  option.
-                </p>
-                <p>
-                  If the zone is a master zone, then the server will send out a
-                  NOTIFY
-                  request to all the slaves (default). This should trigger the
-                  zone serial
-                  number check in the slave (providing it supports NOTIFY)
-                  allowing the slave
-                  to verify the zone while the connection is active.
-                  The set of servers to which NOTIFY is sent can be controlled
-                  by
-                  <span class="command"><strong>notify</strong></span> and <span class="command"><strong>also-notify</strong></span>.
-                </p>
-                <p>
-                  If the
-                  zone is a slave or stub zone, then the server will suppress
-                  the regular
-                  "zone up to date" (refresh) queries and only perform them
-                  when the
-                  <span class="command"><strong>heartbeat-interval</strong></span> expires in
-                  addition to sending
-                  NOTIFY requests.
-                </p>
-                <p>
-                  Finer control can be achieved by using
-                  <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
-                  messages,
-                  <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
-                  messages and
-                  suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
-                  which suppresses normal refresh processing and sends refresh
-                  queries
-                  when the <span class="command"><strong>heartbeat-interval</strong></span>
-                  expires, and
-                  <strong class="userinput"><code>passive</code></strong> which just disables normal
-                  refresh
-                  processing.
-                </p>
-
-                <div class="informaltable">
-                  <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="1.150in" class="2">
-<col width="1.150in" class="3">
-<col width="1.150in" class="4">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                          <p>
-                            dialup mode
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            normal refresh
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            heart-beat refresh
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            heart-beat notify
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span class="command"><strong>no</strong></span> (default)</p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span class="command"><strong>yes</strong></span></p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span class="command"><strong>notify</strong></span></p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span class="command"><strong>refresh</strong></span></p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span class="command"><strong>passive</strong></span></p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span class="command"><strong>notify-passive</strong></span></p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-</tr>
-</tbody>
-</table>
-                </div>
-
-                <p>
-                  Note that normal NOTIFY processing is not affected by
-                  <span class="command"><strong>dialup</strong></span>.
-                </p>
-
-              </dd>
-<dt><span class="term"><span class="command"><strong>fake-iquery</strong></span></span></dt>
-<dd>
-                <p>
-                  In <acronym class="acronym">BIND</acronym> 8, this option
-                  enabled simulating the obsolete DNS query type
-                  IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
-                  IQUERY simulation.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt>
-<dd>
-                <p>
-                  This option is obsolete.
-                  In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
-                  caused the server to attempt to fetch glue resource records
-                  it
-                  didn't have when constructing the additional
-                  data section of a response.  This is now considered a bad
-                  idea
-                  and BIND 9 never does it.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>flush-zones-on-shutdown</strong></span></span></dt>
-<dd>
-                <p>
-                  When the nameserver exits due receiving SIGTERM,
-                  flush or do not flush any pending zone writes.  The default
-                  is
-                  <span class="command"><strong>flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>geoip-use-ecs</strong></span></span></dt>
-<dd>
-                <p>
-                  When BIND is compiled with GeoIP support and configured
-                  with "geoip" ACL elements, this option indicates whether
-                  the EDNS Client Subnet option, if present in a request,
-                  should be used for matching against the GeoIP database.
-                  The default is
-                  <span class="command"><strong>geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt>
-<dd>
-                <p>
-                  This option was incorrectly implemented
-                  in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
-                  To achieve the intended effect
-                  of
-                  <span class="command"><strong>has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
-                  the two separate options <span class="command"><strong>auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
-                  and <span class="command"><strong>rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>host-statistics</strong></span></span></dt>
-<dd>
-                <p>
-                  In BIND 8, this enabled keeping of
-                  statistics for every host that the name server interacts
-                  with.
-                  Not implemented in BIND 9.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>maintain-ixfr-base</strong></span></span></dt>
-<dd>
-                <p>
-                  <span class="emphasis"><em>This option is obsolete</em></span>.
-                  It was used in <acronym class="acronym">BIND</acronym> 8 to
-                  determine whether a transaction log was
-                  kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
-                  log whenever possible.  If you need to disable outgoing
-                  incremental zone
-                  transfers, use <span class="command"><strong>provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>message-compression</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong>, DNS name compression is
-                  used in responses to regular queries (not including
-                  AXFR or IXFR, which always uses compression).  Setting
-                  this option to <strong class="userinput"><code>no</code></strong> reduces CPU
-                  usage on servers and may improve throughput.  However,
-                  it increases response size, which may cause more queries
-                  to be processed using TCP; a server with compression
-                  disabled is out of compliance with RFC 1123 Section
-                  6.1.3.2. The default is <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt>
-<dd>
-                <p>
-                  If set to <strong class="userinput"><code>yes</code></strong>, then when generating
-                  responses the server will only add records to the authority
-                  and additional data sections when they are required (e.g.
-                  delegations, negative responses).  This may improve the
-                  performance of the server.
-                </p>
-                <p>
-                  When set to <strong class="userinput"><code>no-auth</code></strong>, the
-                  server will omit records from the authority section
-                  unless they are required, but it may still add
-                  records to the additional section.  When set to
-                  <strong class="userinput"><code>no-auth-recursive</code></strong>, this
-                  is only done if the query is recursive.  When the
-                  query is not recursive, the effect is same as if
-                  <strong class="userinput"><code>no</code></strong> was specified. These
-                  settings are useful when answering stub clients,
-                  which usually ignore the authority section.
-                  <strong class="userinput"><code>no-auth-recursive</code></strong> is
-                  designed for mixed-mode servers which handle
-                  both authoritative and recursive queries.
-                </p>
-                <p>
-                  The default is
-                  <strong class="userinput"><code>no-auth-recursive</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>glue-cache</strong></span></span></dt>
-<dd>
-                <p>
-                  When set to <strong class="userinput"><code>yes</code></strong>, a cache is
-                  used to improve query performance when adding
-                  address-type (A and AAAA) glue records to the
-                  additional section of DNS response messages that
-                  delegate to a child zone.
-                </p>
-                <p>
-                  The glue cache uses memory proportional to the number
-                  of delegations in the zone. The default setting is
-                  <strong class="userinput"><code>yes</code></strong>, which improves performance
-                  at the cost of increased memory usage for the zone. If
-                  you don't want this, set it to <strong class="userinput"><code>no</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>minimal-any</strong></span></span></dt>
-<dd>
-                <p>
-                  If set to <strong class="userinput"><code>yes</code></strong>, then when
-                  generating a positive response to a query of type
-                  ANY over UDP, the server will reply with only one
-                  of the RRsets for the query name, and its covering
-                  RRSIGs if any, instead of replying with all known
-                  RRsets for the name.  Similarly, a query for type
-                  RRSIG will be answered with the RRSIG records covering
-                  only one type. This can reduce the impact of some kinds
-                  of attack traffic, without harming legitimate
-                  clients.  (Note, however, that the RRset returned is the
-                  first one found in the database; it is not necessarily
-                  the smallest available RRset.)
-                  Additionally, <code class="option">minimal-responses</code> is
-                  turned on for these queries, so no unnecessary records
-                  will be added to the authority or additional sections.
-                  The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>multiple-cnames</strong></span></span></dt>
-<dd>
-                <p>
-                  This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
-                  a domain name to have multiple CNAME records in violation of
-                  the DNS standards.  <acronym class="acronym">BIND</acronym> 9.2 onwards
-                  always strictly enforces the CNAME rules both in master
-                  files and dynamic updates.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong> (the default),
-                  DNS NOTIFY messages are sent when a zone the server is
-                  authoritative for
-                  changes, see <a class="xref" href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.  The messages are
-                  sent to the
-                  servers listed in the zone's NS records (except the master
-                  server identified
-                  in the SOA MNAME field), and to any servers listed in the
-                  <span class="command"><strong>also-notify</strong></span> option.
-                </p>
-                <p>
-                  If <strong class="userinput"><code>master-only</code></strong>, notifies are only
-                  sent
-                  for master zones.
-                  If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
-                  to
-                  servers explicitly listed using <span class="command"><strong>also-notify</strong></span>.
-                  If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
-                </p>
-                <p>
-                  The <span class="command"><strong>notify</strong></span> option may also be
-                  specified in the <span class="command"><strong>zone</strong></span>
-                  statement,
-                  in which case it overrides the <span class="command"><strong>options notify</strong></span> statement.
-                  It would only be necessary to turn off this option if it
-                  caused slaves
-                  to crash.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
-                  in the NS RRset against the SOA MNAME.  Normally a NOTIFY
-                  message is not sent to the SOA MNAME (SOA ORIGIN) as it is
-                  supposed to contain the name of the ultimate master.
-                  Sometimes, however, a slave is listed as the SOA MNAME in
-                  hidden master configurations and in that case you would
-                  want the ultimate master to still send NOTIFY messages to
-                  all the nameservers listed in the NS RRset.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>recursion</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong>, and a
-                  DNS query requests recursion, then the server will attempt
-                  to do
-                  all the work required to answer the query. If recursion is
-                  off
-                  and the server does not already know the answer, it will
-                  return a
-                  referral response. The default is
-                  <strong class="userinput"><code>yes</code></strong>.
-                  Note that setting <span class="command"><strong>recursion no</strong></span> does not prevent
-                  clients from getting data from the server's cache; it only
-                  prevents new data from being cached as an effect of client
-                  queries.
-                  Caching may still occur as an effect the server's internal
-                  operation, such as NOTIFY address lookups.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>request-nsid</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
-                  NSID (Name Server Identifier) option is sent with all
-                  queries to authoritative name servers during iterative
-                  resolution. If the authoritative server returns an NSID
-                  option in its response, then its contents are logged in
-                  the <span class="command"><strong>resolver</strong></span> category at level
-                  <span class="command"><strong>info</strong></span>.
-                  The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>request-sit</strong></span></span></dt>
-<dd>
-                <p>
-                  This experimental option is obsolete.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>require-server-cookie</strong></span></span></dt>
-<dd>
-                <p>
-                  Require a valid server cookie before sending a full
-                  response to a UDP request from a cookie aware client.
-                  BADCOOKIE is sent if there is a bad or no existent
-                  server cookie.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong>, then a COOKIE EDNS
-                  option is sent along with the query.  If the
-                  resolver has previously talked to the server, the
-                  COOKIE returned in the previous transaction is sent.
-                  This is used by the server to determine whether
-                  the resolver has talked to it before. A resolver
-                  sending the correct COOKIE is assumed not to be an
-                  off-path attacker sending a spoofed-source query;
-                  the query is therefore unlikely to be part of a
-                  reflection/amplification attack, so resolvers
-                  sending a correct COOKIE option are not subject to
-                  response rate limiting (RRL).  Resolvers which
-                  do not send a correct COOKIE option may be limited
-                  to receiving smaller responses via the
-                  <span class="command"><strong>nocookie-udp-size</strong></span> option.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>stale-answer-enable</strong></span></span></dt>
-<dd>
-                <p>
-                  Enable the returning of stale answers when the
-                  nameservers for the zone are not answering.  This
-                  is off by default, but can be enabled/disabled via
-                  <span class="command"><strong>rndc serve-stale on</strong></span> and
-                  <span class="command"><strong>rndc serve-stale off</strong></span>, which
-                  override the <code class="filename">named.conf</code>
-                  setting.  <span class="command"><strong>rndc serve-stale reset</strong></span>
-                  restores the setting to the one specified in
-                  <code class="filename">named.conf</code>.  Note that
-                  reloading or reconfiguring <span class="command"><strong>named</strong></span>
-                  will not re-enable serving of stale records if they
-                  have been disabled via <span class="command"><strong>rndc</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>nocookie-udp-size</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the maximum size of UDP responses that will be
-                  sent to queries without a valid server COOKIE. A value
-                  below 128 will be silently raised to 128. The default
-                  value is 4096, but the <span class="command"><strong>max-udp-size</strong></span>
-                  option may further limit the response size.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>sit-secret</strong></span></span></dt>
-<dd>
-                <p>
-                  This experimental option is obsolete.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>cookie-algorithm</strong></span></span></dt>
-<dd>
-                <p>
-                  Set the algorithm to be used when generating the
-                  server cookie.  One of "aes", "sha1" or "sha256".
-                  The default is "aes" if supported by the cryptographic
-                  library or otherwise "sha256".
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>cookie-secret</strong></span></span></dt>
-<dd>
-                <p>
-                  If set, this is a shared secret used for generating
-                  and verifying EDNS COOKIE options
-                  within an anycast cluster.  If not set, the system
-                  will generate a random secret at startup.  The
-                  shared secret is encoded as a hex string and needs
-                  to be 128 bits for AES128, 160 bits for SHA1 and
-                  256 bits for SHA256.
-                </p>
-                <p>
-                  If there are multiple secrets specified, the first
-                  one listed in <code class="filename">named.conf</code> is
-                  used to generate new server cookies.  The others
-                  will only be used to verify returned cookies.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>response-padding</strong></span></span></dt>
-<dd>
-                <p>
-                  The EDNS Padding option is intended to improve
-                  confidentiality when DNS queries are sent over an
-                  encrypted channel by reducing the variability in
-                  packet sizes.  If a query:
-                  </p>
-<div class="orderedlist"><ol class="orderedlist" type="1">
-<li class="listitem">
-                      contains an EDNS Padding option,
-                    </li>
-<li class="listitem">
-                      includes a valid server cookie or uses TCP,
-                    </li>
-<li class="listitem">
-                      is <span class="emphasis"><em>not</em></span> signed using TSIG or
-                      SIG(0), and
-                    </li>
-<li class="listitem">
-                      is from a client whose address matches the specified ACL,
-                    </li>
-</ol></div>
-<p>
-                  then the response is padded with an EDNS Padding option
-                  to a multiple of <code class="varname">block-size</code> bytes.
-                  If these conditions are not met, the response is not
-                  padded.
-                </p>
-                <p>
-                  If <code class="varname">block-size</code> is 0 or the ACL is
-                  <span class="command"><strong>none;</strong></span>, then this feature is
-                  disabled and no padding will occur; this is the
-                  default.  If <code class="varname">block-size</code> is greater
-                  than 512, a warning is logged and the value is truncated
-                  to 512.  Block sizes are ordinarily expected to be powers
-                  of two (for instance, 128), but this is not mandatory.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>rfc2308-type1</strong></span></span></dt>
-<dd>
-                <p>
-                  Setting this to <strong class="userinput"><code>yes</code></strong> will
-                  cause the server to send NS records along with the SOA
-                  record for negative
-                  answers. The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                  <p>
-                    Not yet implemented in <acronym class="acronym">BIND</acronym>
-                    9.
-                  </p>
-                </div>
-              </dd>
-<dt><span class="term"><span class="command"><strong>trust-anchor-telemetry</strong></span></span></dt>
-<dd>
-                <p>
-                  Causes <span class="command"><strong>named</strong></span> to send specially-formed
-                  queries once per day to domains for which trust anchors
-                  have been configured via <span class="command"><strong>trusted-keys</strong></span>,
-                  <span class="command"><strong>managed-keys</strong></span>, or
-                  <span class="command"><strong>dnssec-validation auto</strong></span>.
-                </p>
-                <p>
-                  The query name used for these queries has the
-                  form "_ta-xxxx(-xxxx)(...)".&lt;domain&gt;, where
-                  each "xxxx" is a group of four hexadecimal digits
-                  representing the key ID of a trusted DNSSEC key.
-                  The key IDs for each domain are sorted smallest
-                  to largest prior to encoding. The query type is NULL.
-                </p>
-                <p>
-                  By monitoring these queries, zone operators will
-                  be able to see which resolvers have been updated to
-                  trust a new key; this may help them decide when it
-                  is safe to remove an old one.
-                </p>
-                <p>
-                  The default is <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>use-id-pool</strong></span></span></dt>
-<dd>
-                <p>
-                  <span class="emphasis"><em>This option is obsolete</em></span>.
-                  <acronym class="acronym">BIND</acronym> 9 always allocates query
-                  IDs from a pool.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>use-ixfr</strong></span></span></dt>
-<dd>
-                <p>
-                  <span class="emphasis"><em>This option is obsolete</em></span>.
-                  If you need to disable IXFR to a particular server or
-                  servers, see
-                  the information on the <span class="command"><strong>provide-ixfr</strong></span> option
-                  in <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
-            Usage&#8221;</a>.
-                  See also
-                  <a class="xref" href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>provide-ixfr</strong></span></span></dt>
-<dd>
-                <p>
-                  See the description of
-                  <span class="command"><strong>provide-ixfr</strong></span> in
-                  <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
-            Usage&#8221;</a>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>request-ixfr</strong></span></span></dt>
-<dd>
-                <p>
-                  See the description of
-                  <span class="command"><strong>request-ixfr</strong></span> in
-                  <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
-            Usage&#8221;</a>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>request-expire</strong></span></span></dt>
-<dd>
-                <p>
-                  See the description of
-                  <span class="command"><strong>request-expire</strong></span> in
-                  <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
-            Usage&#8221;</a>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>treat-cr-as-space</strong></span></span></dt>
-<dd>
-                <p>
-                  This option was used in <acronym class="acronym">BIND</acronym>
-                  8 to make
-                  the server treat carriage return ("<span class="command"><strong>\r</strong></span>") characters the same way
-                  as a space or tab character,
-                  to facilitate loading of zone files on a UNIX system that
-                  were generated
-                  on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span class="command"><strong>\n</strong></span>"
-                  and NT/DOS "<span class="command"><strong>\r\n</strong></span>" newlines
-                  are always accepted,
-                  and the option is ignored.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>match-mapped-addresses</strong></span></span></dt>
-<dd>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong>, then an
-                  IPv4-mapped IPv6 address will match any address match
-                  list entries that match the corresponding IPv4 address.
-                </p>
-                <p>
-                  This option was introduced to work around a kernel quirk
-                  in some operating systems that causes IPv4 TCP
-                  connections, such as zone transfers, to be accepted on an
-                  IPv6 socket using mapped addresses.  This caused address
-                  match lists designed for IPv4 to fail to match.  However,
-                  <span class="command"><strong>named</strong></span> now solves this problem
-                  internally.  The use of this option is discouraged.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
-<dd>
-                <p>
-                  This option is intended to help the
-                  transition from IPv4 to IPv6 by not giving IPv6 addresses
-                  to DNS clients unless they have connections to the IPv6
-                  Internet.  This is not recommended unless absolutely
-                  necessary.  The default is <strong class="userinput"><code>no</code></strong>.
-                  The <span class="command"><strong>filter-aaaa-on-v4</strong></span> option
-                  may also be specified in <span class="command"><strong>view</strong></span> statements
-                  to override the global <span class="command"><strong>filter-aaaa-on-v4</strong></span>
-                  option.
-                </p>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong>,
-                  the DNS client is at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
-                  and if the response does not include DNSSEC signatures,
-                  then all AAAA records are deleted from the response.
-                  This filtering applies to all responses and not only
-                  authoritative responses.
-                </p>
-                <p>
-                  If <strong class="userinput"><code>break-dnssec</code></strong>,
-                  then AAAA records are deleted even when DNSSEC is enabled.
-                  As suggested by the name, this makes the response not verify,
-                  because the DNSSEC protocol is designed detect deletions.
-                </p>
-                <p>
-                  This mechanism can erroneously cause other servers to
-                  not give AAAA records to their clients.
-                  A recursing server with both IPv6 and IPv4 network connections
-                  that queries an authoritative server using this mechanism
-                  via IPv4 will be denied AAAA records even if its client is
-                  using IPv6.
-                </p>
-                <p>
-                  This mechanism is applied to authoritative as well as
-                  non-authoritative records.
-                  A client using IPv4 that is not allowed recursion can
-                  erroneously be given AAAA records because the server is not
-                  allowed to check for A records.
-                </p>
-                <p>
-                  Some AAAA records are given to IPv4 clients in glue records.
-                  IPv4 clients that are servers can then erroneously
-                  answer requests for AAAA records received via IPv4.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v6</strong></span></span></dt>
-<dd>
-                <p>
-                  Identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
-                  except it filters AAAA responses to queries from IPv6
-                  clients instead of IPv4 clients.  To filter all
-                  responses, set both options to <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt>
-<dd>
-                <p>
-                  When <strong class="userinput"><code>yes</code></strong> and the server loads a new
-                  version of a master zone from its zone file or receives a
-                  new version of a slave file via zone transfer, it will
-                  compare the new version to the previous one and calculate
-                  a set of differences.  The differences are then logged in
-                  the zone's journal file such that the changes can be
-                  transmitted to downstream slaves as an incremental zone
-                  transfer.
-                </p>
-                <p>
-                  By allowing incremental zone transfers to be used for
-                  non-dynamic zones, this option saves bandwidth at the
-                  expense of increased CPU and memory consumption at the
-                  master.
-                  In particular, if the new version of a zone is completely
-                  different from the previous one, the set of differences
-                  will be of a size comparable to the combined size of the
-                  old and new zone version, and the server will need to
-                  temporarily allocate memory to hold this complete
-                  difference set.
-                </p>
-                <p><span class="command"><strong>ixfr-from-differences</strong></span>
-                  also accepts <span class="command"><strong>master</strong></span> (or
-                  <span class="command"><strong>primary</strong></span>) and
-                  <span class="command"><strong>slave</strong></span> (or <span class="command"><strong>secondary</strong></span>)
-                  at the view and options levels, which causes
-                  <span class="command"><strong>ixfr-from-differences</strong></span> to be enabled for
-                  all primary or secondary zones, respectively.
-                  It is off for all zones by default.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
-<dd>
-                <p>
-                  This should be set when you have multiple masters for a zone
-                  and the
-                  addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, <span class="command"><strong>named</strong></span> will
-                  not log
-                  when the serial number on the master is less than what <span class="command"><strong>named</strong></span>
-                  currently
-                  has.  The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt>
-<dd>
-                <p>
-                  Zones configured for dynamic DNS may use this
-                  option to allow varying levels of automatic DNSSEC key
-                  management. There are three possible settings:
-                </p>
-                <p>
-                  <span class="command"><strong>auto-dnssec allow;</strong></span> permits
-                  keys to be updated and the zone fully re-signed
-                  whenever the user issues the command <span class="command"><strong>rndc sign
-                  <em class="replaceable"><code>zonename</code></em></strong></span>.
-                </p>
-                <p>
-                  <span class="command"><strong>auto-dnssec maintain;</strong></span> includes the
-                  above, but also automatically adjusts the zone's DNSSEC
-                  keys on schedule, according to the keys' timing metadata
-                  (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
-                  <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The command
-                  <span class="command"><strong>rndc sign
-                  <em class="replaceable"><code>zonename</code></em></strong></span> causes
-                  <span class="command"><strong>named</strong></span> to load keys from the key
-                  repository and sign the zone with all keys that are
-                  active.
-                  <span class="command"><strong>rndc loadkeys
-                  <em class="replaceable"><code>zonename</code></em></strong></span> causes
-                  <span class="command"><strong>named</strong></span> to load keys from the key
-                  repository and schedule key maintenance events to occur
-                  in the future, but it does not sign the full zone
-                  immediately.  Note: once keys have been loaded for a
-                  zone the first time, the repository will be searched
-                  for changes periodically, regardless of whether
-                  <span class="command"><strong>rndc loadkeys</strong></span> is used.  The recheck
-                  interval is defined by
-                  <span class="command"><strong>dnssec-loadkeys-interval</strong></span>.)
-                </p>
-                <p>
-                  The default setting is <span class="command"><strong>auto-dnssec off</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-enable</strong></span></span></dt>
-<dd>
-                <p>
-                  This indicates whether DNSSEC-related resource
-                  records are to be returned by <span class="command"><strong>named</strong></span>.
-                  If set to <strong class="userinput"><code>no</code></strong>,
-                  <span class="command"><strong>named</strong></span> will not return DNSSEC-related
-                  resource records unless specifically queried for.
-                  The default is <strong class="userinput"><code>yes</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-validation</strong></span></span></dt>
-<dd>
-                <p>
-                  Enable DNSSEC validation in <span class="command"><strong>named</strong></span>.
-                  Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
-                  set to <strong class="userinput"><code>yes</code></strong> to be effective.
-                  If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
-                  is disabled.
-                </p>
-                <p>
-                  If set to <strong class="userinput"><code>auto</code></strong>, DNSSEC validation
-                  is enabled, and a default trust anchor for the DNS root
-                  zone is used.  If set to <strong class="userinput"><code>yes</code></strong>,
-                  DNSSEC validation is enabled, but a trust anchor must be
-                  manually configured using a <span class="command"><strong>trusted-keys</strong></span>
-                  or <span class="command"><strong>managed-keys</strong></span> statement.  The default
-                  is <strong class="userinput"><code>yes</code></strong>.
-                </p>
-                <p>
-                  The default root trust anchor is stored in the file
-                  <code class="filename">bind.keys</code>.
-                  <span class="command"><strong>named</strong></span> will load that key at
-                  startup if <span class="command"><strong>dnssec-validation</strong></span> is
-                  set to <code class="constant">auto</code>.  A copy of the file is
-                  installed along with BIND 9, and is current as of the
-                  release date.  If the root key expires, a new copy of
-                  <code class="filename">bind.keys</code> can be downloaded
-                  from <a class="link" href="https://www.isc.org/bind-keys" target="_top">https://www.isc.org/bind-keys</a>.
-                </p>
-                <p>
-                  To prevent problems if <code class="filename">bind.keys</code> is
-                  not found, the current trust anchor is also compiled in
-                  to <span class="command"><strong>named</strong></span>.  Relying on this is not
-                  recommended, however, as it requires <span class="command"><strong>named</strong></span>
-                  to be recompiled with a new key when the root key expires.)
-                </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                  <p>
-                    <span class="command"><strong>named</strong></span> <span class="emphasis"><em>only</em></span>
-                    loads the root key from <code class="filename">bind.keys</code>.
-                    The file cannot be used to store keys for other zones.
-                    The root key in <code class="filename">bind.keys</code> is ignored
-                    if <span class="command"><strong>dnssec-validation auto</strong></span> is not in
-                    use.
-                  </p>
-                  <p>
-                    Whenever the resolver sends out queries to an
-                    EDNS-compliant server, it always sets the DO bit
-                    indicating it can support DNSSEC responses even if
-                    <span class="command"><strong>dnssec-validation</strong></span> is off.
-                  </p>
-                </div>
-              </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-accept-expired</strong></span></span></dt>
-<dd>
-                <p>
-                  Accept expired signatures when verifying DNSSEC signatures.
-                  The default is <strong class="userinput"><code>no</code></strong>.
-                  Setting this option to <strong class="userinput"><code>yes</code></strong>
-                  leaves <span class="command"><strong>named</strong></span> vulnerable to
-                  replay attacks.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>querylog</strong></span></span></dt>
-<dd>
-                <p>
-                  Specify whether query logging should be started when <span class="command"><strong>named</strong></span>
-                  starts.
-                  If <span class="command"><strong>querylog</strong></span> is not specified,
-                  then the query logging
-                  is determined by the presence of the logging category <span class="command"><strong>queries</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
-<dd>
-                <p>
-                  This option is used to restrict the character set and syntax
-                  of
-                  certain domain names in master files and/or DNS responses
-                  received
-                  from the network.  The default varies according to usage
-                  area.  For
-                  <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>.
-                  For <span class="command"><strong>slave</strong></span> zones the default
-                  is <span class="command"><strong>warn</strong></span>.
-                  For answers received from the network (<span class="command"><strong>response</strong></span>)
-                  the default is <span class="command"><strong>ignore</strong></span>.
-                </p>
-                <p>
-                  The rules for legal hostnames and mail domains are derived
-                  from RFC 952 and RFC 821 as modified by RFC 1123.
-                </p>
-                <p><span class="command"><strong>check-names</strong></span>
-                  applies to the owner names of A, AAAA and MX records.
-                  It also applies to the domain names in the RDATA of NS, SOA,
-                  MX, and SRV records.
-                  It also applies to the RDATA of PTR records where the owner
-                  name indicated that it is a reverse lookup of a hostname
-                  (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>check-dup-records</strong></span></span></dt>
-<dd>
-                <p>
-                  Check master zones for records that are treated as different
-                  by DNSSEC but are semantically equal in plain DNS.  The
-                  default is to <span class="command"><strong>warn</strong></span>.  Other possible
-                  values are <span class="command"><strong>fail</strong></span> and
-                  <span class="command"><strong>ignore</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt>
-<dd>
-                <p>
-                  Check whether the MX record appears to refer to a IP address.
-                  The default is to <span class="command"><strong>warn</strong></span>.  Other possible
-                  values are <span class="command"><strong>fail</strong></span> and
-                  <span class="command"><strong>ignore</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt>
-<dd>
-                <p>
-                  This option is used to check for non-terminal wildcards.
-                  The use of non-terminal wildcards is almost always as a
-                  result of a failure
-                  to understand the wildcard matching algorithm (RFC 1034).
-                  This option
-                  affects master zones.  The default (<span class="command"><strong>yes</strong></span>) is to check
-                  for non-terminal wildcards and issue a warning.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt>
-<dd>
-                <p>
-                  Perform post load zone integrity checks on master
-                  zones.  This checks that MX and SRV records refer
-                  to address (A or AAAA) records and that glue
-                  address records exist for delegated zones.  For
-                  MX and SRV records only in-zone hostnames are
-                  checked (for out-of-zone hostnames use
-                  <span class="command"><strong>named-checkzone</strong></span>).
-                  For NS records only names below top of zone are
-                  checked (for out-of-zone names and glue consistency
-                  checks use <span class="command"><strong>named-checkzone</strong></span>).
-                  The default is <span class="command"><strong>yes</strong></span>.
-                </p>
-                <p>
-                  The use of the SPF record for publishing Sender
-                  Policy Framework is deprecated as the migration
-                  from using TXT records to SPF records was abandoned.
-                  Enabling this option also checks that a TXT Sender
-                  Policy Framework record exists (starts with "v=spf1")
-                  if there is an SPF record. Warnings are emitted if the
-                  TXT record does not exist and can be suppressed with
-                  <span class="command"><strong>check-spf</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>check-mx-cname</strong></span></span></dt>
-<dd>
-                <p>
-                  If <span class="command"><strong>check-integrity</strong></span> is set then
-                  fail, warn or ignore MX records that refer
-                  to CNAMES.  The default is to <span class="command"><strong>warn</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>check-srv-cname</strong></span></span></dt>
-<dd>
-                <p>
-                  If <span class="command"><strong>check-integrity</strong></span> is set then
-                  fail, warn or ignore SRV records that refer
-                  to CNAMES.  The default is to <span class="command"><strong>warn</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt>
-<dd>
-                <p>
-                  When performing integrity checks, also check that
-                  sibling glue exists.  The default is <span class="command"><strong>yes</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt>
-<dd>
-                <p>
-                  If <span class="command"><strong>check-integrity</strong></span> is set then
-                  check that there is a TXT Sender Policy Framework
-                  record present (starts with "v=spf1") if there is an
-                  SPF record present. The default is
-                  <span class="command"><strong>warn</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt>
-<dd>
-                <p>
-                  When returning authoritative negative responses to
-                  SOA queries set the TTL of the SOA record returned in
-                  the authority section to zero.
-                  The default is <span class="command"><strong>yes</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl-cache</strong></span></span></dt>
-<dd>
-                <p>
-                  When caching a negative response to a SOA query
-                  set the TTL to zero.
-                  The default is <span class="command"><strong>no</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt>
-<dd>
-                <p>
-                  When set to the default value of <code class="literal">yes</code>,
-                  check the KSK bit in each key to determine how the key
-                  should be used when generating RRSIGs for a secure zone.
-                </p>
-                <p>
-                  Ordinarily, zone-signing keys (that is, keys without the
-                  KSK bit set) are used to sign the entire zone, while
-                  key-signing keys (keys with the KSK bit set) are only
-                  used to sign the DNSKEY RRset at the zone apex.
-                  However, if this option is set to <code class="literal">no</code>,
-                  then the KSK bit is ignored; KSKs are treated as if they
-                  were ZSKs and are used to sign the entire zone.  This is
-                  similar to the <span class="command"><strong>dnssec-signzone -z</strong></span>
-                  command line option.
-                </p>
-                <p>
-                  When this option is set to <code class="literal">yes</code>, there
-                  must be at least two active keys for every algorithm
-                  represented in the DNSKEY RRset: at least one KSK and one
-                  ZSK per algorithm.  If there is any algorithm for which
-                  this requirement is not met, this option will be ignored
-                  for that algorithm.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt>
-<dd>
-                <p>
-                  When this option and <span class="command"><strong>update-check-ksk</strong></span>
-                  are both set to <code class="literal">yes</code>, only key-signing
-                  keys (that is, keys with the KSK bit set) will be used
-                  to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex.
-                  Zone-signing keys (keys without the KSK bit set) will be used
-                  to sign the remainder of the zone, but not the DNSKEY RRset.
-                  This is similar to the
-                  <span class="command"><strong>dnssec-signzone -x</strong></span> command line option.
-                </p>
-                <p>
-                  The default is <span class="command"><strong>no</strong></span>.  If
-                  <span class="command"><strong>update-check-ksk</strong></span> is set to
-                  <code class="literal">no</code>, this option is ignored.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt>
-<dd>
-                <p>
-                  Try to refresh the zone using TCP if UDP queries fail.
-                  For BIND 8 compatibility, the default is
-                  <span class="command"><strong>yes</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt>
-<dd>
-                <p>
-                  Allow a dynamic zone to transition from secure to
-                  insecure (i.e., signed to unsigned) by deleting all
-                  of the DNSKEY records.  The default is <span class="command"><strong>no</strong></span>.
-                  If set to <span class="command"><strong>yes</strong></span>, and if the DNSKEY RRset
-                  at the zone apex is deleted, all RRSIG and NSEC records
-                  will be removed from the zone as well.
-                </p>
-                <p>
-                  If the zone uses NSEC3, then it is also necessary to
-                  delete the NSEC3PARAM RRset from the zone apex; this will
-                  cause the removal of all corresponding NSEC3 records.
-                  (It is expected that this requirement will be eliminated
-                  in a future release.)
-                </p>
-                <p>
-                  Note that if a zone has been configured with
-                  <span class="command"><strong>auto-dnssec maintain</strong></span> and the
-                  private keys remain accessible in the key repository,
-                  then the zone will be automatically signed again the
-                  next time <span class="command"><strong>named</strong></span> is started.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>synth-from-dnssec</strong></span></span></dt>
-<dd>
-                <p>
-                  Synthesize answers from cached NSEC, NSEC3 and
-                  other RRsets that have been proved to be correct
-                  using DNSSEC.  The default is <span class="command"><strong>yes</strong></span>.
-                </p>
-                <p>
-                  Note:
-                  </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-                      <p>
-                        DNSSEC validation must be enabled for this
-                        option to be effective.
-                      </p>
-                      <p>
-                        This initial implementation only covers synthesis
-                        of answers from NSEC records.  Synthesis from NSEC3
-                        is planned for the future.  This will also be
-                        controlled by <span class="command"><strong>synth-from-dnssec</strong></span>.
-                      </p>
-                    </li></ul></div>
-<p>
-                </p>
-              </dd>
-</dl></div>
-
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="forwarding"></a>Forwarding</h4></div></div></div>
-
-          <p>
-            The forwarding facility can be used to create a large site-wide
-            cache on a few servers, reducing traffic over links to external
-            name servers. It can also be used to allow queries by servers that
-            do not have direct access to the Internet, but wish to look up
-            exterior
-            names anyway. Forwarding occurs only on those queries for which
-            the server is not authoritative and does not have the answer in
-            its cache.
-          </p>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
-<dd>
-                <p>
-                  This option is only meaningful if the
-                  forwarders list is not empty. A value of <code class="varname">first</code>,
-                  the default, causes the server to query the forwarders
-                  first &#8212; and
-                  if that doesn't answer the question, the server will then
-                  look for
-                  the answer itself. If <code class="varname">only</code> is
-                  specified, the
-                  server will only query the forwarders.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies the IP addresses to be used
-                  for forwarding. The default is the empty list (no
-                  forwarding).
-                </p>
-              </dd>
-</dl></div>
-
-          <p>
-            Forwarding can also be configured on a per-domain basis, allowing
-            for the global forwarding options to be overridden in a variety
-            of ways. You can set particular domains to use different
-            forwarders,
-            or have a different <span class="command"><strong>forward only/first</strong></span> behavior,
-            or not forward at all, see <a class="xref" href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called &#8220;<span class="command"><strong>zone</strong></span>
-            Statement Grammar&#8221;</a>.
-          </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="dual_stack"></a>Dual-stack Servers</h4></div></div></div>
-
-          <p>
-            Dual-stack servers are used as servers of last resort to work
-            around
-            problems in reachability due the lack of support for either IPv4
-            or IPv6
-            on the host machine.
-          </p>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>dual-stack-servers</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies host names or addresses of machines with access to
-                  both IPv4 and IPv6 transports. If a hostname is used, the
-                  server must be able
-                  to resolve the name using only the transport it has.  If the
-                  machine is dual
-                  stacked, then the <span class="command"><strong>dual-stack-servers</strong></span> have no effect unless
-                  access to a transport has been disabled on the command line
-                  (e.g. <span class="command"><strong>named -4</strong></span>).
-                </p>
-              </dd>
-</dl></div>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="access_control"></a>Access Control</h4></div></div></div>
-
-
-          <p>
-            Access to the server can be restricted based on the IP address
-            of the requesting system. See <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
-            details on how to specify IP address lists.
-          </p>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to
-                  notify this server, a slave, of zone changes in addition
-                  to the zone masters.
-                  <span class="command"><strong>allow-notify</strong></span> may also be
-                  specified in the
-                  <span class="command"><strong>zone</strong></span> statement, in which case
-                  it overrides the
-                  <span class="command"><strong>options allow-notify</strong></span>
-                  statement.  It is only meaningful
-                  for a slave zone.  If not specified, the default is to
-                  process notify messages
-                  only from a zone's master.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to ask ordinary
-                  DNS questions. <span class="command"><strong>allow-query</strong></span> may
-                  also be specified in the <span class="command"><strong>zone</strong></span>
-                  statement, in which case it overrides the
-                  <span class="command"><strong>options allow-query</strong></span> statement.
-                  If not specified, the default is to allow queries
-                  from all hosts.
-                </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                  <p>
-                    <span class="command"><strong>allow-query-cache</strong></span> is now
-                    used to specify access to the cache.
-                  </p>
-                </div>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which local addresses can accept ordinary
-                  DNS questions. This makes it possible, for instance,
-                  to allow queries on internal-facing interfaces but
-                  disallow them on external-facing ones, without
-                  necessarily knowing the internal network's addresses.
-                </p>
-                <p>
-                  Note that <span class="command"><strong>allow-query-on</strong></span> is only
-                  checked for queries that are permitted by
-                  <span class="command"><strong>allow-query</strong></span>.  A query must be
-                  allowed by both ACLs, or it will be refused.
-                </p>
-                <p>
-                  <span class="command"><strong>allow-query-on</strong></span> may
-                  also be specified in the <span class="command"><strong>zone</strong></span>
-                  statement, in which case it overrides the
-                  <span class="command"><strong>options allow-query-on</strong></span> statement.
-                </p>
-                <p>
-                  If not specified, the default is to allow queries
-                  on all addresses.
-                </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                  <p>
-                    <span class="command"><strong>allow-query-cache</strong></span> is
-                    used to specify access to the cache.
-                  </p>
-                </div>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-query-cache</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to get answers
-                  from the cache.  If <span class="command"><strong>allow-query-cache</strong></span>
-                  is not set then <span class="command"><strong>allow-recursion</strong></span>
-                  is used if set, otherwise <span class="command"><strong>allow-query</strong></span>
-                  is used if set unless <span class="command"><strong>recursion no;</strong></span> is
-                  set in which case <span class="command"><strong>none;</strong></span> is used,
-                  otherwise the default (<span class="command"><strong>localnets;</strong></span>
-                  <span class="command"><strong>localhost;</strong></span>) is used.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-query-cache-on</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which local addresses can give answers
-                  from the cache.  If not specified, the default is
-                  to allow cache queries on any address,
-                  <span class="command"><strong>localnets</strong></span> and
-                  <span class="command"><strong>localhost</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-recursion</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to make recursive
-                  queries through this server. If
-                  <span class="command"><strong>allow-recursion</strong></span> is not set
-                  then <span class="command"><strong>allow-query-cache</strong></span> is
-                  used if set, otherwise <span class="command"><strong>allow-query</strong></span>
-                  is used if set, otherwise the default
-                  (<span class="command"><strong>localnets;</strong></span>
-                  <span class="command"><strong>localhost;</strong></span>) is used.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-recursion-on</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which local addresses can accept recursive
-                  queries.  If not specified, the default is to allow
-                  recursive queries on all addresses.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to
-                  submit Dynamic DNS updates for master zones. The default is
-                  to deny
-                  updates from all hosts.  Note that allowing updates based
-                  on the requestor's IP address is insecure; see
-                  <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to
-                  submit Dynamic DNS updates to slave zones to be forwarded to
-                  the
-                  master.  The default is <strong class="userinput"><code>{ none; }</code></strong>,
-                  which
-                  means that no update forwarding will be performed.  To
-                  enable
-                  update forwarding, specify
-                  <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
-                  Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
-                  <strong class="userinput"><code>{ any; }</code></strong> is usually
-                  counterproductive, since
-                  the responsibility for update access control should rest
-                  with the
-                  master server, not the slaves.
-                </p>
-                <p>
-                  Note that enabling the update forwarding feature on a slave
-                  server
-                  may expose master servers relying on insecure IP address
-                  based
-                  access control to attacks; see <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
-                  for more details.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt>
-<dd>
-                <p>
-                  This option was introduced for the smooth transition from
-                  AAAA
-                  to A6 and from "nibble labels" to binary labels.
-                  However, since both A6 and binary labels were then
-                  deprecated,
-                  this option was also deprecated.
-                  It is now ignored with some warning messages.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies which hosts are allowed to
-                  receive zone transfers from the server. <span class="command"><strong>allow-transfer</strong></span> may
-                  also be specified in the <span class="command"><strong>zone</strong></span>
-                  statement, in which
-                  case it overrides the <span class="command"><strong>options allow-transfer</strong></span> statement.
-                  If not specified, the default is to allow transfers to all
-                  hosts.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>blackhole</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies a list of addresses that the
-                  server will not accept queries from or use to resolve a
-                  query. Queries
-                  from these addresses will not be responded to. The default
-                  is <strong class="userinput"><code>none</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies a list of addresses to which
-                  <span class="command"><strong>filter-aaaa-on-v4</strong></span>
-                  and <span class="command"><strong>filter-aaaa-on-v6</strong></span>
-                  apply.  The default is <strong class="userinput"><code>any</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>keep-response-order</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies a list of addresses to which the server
-                  will send responses to TCP queries in the same order
-                  in which they were received.  This disables the
-                  processing of TCP queries in parallel. The default
-                  is <strong class="userinput"><code>none</code></strong>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>no-case-compress</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies a list of addresses which require responses
-                  to use case-insensitive compression.  This ACL can be
-                  used when <span class="command"><strong>named</strong></span> needs to work with
-                  clients that do not comply with the requirement in RFC
-                  1034 to use case-insensitive name comparisons when
-                  checking for matching domain names.
-                </p>
-                <p>
-                  If left undefined, the ACL defaults to
-                  <span class="command"><strong>none</strong></span>: case-insensitive compression
-                  will be used for all clients.  If the ACL is defined and
-                  matches a client, then case will be ignored when
-                  compressing domain names in DNS responses sent to that
-                  client.
-                </p>
-                <p>
-                  This can result in slightly smaller responses: if
-                  a response contains the names "example.com" and
-                  "example.COM", case-insensitive compression would treat
-                  the second one as a duplicate.  It also ensures
-                  that the case of the query name exactly matches the
-                  case of the owner names of returned records, rather
-                  than matching the case of the records entered in
-                  the zone file.  This allows responses to exactly
-                  match the query, which is required by some clients
-                  due to incorrect use of case-sensitive comparisons.
-                </p>
-                <p>
-                  Case-insensitive compression is <span class="emphasis"><em>always</em></span>
-                  used in AXFR and IXFR responses, regardless of whether
-                  the client matches this ACL.
-                </p>
-                <p>
-                  There are circumstances in which <span class="command"><strong>named</strong></span>
-                  will not preserve the case of owner names of records:
-                  if a zone file defines records of different types with
-                  the same name, but the capitalization of the name is
-                  different (e.g., "www.example.com/A" and
-                  "WWW.EXAMPLE.COM/AAAA"), then all responses for that
-                  name will use the <span class="emphasis"><em>first</em></span> version
-                  of the name that was used in the zone file.  This
-                  limitation may be addressed in a future release.  However,
-                  domain names specified in the rdata of resource records
-                  (i.e., records of type NS, MX, CNAME, etc) will always
-                  have their case preserved unless the client matches this
-                  ACL.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>resolver-query-timeout</strong></span></span></dt>
-<dd>
-                <p>
-                  The amount of time in milliseconds that the resolver
-                  will spend attempting to resolve a recursive
-                  query before failing.  The default and minimum
-                  is <code class="literal">10000</code> and the maximum is
-                  <code class="literal">30000</code>.  Setting it to
-                  <code class="literal">0</code> will result in the default
-                  being used.
-                </p>
-                <p>
-                  This value was originally specified in seconds.
-                  Values less than or equal to 300 will be be treated
-                  as seconds and converted to milliseconds before
-                  applying the above limits.
-                </p>
-              </dd>
-</dl></div>
-
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="interfaces"></a>Interfaces</h4></div></div></div>
-
-          <p>
-            The interfaces and ports that the server will answer queries
-            from may be specified using the <span class="command"><strong>listen-on</strong></span> option. <span class="command"><strong>listen-on</strong></span> takes
-            an optional port and an <code class="varname">address_match_list</code>
-            of IPv4 addresses.  (IPv6 addresses are ignored, with a
-            logged warning.)
-            The server will listen on all interfaces allowed by the address
-            match list. If a port is not specified, port 53 will be used.
-          </p>
-          <p>
-            Multiple <span class="command"><strong>listen-on</strong></span> statements are
-            allowed.
-            For example,
-          </p>
-
-<pre class="programlisting">listen-on { 5.6.7.8; };
-listen-on port 1234 { !1.2.3.4; 1.2/16; };
-</pre>
-
-          <p>
-            will enable the name server on port 53 for the IP address
-            5.6.7.8, and on port 1234 of an address on the machine in net
-            1.2 that is not 1.2.3.4.
-          </p>
-
-          <p>
-            If no <span class="command"><strong>listen-on</strong></span> is specified, the
-            server will listen on port 53 on all IPv4 interfaces.
-          </p>
-
-          <p>
-            The <span class="command"><strong>listen-on-v6</strong></span> option is used to
-            specify the interfaces and the ports on which the server will
-            listen for incoming queries sent using IPv6.  If not specified,
-            the server will listen on port 53 on all IPv6 interfaces.
-          </p>
-
-          <p>
-            When </p>
-<pre class="programlisting">{ any; }</pre>
-<p> is
-            specified
-            as the <code class="varname">address_match_list</code> for the
-            <span class="command"><strong>listen-on-v6</strong></span> option,
-            the server does not bind a separate socket to each IPv6 interface
-            address as it does for IPv4 if the operating system has enough API
-            support for IPv6 (specifically if it conforms to RFC 3493 and RFC
-            3542).
-            Instead, it listens on the IPv6 wildcard address.
-            If the system only has incomplete API support for IPv6, however,
-            the behavior is the same as that for IPv4.
-          </p>
-
-          <p>
-            A list of particular IPv6 addresses can also be specified, in
-            which case
-            the server listens on a separate socket for each specified
-            address,
-            regardless of whether the desired API is supported by the system.
-            IPv4 addresses specified in <span class="command"><strong>listen-on-v6</strong></span>
-            will be ignored, with a logged warning.
-          </p>
-
-          <p>
-            Multiple <span class="command"><strong>listen-on-v6</strong></span> options can
-            be used.
-            For example,
-          </p>
-
-<pre class="programlisting">listen-on-v6 { any; };
-listen-on-v6 port 1234 { !2001:db8::/32; any; };
-</pre>
-
-          <p>
-            will enable the name server on port 53 for any IPv6 addresses
-            (with a single wildcard socket),
-            and on port 1234 of IPv6 addresses that is not in the prefix
-            2001:db8::/32 (with separate sockets for each matched address.)
-          </p>
-
-          <p>
-            To make the server not listen on any IPv6 address, use
-          </p>
-
-<pre class="programlisting">listen-on-v6 { none; };
-</pre>
-
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="query_address"></a>Query Address</h4></div></div></div>
-
-          <p>
-            If the server doesn't know the answer to a question, it will
-            query other name servers. <span class="command"><strong>query-source</strong></span> specifies
-            the address and port used for such queries. For queries sent over
-            IPv6, there is a separate <span class="command"><strong>query-source-v6</strong></span> option.
-            If <span class="command"><strong>address</strong></span> is <span class="command"><strong>*</strong></span> (asterisk) or is omitted,
-            a wildcard IP address (<span class="command"><strong>INADDR_ANY</strong></span>)
-            will be used.
-          </p>
-
-          <p>
-            If <span class="command"><strong>port</strong></span> is <span class="command"><strong>*</strong></span> or is omitted,
-            a random port number from a pre-configured
-            range is picked up and will be used for each query.
-            The port range(s) is that specified in
-            the <span class="command"><strong>use-v4-udp-ports</strong></span> (for IPv4)
-            and <span class="command"><strong>use-v6-udp-ports</strong></span> (for IPv6)
-            options, excluding the ranges specified in
-            the <span class="command"><strong>avoid-v4-udp-ports</strong></span>
-            and <span class="command"><strong>avoid-v6-udp-ports</strong></span> options, respectively.
-          </p>
-
-          <p>
-            The defaults of the <span class="command"><strong>query-source</strong></span> and
-            <span class="command"><strong>query-source-v6</strong></span> options
-            are:
-          </p>
-
-<pre class="programlisting">query-source address * port *;
-query-source-v6 address * port *;
-</pre>
-
-          <p>
-            If <span class="command"><strong>use-v4-udp-ports</strong></span> or
-            <span class="command"><strong>use-v6-udp-ports</strong></span> is unspecified,
-            <span class="command"><strong>named</strong></span> will check if the operating
-            system provides a programming interface to retrieve the
-            system's default range for ephemeral ports.
-            If such an interface is available,
-            <span class="command"><strong>named</strong></span> will use the corresponding system
-            default range; otherwise, it will use its own defaults:
-         </p>
-
-<pre class="programlisting">use-v4-udp-ports { range 1024 65535; };
-use-v6-udp-ports { range 1024 65535; };
-</pre>
-
-          <p>
-            Note: make sure the ranges be sufficiently large for
-            security.  A desirable size depends on various parameters,
-            but we generally recommend it contain at least 16384 ports
-            (14 bits of entropy).
-            Note also that the system's default range when used may be
-            too small for this purpose, and that the range may even be
-            changed while <span class="command"><strong>named</strong></span> is running; the new
-            range will automatically be applied when <span class="command"><strong>named</strong></span>
-            is reloaded.
-            It is encouraged to
-            configure <span class="command"><strong>use-v4-udp-ports</strong></span> and
-            <span class="command"><strong>use-v6-udp-ports</strong></span> explicitly so that the
-            ranges are sufficiently large and are reasonably
-            independent from the ranges used by other applications.
-          </p>
-
-          <p>
-            Note: the operational configuration
-            where <span class="command"><strong>named</strong></span> runs may prohibit the use
-            of some ports.  For example, UNIX systems will not allow
-            <span class="command"><strong>named</strong></span> running without a root privilege
-            to use ports less than 1024.
-            If such ports are included in the specified (or detected)
-            set of query ports, the corresponding query attempts will
-            fail, resulting in resolution failures or delay.
-            It is therefore important to configure the set of ports
-            that can be safely used in the expected operational environment.
-          </p>
-
-          <p>
-            The defaults of the <span class="command"><strong>avoid-v4-udp-ports</strong></span> and
-            <span class="command"><strong>avoid-v6-udp-ports</strong></span> options
-            are:
-          </p>
-
-<pre class="programlisting">avoid-v4-udp-ports {};
-avoid-v6-udp-ports {};
-</pre>
-
-          <p>
-            Note: BIND 9.5.0 introduced
-            the <span class="command"><strong>use-queryport-pool</strong></span>
-            option to support a pool of such random ports, but this
-            option is now obsolete because reusing the same ports in
-            the pool may not be sufficiently secure.
-            For the same reason, it is generally strongly discouraged to
-            specify a particular port for the
-            <span class="command"><strong>query-source</strong></span> or
-            <span class="command"><strong>query-source-v6</strong></span> options;
-            it implicitly disables the use of randomized port numbers.
-          </p>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>use-queryport-pool</strong></span></span></dt>
-<dd>
-                <p>
-                  This option is obsolete.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>queryport-pool-ports</strong></span></span></dt>
-<dd>
-                <p>
-                  This option is obsolete.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>queryport-pool-updateinterval</strong></span></span></dt>
-<dd>
-                <p>
-                  This option is obsolete.
-                </p>
-              </dd>
-</dl></div>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-            <p>
-              The address specified in the <span class="command"><strong>query-source</strong></span> option
-              is used for both UDP and TCP queries, but the port applies only
-              to UDP queries.  TCP queries always use a random
-              unprivileged port.
-            </p>
-          </div>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-            <p>
-              Solaris 2.5.1 and earlier does not support setting the source
-              address for TCP sockets.
-            </p>
-          </div>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-            <p>
-              See also <span class="command"><strong>transfer-source</strong></span> and
-              <span class="command"><strong>notify-source</strong></span>.
-            </p>
-          </div>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
-
-          <p>
-            <acronym class="acronym">BIND</acronym> has mechanisms in place to
-            facilitate zone transfers
-            and set limits on the amount of load that transfers place on the
-            system. The following options apply to zone transfers.
-          </p>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt>
-<dd>
-                <p>
-                  Defines a global list of IP addresses of name servers
-                  that are also sent NOTIFY messages whenever a fresh copy of
-                  the
-                  zone is loaded, in addition to the servers listed in the
-                  zone's NS records.
-                  This helps to ensure that copies of the zones will
-                  quickly converge on stealth servers.
-                  Optionally, a port may be specified with each
-                  <span class="command"><strong>also-notify</strong></span> address to send
-                  the notify messages to a port other than the
-                  default of 53.
-                  An optional TSIG key can also be specified with each
-                  address to cause the notify messages to be signed; this
-                  can be useful when sending notifies to multiple views.
-                  In place of explicit addresses, one or more named
-                  <span class="command"><strong>masters</strong></span> lists can be used.
-                </p>
-                <p>
-                  If an <span class="command"><strong>also-notify</strong></span> list
-                  is given in a <span class="command"><strong>zone</strong></span> statement,
-                  it will override
-                  the <span class="command"><strong>options also-notify</strong></span>
-                  statement. When a <span class="command"><strong>zone notify</strong></span>
-                  statement
-                  is set to <span class="command"><strong>no</strong></span>, the IP
-                  addresses in the global <span class="command"><strong>also-notify</strong></span> list will
-                  not be sent NOTIFY messages for that zone. The default is
-                  the empty
-                  list (no global notification list).
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
-<dd>
-                <p>
-                  Inbound zone transfers running longer than
-                  this many minutes will be terminated. The default is 120
-                  minutes
-                  (2 hours).  The maximum value is 28 days (40320 minutes).
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt>
-<dd>
-                <p>
-                  Inbound zone transfers making no progress
-                  in this many minutes will be terminated. The default is 60
-                  minutes
-                  (1 hour).  The maximum value is 28 days (40320 minutes).
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt>
-<dd>
-                <p>
-                  Outbound zone transfers running longer than
-                  this many minutes will be terminated. The default is 120
-                  minutes
-                  (2 hours).  The maximum value is 28 days (40320 minutes).
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt>
-<dd>
-                <p>
-                  Outbound zone transfers making no progress
-                  in this many minutes will be terminated.  The default is 60
-                  minutes (1
-                  hour).  The maximum value is 28 days (40320 minutes).
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>notify-rate</strong></span></span></dt>
-<dd>
-                <p>
-                  The rate at which NOTIFY requests will be sent
-                  during normal zone maintenance operations. (NOTIFY
-                  requests due to initial zone loading are subject
-                  to a separate rate limit; see below.) The default is
-                  20 per second.
-                  The lowest possible rate is one per second; when set
-                  to zero, it will be silently raised to one.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>startup-notify-rate</strong></span></span></dt>
-<dd>
-                <p>
-                  The rate at which NOTIFY requests will be sent
-                  when the name server is first starting up, or when
-                  zones have been newly added to the nameserver.
-                  The default is 20 per second.
-                  The lowest possible rate is one per second; when set
-                  to zero, it will be silently raised to one.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>serial-query-rate</strong></span></span></dt>
-<dd>
-                <p>
-                  Slave servers will periodically query master
-                  servers to find out if zone serial numbers have
-                  changed. Each such query uses a minute amount of
-                  the slave server's network bandwidth.  To limit
-                  the amount of bandwidth used, BIND 9 limits the
-                  rate at which queries are sent.  The value of the
-                  <span class="command"><strong>serial-query-rate</strong></span> option, an
-                  integer, is the maximum number of queries sent
-                  per second.  The default is 20 per second.
-                  The lowest possible rate is one per second; when set
-                  to zero, it will be silently raised to one.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>serial-queries</strong></span></span></dt>
-<dd>
-                <p>
-                  In BIND 8, the <span class="command"><strong>serial-queries</strong></span>
-                  option
-                  set the maximum number of concurrent serial number queries
-                  allowed to be outstanding at any given time.
-                  BIND 9 does not limit the number of outstanding
-                  serial queries and ignores the <span class="command"><strong>serial-queries</strong></span> option.
-                  Instead, it limits the rate at which the queries are sent
-                  as defined using the <span class="command"><strong>serial-query-rate</strong></span> option.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>transfer-format</strong></span></span></dt>
-<dd>
-
-                <p>
-                  Zone transfers can be sent using two different formats,
-                  <span class="command"><strong>one-answer</strong></span> and
-                  <span class="command"><strong>many-answers</strong></span>.
-                  The <span class="command"><strong>transfer-format</strong></span> option is used
-                  on the master server to determine which format it sends.
-                  <span class="command"><strong>one-answer</strong></span> uses one DNS message per
-                  resource record transferred.
-                  <span class="command"><strong>many-answers</strong></span> packs as many resource
-                  records as possible into a message.
-                  <span class="command"><strong>many-answers</strong></span> is more efficient, but is
-                  only supported by relatively new slave servers,
-                  such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
-                  8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
-                  The <span class="command"><strong>many-answers</strong></span> format is also supported by
-                  recent Microsoft Windows nameservers.
-                  The default is <span class="command"><strong>many-answers</strong></span>.
-                  <span class="command"><strong>transfer-format</strong></span> may be overridden on a
-                  per-server basis by using the <span class="command"><strong>server</strong></span>
-                  statement.
-                </p>
-
-              </dd>
-<dt><span class="term"><span class="command"><strong>transfer-message-size</strong></span></span></dt>
-<dd>
-                <p>
-                  This is an upper bound on the uncompressed size of DNS
-                  messages used in zone transfers over TCP.  If a message
-                  grows larger than this size, additional messages will be
-                  used to complete the zone transfer.  (Note, however,
-                  that this is a hint, not a hard limit; if a message
-                  contains a single resource record whose RDATA does not
-                  fit within the size limit, a larger message will be
-                  permitted so the record can be transferred.)
-                </p>
-                <p>
-                  Valid values are between 512 and 65535 octets, and any
-                  values outside that range will be adjusted to the nearest
-                  value within it.  The default is <code class="literal">20480</code>,
-                  which was selected to improve message compression:
-                  most DNS messages of this size will compress to less
-                  than 16536 bytes.  Larger messages cannot be compressed
-                  as effectively, because 16536 is the largest permissible
-                  compression offset pointer in a DNS message.
-                </p>
-                <p>
-                  This option is mainly intended for server testing;
-                  there is rarely any benefit in setting a value other
-                  than the default.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>transfers-in</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of inbound zone transfers
-                  that can be running concurrently. The default value is <code class="literal">10</code>.
-                  Increasing <span class="command"><strong>transfers-in</strong></span> may
-                  speed up the convergence
-                  of slave zones, but it also may increase the load on the
-                  local system.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>transfers-out</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of outbound zone transfers
-                  that can be running concurrently. Zone transfer requests in
-                  excess
-                  of the limit will be refused. The default value is <code class="literal">10</code>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>transfers-per-ns</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of inbound zone transfers
-                  that can be concurrently transferring from a given remote
-                  name server.
-                  The default value is <code class="literal">2</code>.
-                  Increasing <span class="command"><strong>transfers-per-ns</strong></span>
-                  may
-                  speed up the convergence of slave zones, but it also may
-                  increase
-                  the load on the remote name server. <span class="command"><strong>transfers-per-ns</strong></span> may
-                  be overridden on a per-server basis by using the <span class="command"><strong>transfers</strong></span> phrase
-                  of the <span class="command"><strong>server</strong></span> statement.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt>
-<dd>
-                <p><span class="command"><strong>transfer-source</strong></span>
-                  determines which local address will be bound to IPv4
-                  TCP connections used to fetch zones transferred
-                  inbound by the server.  It also determines the
-                  source IPv4 address, and optionally the UDP port,
-                  used for the refresh queries and forwarded dynamic
-                  updates.  If not set, it defaults to a system
-                  controlled value which will usually be the address
-                  of the interface "closest to" the remote end. This
-                  address must appear in the remote end's
-                  <span class="command"><strong>allow-transfer</strong></span> option for the
-                  zone being transferred, if one is specified. This
-                  statement sets the
-                  <span class="command"><strong>transfer-source</strong></span> for all zones,
-                  but can be overridden on a per-view or per-zone
-                  basis by including a
-                  <span class="command"><strong>transfer-source</strong></span> statement within
-                  the <span class="command"><strong>view</strong></span> or
-                  <span class="command"><strong>zone</strong></span> block in the configuration
-                  file.
-                </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                  <p>
-                    Solaris 2.5.1 and earlier does not support setting the
-                    source address for TCP sockets.
-                  </p>
-                </div>
-              </dd>
-<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt>
-<dd>
-                <p>
-                  The same as <span class="command"><strong>transfer-source</strong></span>,
-                  except zone transfers are performed using IPv6.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt>
-<dd>
-                <p>
-                  An alternate transfer source if the one listed in
-                  <span class="command"><strong>transfer-source</strong></span> fails and
-                  <span class="command"><strong>use-alt-transfer-source</strong></span> is
-                  set.
-                </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                  If you do not wish the alternate transfer source
-                  to be used, you should set
-                  <span class="command"><strong>use-alt-transfer-source</strong></span>
-                  appropriately and you should not depend upon
-                  getting an answer back to the first refresh
-                  query.
-                </p>
-</div>
-              </dd>
-<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt>
-<dd>
-                <p>
-                  An alternate transfer source if the one listed in
-                  <span class="command"><strong>transfer-source-v6</strong></span> fails and
-                  <span class="command"><strong>use-alt-transfer-source</strong></span> is
-                  set.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt>
-<dd>
-                <p>
-                  Use the alternate transfer sources or not.  If views are
-                  specified this defaults to <span class="command"><strong>no</strong></span>
-                  otherwise it defaults to
-                  <span class="command"><strong>yes</strong></span> (for BIND 8
-                  compatibility).
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt>
-<dd>
-                <p><span class="command"><strong>notify-source</strong></span>
-                  determines which local source address, and
-                  optionally UDP port, will be used to send NOTIFY
-                  messages.  This address must appear in the slave
-                  server's <span class="command"><strong>masters</strong></span> zone clause or
-                  in an <span class="command"><strong>allow-notify</strong></span> clause.  This
-                  statement sets the <span class="command"><strong>notify-source</strong></span>
-                  for all zones, but can be overridden on a per-zone or
-                  per-view basis by including a
-                  <span class="command"><strong>notify-source</strong></span> statement within
-                  the <span class="command"><strong>zone</strong></span> or
-                  <span class="command"><strong>view</strong></span> block in the configuration
-                  file.
-                </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                  <p>
-                    Solaris 2.5.1 and earlier does not support setting the
-                    source address for TCP sockets.
-                  </p>
-                </div>
-              </dd>
-<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt>
-<dd>
-                <p>
-                  Like <span class="command"><strong>notify-source</strong></span>,
-                  but applies to notify messages sent to IPv6 addresses.
-                </p>
-              </dd>
-</dl></div>
-
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="port_lists"></a>UDP Port Lists</h4></div></div></div>
-
-          <p>
-            <span class="command"><strong>use-v4-udp-ports</strong></span>,
-            <span class="command"><strong>avoid-v4-udp-ports</strong></span>,
-            <span class="command"><strong>use-v6-udp-ports</strong></span>, and
-            <span class="command"><strong>avoid-v6-udp-ports</strong></span>
-            specify a list of IPv4 and IPv6 UDP ports that will be
-            used or not used as source ports for UDP messages.
-            See <a class="xref" href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called &#8220;Query Address&#8221;</a> about how the
-            available ports are determined.
-            For example, with the following configuration
-          </p>
-
-<pre class="programlisting">
-use-v6-udp-ports { range 32768 65535; };
-avoid-v6-udp-ports { 40000; range 50000 60000; };
-</pre>
-
-           <p>
-             UDP ports of IPv6 messages sent
-             from <span class="command"><strong>named</strong></span> will be in one
-             of the following ranges: 32768 to 39999, 40001 to 49999,
-             and 60001 to 65535.
-           </p>
-
-           <p>
-             <span class="command"><strong>avoid-v4-udp-ports</strong></span> and
-             <span class="command"><strong>avoid-v6-udp-ports</strong></span> can be used
-             to prevent <span class="command"><strong>named</strong></span> from choosing as its random source port a
-             port that is blocked by your firewall or a port that is
-             used by other applications;
-             if a query went out with a source port blocked by a
-             firewall, the
-             answer would not get by the firewall and the name server would
-             have to query again.
-             Note: the desired range can also be represented only with
-             <span class="command"><strong>use-v4-udp-ports</strong></span> and
-             <span class="command"><strong>use-v6-udp-ports</strong></span>, and the
-             <span class="command"><strong>avoid-</strong></span> options are redundant in that
-             sense; they are provided for backward compatibility and
-             to possibly simplify the port specification.
-           </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="resource_limits"></a>Operating System Resource Limits</h4></div></div></div>
-
-          <p>
-            The server's usage of many system resources can be limited.
-            Scaled values are allowed when specifying resource limits.  For
-            example, <span class="command"><strong>1G</strong></span> can be used instead of
-            <span class="command"><strong>1073741824</strong></span> to specify a limit of
-            one
-            gigabyte. <span class="command"><strong>unlimited</strong></span> requests
-            unlimited use, or the
-            maximum available amount. <span class="command"><strong>default</strong></span>
-            uses the limit
-            that was in force when the server was started. See the description
-            of <span class="command"><strong>size_spec</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
-          </p>
-
-          <p>
-            The following options set operating system resource limits for
-            the name server process.  Some operating systems don't support
-            some or
-            any of the limits. On such systems, a warning will be issued if
-            the
-            unsupported limit is used.
-          </p>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>coresize</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum size of a core dump. The default
-                  is <code class="literal">default</code>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>datasize</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum amount of data memory the server
-                  may use. The default is <code class="literal">default</code>.
-                  This is a hard limit on server memory usage.
-                  If the server attempts to allocate memory in excess of this
-                  limit, the allocation will fail, which may in turn leave
-                  the server unable to perform DNS service.  Therefore,
-                  this option is rarely useful as a way of limiting the
-                  amount of memory used by the server, but it can be used
-                  to raise an operating system data size limit that is
-                  too small by default.  If you wish to limit the amount
-                  of memory used by the server, use the
-                  <span class="command"><strong>max-cache-size</strong></span> and
-                  <span class="command"><strong>recursive-clients</strong></span>
-                  options instead.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>files</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of files the server
-                  may have open concurrently. The default is <code class="literal">unlimited</code>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>stacksize</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum amount of stack memory the server
-                  may use. The default is <code class="literal">default</code>.
-                </p>
-              </dd>
-</dl></div>
-
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="server_resource_limits"></a>Server  Resource Limits</h4></div></div></div>
-
-          <p>
-            The following options set limits on the server's
-            resource consumption that are enforced internally by the
-            server rather than the operating system.
-          </p>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>max-ixfr-log-size</strong></span></span></dt>
-<dd>
-                <p>
-                  This option is obsolete; it is accepted
-                  and ignored for BIND 8 compatibility.  The option
-                  <span class="command"><strong>max-journal-size</strong></span> performs a
-                  similar function in BIND 9.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets a maximum size for each journal file (see
-                  <a class="xref" href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>), expressed in bytes
-                  or, if followed by an optional unit suffix ('k',
-                  'm', or 'g'), in kilobytes, megabytes, or gigabytes.
-                  When the journal file approaches the specified size,
-                  some of the oldest transactions in the journal
-                  will be automatically removed. The largest
-                  permitted value is 2 gigabytes.  Very small
-                  values are rounded up to 4096 bytes.  You
-                  can specify <code class="literal">unlimited</code>, which
-                  also means 2 gigabytes. If you set the limit to
-                  <code class="literal">default</code> or leave it unset, the
-                  journal is allowed to grow up to twice as large as
-                  the zone. (There is little benefit in storing
-                  larger journals.)
-                </p>
-                <p>
-                  This option may also be set on a per-zone basis.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-records</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of records permitted in a zone.
-                  The default is zero which means unlimited.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>host-statistics-max</strong></span></span></dt>
-<dd>
-                <p>
-                  In BIND 8, specifies the maximum number of host statistics
-                  entries to be kept.
-                  Not implemented in BIND 9.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>recursive-clients</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number ("hard quota") of simultaneous
-                  recursive lookups the server will perform on behalf
-                  of clients.  The default is
-                  <code class="literal">1000</code>.  Because each recursing
-                  client uses a fair
-                  bit of memory (on the order of 20 kilobytes), the
-                  value of the
-                  <span class="command"><strong>recursive-clients</strong></span> option may
-                  have to be decreased on hosts with limited memory.
-                </p>
-                <p>
-                  <code class="option">recursive-clients</code> defines a "hard
-                  quota" limit for pending recursive clients: when more
-                  clients than this are pending, new incoming requests
-                  will not be accepted, and for each incoming request
-                  a previous pending request will also be dropped.
-                </p>
-                <p>
-                  A "soft quota" is also set.  When this lower
-                  quota is exceeded, incoming requests are accepted, but
-                  for each one, a pending request will be dropped.
-                  If <code class="option">recursive-clients</code> is greater than
-                  1000, the soft quota is set to
-                  <code class="option">recursive-clients</code> minus 100;
-                  otherwise it is set to 90% of
-                  <code class="option">recursive-clients</code>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>tcp-clients</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum number of simultaneous client TCP
-                  connections that the server will accept.
-                  The default is <code class="literal">150</code>.
-                </p>
-              </dd>
-<dt>
-<a name="clients-per-query"></a><span class="term"><a name="cpq_term"></a><span class="command"><strong>clients-per-query</strong></span>, </span><span class="term"><span class="command"><strong>max-clients-per-query</strong></span></span>
-</dt>
-<dd>
-                <p>These set the
-                  initial value (minimum) and maximum number of recursive
-                  simultaneous clients for any given query
-                  (&lt;qname,qtype,qclass&gt;) that the server will accept
-                  before dropping additional clients.  <span class="command"><strong>named</strong></span> will attempt to
-                  self tune this value and changes will be logged.  The
-                  default values are 10 and 100.
-                </p>
-                <p>
-                  This value should reflect how many queries come in for
-                  a given name in the time it takes to resolve that name.
-                  If the number of queries exceed this value, <span class="command"><strong>named</strong></span> will
-                  assume that it is dealing with a non-responsive zone
-                  and will drop additional queries.  If it gets a response
-                  after dropping queries, it will raise the estimate.  The
-                  estimate will then be lowered in 20 minutes if it has
-                  remained unchanged.
-                </p>
-                <p>
-                  If <span class="command"><strong>clients-per-query</strong></span> is set to zero,
-                  then there is no limit on the number of clients per query
-                  and no queries will be dropped.
-                </p>
-                <p>
-                  If <span class="command"><strong>max-clients-per-query</strong></span> is set to zero,
-                  then there is no upper bound other than imposed by
-                  <span class="command"><strong>recursive-clients</strong></span>.
-                </p>
-              </dd>
-<dt>
-<a name="fetches-per-zone"></a><span class="term"><span class="command"><strong>fetches-per-zone</strong></span></span>
-</dt>
-<dd>
-                <p>
-                  The maximum number of simultaneous iterative
-                  queries to any one domain that the server will
-                  permit before blocking new queries for data
-                  in or beneath that zone.
-                  This value should reflect how many fetches would
-                  normally be sent to any one zone in the time it
-                  would take to resolve them.  It should be smaller
-                  than <code class="option">recursive-clients</code>.
-                </p>
-                <p>
-                  When many clients simultaneously query for the
-                  same name and type, the clients will all be attached
-                  to the same fetch, up to the
-                  <code class="option">max-clients-per-query</code> limit,
-                  and only one iterative query will be sent.
-                  However, when clients are simultaneously
-                  querying for <span class="emphasis"><em>different</em></span> names
-                  or types, multiple queries will be sent and
-                  <code class="option">max-clients-per-query</code> is not
-                  effective as a limit.
-                </p>
-                <p>
-                  Optionally, this value may be followed by the keyword
-                  <code class="literal">drop</code> or <code class="literal">fail</code>,
-                  indicating whether queries which exceed the fetch
-                  quota for a zone will be dropped with no response,
-                  or answered with SERVFAIL.  The default is
-                  <code class="literal">drop</code>.
-                </p>
-                <p>
-                  If <span class="command"><strong>fetches-per-zone</strong></span> is set to zero,
-                  then there is no limit on the number of fetches per query
-                  and no queries will be dropped.  The default is zero.
-                </p>
-                <p>
-                  The current list of active fetches can be dumped by
-                  running <span class="command"><strong>rndc recursing</strong></span>.  The list
-                  includes the number of active fetches for each
-                  domain and the number of queries that have been
-                  passed or dropped as a result of the
-                  <code class="option">fetches-per-zone</code> limit.  (Note:
-                  these counters are not cumulative over time; whenever
-                  the number of active fetches for a domain drops to
-                  zero, the counter for that domain is deleted, and the
-                  next time a fetch is sent to that domain, it is
-                  recreated with the counters set to zero.)
-                </p>
-              </dd>
-<dt>
-<a name="fetches-per-server"></a><span class="term"><span class="command"><strong>fetches-per-server</strong></span></span>
-</dt>
-<dd>
-                <p>
-                  The maximum number of simultaneous iterative
-                  queries that the server will allow to be sent to
-                  a single upstream name server before blocking
-                  additional queries.
-                  This value should reflect how many fetches would
-                  normally be sent to any one server in the time it
-                  would take to resolve them.  It should be smaller
-                  than <code class="option">recursive-clients</code>.
-                </p>
-                <p>
-                  Optionally, this value may be followed by the keyword
-                  <code class="literal">drop</code> or <code class="literal">fail</code>,
-                  indicating whether queries will be dropped with no
-                  response, or answered with SERVFAIL, when all of the
-                  servers authoritative for a zone are found to have
-                  exceeded the per-server quota.  The default is
-                  <code class="literal">fail</code>.
-                </p>
-                <p>
-                  If <span class="command"><strong>fetches-per-server</strong></span> is set to zero,
-                  then there is no limit on the number of fetches per query
-                  and no queries will be dropped.  The default is zero.
-                </p>
-                <p>
-                  The <span class="command"><strong>fetches-per-server</strong></span> quota is
-                  dynamically adjusted in response to detected
-                  congestion. As queries are sent to a server
-                  and are either answered or time out, an
-                  exponentially weighted moving average is calculated
-                  of the ratio of timeouts to responses.  If the
-                  current average timeout ratio rises above a "high"
-                  threshold, then <span class="command"><strong>fetches-per-server</strong></span>
-                  is reduced for that server.  If the timeout ratio
-                  drops below a "low" threshold, then
-                  <span class="command"><strong>fetches-per-server</strong></span> is increased.
-                  The <span class="command"><strong>fetch-quota-params</strong></span> options
-                  can be used to adjust the parameters for this
-                  calculation.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>fetch-quota-params</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the parameters to use for dynamic resizing of
-                  the <code class="option">fetches-per-server</code> quota in
-                  response to detected congestion.
-                </p>
-                <p>
-                  The first argument is an integer value indicating
-                  how frequently to recalculate the moving average
-                  of the ratio of timeouts to responses for each
-                  server.  The default is 100, meaning we recalculate
-                  the average ratio after every 100 queries have either
-                  been answered or timed out.
-                </p>
-                <p>
-                  The remaining three arguments represent the "low"
-                  threshold (defaulting to a timeout ratio of 0.1),
-                  the "high" threshold (defaulting to a timeout
-                  ratio of 0.3), and the discount rate for
-                  the moving average (defaulting to 0.7).
-                  A higher discount rate causes recent events to
-                  weigh more heavily when calculating the moving
-                  average; a lower discount rate causes past
-                  events to weigh more heavily, smoothing out
-                  short-term blips in the timeout ratio.
-                  These arguments are all fixed-point numbers with
-                  precision of 1/100: at most two places after
-                  the decimal point are significant.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>reserved-sockets</strong></span></span></dt>
-<dd>
-                <p>
-                  The number of file descriptors reserved for TCP, stdio,
-                  etc.  This needs to be big enough to cover the number of
-                  interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
-                  to provide room for outgoing TCP queries and incoming zone
-                  transfers.  The default is <code class="literal">512</code>.
-                  The minimum value is <code class="literal">128</code> and the
-                  maximum value is <code class="literal">128</code> less than
-                  maxsockets (-S).  This option may be removed in the future.
-                </p>
-                <p>
-                  This option has little effect on Windows.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-cache-size</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum amount of memory to use for the
-                  server's cache, in bytes or % of total physical memory.
-                  When the amount of data in the cache
-                  reaches this limit, the server will cause records to
-                  expire prematurely based on an LRU based strategy so
-                  that the limit is not exceeded.
-                  The keyword <strong class="userinput"><code>unlimited</code></strong>,
-                  or the value 0, will place no limit on cache size;
-                  records will be purged from the cache only when their
-                  TTLs expire.
-                  Any positive values less than 2MB will be ignored
-                  and reset to 2MB.
-                  In a server with multiple views, the limit applies
-                  separately to the cache of each view.
-                  The default is <strong class="userinput"><code>90%</code></strong>.
-                  On systems where detection of amount of physical
-                  memory is not supported values represented as %
-                  fall back to unlimited.
-                  Note that the detection of physical memory is done only
-                  once at startup, so <span class="command"><strong>named</strong></span> will not
-                  adjust the cache size if the amount of physical memory
-                  is changed during runtime.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>tcp-listen-queue</strong></span></span></dt>
-<dd>
-                <p>
-                  The listen queue depth.  The default and minimum is 10.
-                  If the kernel supports the accept filter "dataready" this
-                  also controls how
-                  many TCP connections that will be queued in kernel space
-                  waiting for
-                  some data before being passed to accept.  Nonzero values
-                  less than 10 will be silently raised. A value of 0 may also
-                  be used; on most platforms this sets the listen queue
-                  length to a system-defined default value.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>tcp-initial-timeout</strong></span></span></dt>
-<dd>
-                <p>
-                  The amount of time (in units of 100 milliseconds) the
-                  server waits on a new TCP connection for the first message
-                  from the client. The default is 300 (30 seconds),
-                  the minimum is 25 (2.5 seconds), and the maximum is
-                  1200 (two minutes). Values above the maximum or below
-                  the minimum will be adjusted with a logged warning.
-                  (Note: This value must be greater than the expected
-                  round trip delay time; otherwise no client will ever
-                  have enough time to submit a message.)
-                  This value can be updated at runtime by using
-                  <span class="command"><strong>rndc tcp-timeouts</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>tcp-idle-timeout</strong></span></span></dt>
-<dd>
-                <p>
-                  The amount of time (in units of 100 milliseconds) the
-                  server waits on an idle TCP connection before closing
-                  it when the client is not using the EDNS TCP keepalive
-                  option.  The default is 300 (30 seconds), the maximum
-                  is 1200 (two minutes), and the minimum is 1 (one tenth
-                  of a second). Values above the maximum or below the minimum
-                  will be adjusted with a logged warning.
-                  See <span class="command"><strong>tcp-keepalive-timeout</strong></span>
-                  for clients using the EDNS TCP keepalive option.
-                  This value can be updated at runtime by using
-                  <span class="command"><strong>rndc tcp-timeouts</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>tcp-keepalive-timeout</strong></span></span></dt>
-<dd>
-                <p>
-                  The amount of time (in units of 100 milliseconds) the
-                  server waits on an idle TCP connection before closing
-                  it when the client is using the EDNS TCP keepalive
-                  option.  The default is 300 (30 seconds), the maximum
-                  is 65535 (about 1.8 hours), and the minimum is 1 (one tenth
-                  of a second). Values above the maximum or below the minimum
-                  will be adjusted with a logged warning.
-                  This value may be greater than
-                  <span class="command"><strong>tcp-idle-timeout</strong></span>, because
-                  clients using the EDNS TCP keepalive option are expected
-                  to use TCP connections for more than one message.
-                  This value can be updated at runtime by using
-                  <span class="command"><strong>rndc tcp-timeouts</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>tcp-advertised-timeout</strong></span></span></dt>
-<dd>
-                <p>
-                  The timeout value (in units of 100 milliseconds) the
-                  server will send in respones containing the EDNS TCP
-                  keepalive option. This informs a client of the
-                  amount of time it may keep the session open.
-                  The default is 300 (30 seconds), the maximum is
-                  65535 (about 1.8 hours), and the minimum is 0, which
-                  signals that the clients must close TCP connections
-                  immediately.  Ordinarily this should be set to the
-                  same value as <span class="command"><strong>tcp-keepalive-timeout</strong></span>.
-                  This value can be updated at runtime by using
-                  <span class="command"><strong>rndc tcp-timeouts</strong></span>.
-                </p>
-              </dd>
-</dl></div>
-
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="intervals"></a>Periodic Task Intervals</h4></div></div></div>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>cleaning-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  This interval is effectively obsolete.  Previously,
-                  the server would remove expired resource records
-                  from the cache every <span class="command"><strong>cleaning-interval</strong></span> minutes.
-                  <acronym class="acronym">BIND</acronym> 9 now manages cache
-                  memory in a more sophisticated manner and does not
-                  rely on the periodic cleaning any more.
-                  Specifying this option therefore has no effect on
-                  the server's behavior.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>heartbeat-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  The server will perform zone maintenance tasks
-                  for all zones marked as <span class="command"><strong>dialup</strong></span> whenever this
-                  interval expires. The default is 60 minutes. Reasonable
-                  values are up
-                  to 1 day (1440 minutes).  The maximum value is 28 days
-                  (40320 minutes).
-                  If set to 0, no zone maintenance for these zones will occur.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>interface-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  The server will scan the network interface list
-                  every <span class="command"><strong>interface-interval</strong></span>
-                  minutes. The default
-                  is 60 minutes. The maximum value is 28 days (40320 minutes).
-                  If set to 0, interface scanning will only occur when
-                  the configuration file is  loaded. After the scan, the
-                  server will
-                  begin listening for queries on any newly discovered
-                  interfaces (provided they are allowed by the
-                  <span class="command"><strong>listen-on</strong></span> configuration), and
-                  will
-                  stop listening on interfaces that have gone away.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>statistics-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  Name server statistics will be logged
-                  every <span class="command"><strong>statistics-interval</strong></span>
-                  minutes. The default is
-                  60. The maximum value is 28 days (40320 minutes).
-                  If set to 0, no statistics will be logged.
-                  </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                  <p>
-                    Not yet implemented in
-                    <acronym class="acronym">BIND</acronym> 9.
-                  </p>
-                </div>
-              </dd>
-<dt><span class="term"><span class="command"><strong>topology</strong></span></span></dt>
-<dd>
-                <p>
-                  In BIND 8, this option indicated network topology
-                  so that preferential treatment could be given to
-                  the topologicaly closest name servers when sending
-                  queries. It is not implemented in BIND 9.
-                </p>
-              </dd>
-</dl></div>
-
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_sortlist_statement"></a>The <span class="command"><strong>sortlist</strong></span> Statement</h4></div></div></div>
-
-          <p>
-            The response to a DNS query may consist of multiple resource
-            records (RRs) forming a resource record set (RRset).  The name
-            server will normally return the RRs within the RRset in an
-            indeterminate order (but see the <span class="command"><strong>rrset-order</strong></span>
-            statement in <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).  The client
-            resolver code should rearrange the RRs as appropriate, that is,
-            using any addresses on the local net in preference to other
-            addresses.  However, not all resolvers can do this or are
-            correctly configured.  When a client is using a local server,
-            the sorting can be performed in the server, based on the
-            client's address. This only requires configuring the name
-            servers, not all the clients.
-          </p>
-
-          <p>
-            The <span class="command"><strong>sortlist</strong></span> statement (see below) takes an
-            <span class="command"><strong>address_match_list</strong></span> and interprets it in a
-            special way.  Each top level statement in the
-            <span class="command"><strong>sortlist</strong></span> must itself be an explicit
-            <span class="command"><strong>address_match_list</strong></span> with one or two elements.
-            The first element (which may be an IP address, an IP prefix, an
-            ACL name or a nested <span class="command"><strong>address_match_list</strong></span>) of
-            each top level list is checked against the source address of
-            the query until a match is found.
-          </p>
-          <p>
-            Once the source address of the query has been matched, if the
-            top level statement contains only one element, the actual
-            primitive element that matched the source address is used to
-            select the address in the response to move to the beginning of
-            the response. If the statement is a list of two elements, then
-            the second element is interpreted as a topology preference
-            list.  Each top level element is assigned a distance and the
-            address in the response with the minimum distance is moved to
-            the beginning of the response.
-          </p>
-          <p>
-            In the following example, any queries received from any of the
-            addresses of the host itself will get responses preferring
-            addresses on any of the locally connected networks. Next most
-            preferred are addresses on the 192.168.1/24 network, and after
-            that either the 192.168.2/24 or 192.168.3/24 network with no
-            preference shown between these two networks. Queries received
-            from a host on the 192.168.1/24 network will prefer other
-            addresses on that network to the 192.168.2/24 and 192.168.3/24
-            networks. Queries received from a host on the 192.168.4/24 or
-            the 192.168.5/24 network will only prefer other addresses on
-            their directly connected networks.
-          </p>
-
-<pre class="programlisting">sortlist {
-    // IF the local host
-    // THEN first fit on the following nets
-    { localhost;
-        { localnets;
-            192.168.1/24;
-            { 192.168.2/24; 192.168.3/24; }; }; };
-    // IF on class C 192.168.1 THEN use .1, or .2 or .3
-    { 192.168.1/24;
-        { 192.168.1/24;
-            { 192.168.2/24; 192.168.3/24; }; }; };
-    // IF on class C 192.168.2 THEN use .2, or .1 or .3
-    { 192.168.2/24;
-        { 192.168.2/24;
-            { 192.168.1/24; 192.168.3/24; }; }; };
-    // IF on class C 192.168.3 THEN use .3, or .1 or .2
-    { 192.168.3/24;
-        { 192.168.3/24;
-            { 192.168.1/24; 192.168.2/24; }; }; };
-    // IF .4 or .5 THEN prefer that net
-    { { 192.168.4/24; 192.168.5/24; };
-    };
-};</pre>
-
-          <p>
-            The following example will give reasonable behavior for the
-            local host and hosts on directly connected networks. It is
-            similar to the behavior of the address sort in
-            <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent to queries from
-            the local host will favor any of the directly connected
-            networks. Responses sent to queries from any other hosts on a
-            directly connected network will prefer addresses on that same
-            network.  Responses to other queries will not be sorted.
-          </p>
-
-<pre class="programlisting">sortlist {
-           { localhost; localnets; };
-           { localnets; };
-};
-</pre>
-
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
-
-          <p>
-            When multiple records are returned in an answer it may be
-            useful to configure the order of the records placed into the
-            response.  The <span class="command"><strong>rrset-order</strong></span> statement permits
-            configuration of the ordering of the records in a
-            multiple-record response.
-            See also the <span class="command"><strong>sortlist</strong></span> statement,
-            <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a>.
-          </p>
-          <p>
-            An <span class="command"><strong>order_spec</strong></span> is defined as follows:
-          </p>
-          <p>
-            [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
-            [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
-            [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
-            order <em class="replaceable"><code>ordering</code></em>
-          </p>
-          <p>
-            If no class is specified, the default is <span class="command"><strong>ANY</strong></span>.
-            If no type is specified, the default is <span class="command"><strong>ANY</strong></span>.
-            If no name is specified, the default is "<span class="command"><strong>*</strong></span>" (asterisk).
-          </p>
-          <p>
-            The legal values for <span class="command"><strong>ordering</strong></span> are:
-          </p>
-          <div class="informaltable">
-            <table border="1">
-<colgroup>
-<col width="0.750in" class="1">
-<col width="3.750in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p><span class="command"><strong>fixed</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Records are returned in the order they
-                      are defined in the zone file. This option
-                      is only available if <acronym class="acronym">BIND</acronym>
-                      is configured with "--enable-fixed-rrset" at
-                      compile time.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span class="command"><strong>random</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Records are returned in some random order.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span class="command"><strong>cyclic</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Records are returned in a cyclic round-robin order,
-                      rotating by one record per query.
-                    </p>
-                    <p>
-                      If <acronym class="acronym">BIND</acronym> is configured with
-                      "--enable-fixed-rrset" at compile time, then
-                      the initial ordering of the RRset will match the
-                      one specified in the zone file; otherwise the
-                      initial ordering is indeterminate.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span class="command"><strong>none</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Records are returned in whatever order they were
-                      retrieved from the database.  This order is
-                      indeterminate, but will be consistent as long as the
-                      database is not modified. When no ordering is
-                      specified, this is the default.
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table>
-          </div>
-          <p>
-          </p>
-          <p>
-            For example:
-          </p>
-<pre class="programlisting">rrset-order {
-   class IN type A name "host.example.com" order random;
-   order cyclic;
-};
-</pre>
-          <p>
-            will cause any responses for type A records in class IN that
-            have "<code class="literal">host.example.com</code>" as a
-            suffix, to always be returned
-            in random order. All other records are returned in cyclic order.
-          </p>
-          <p>
-            If multiple <span class="command"><strong>rrset-order</strong></span> statements
-            appear, they are not combined &#8212; the last one applies.
-          </p>
-          <p>
-            By default, records are returned in indeterminate but
-            consistent order (see <span class="command"><strong>none</strong></span> above).
-          </p>
-
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-            <p>
-              In this release of <acronym class="acronym">BIND</acronym> 9, the
-              <span class="command"><strong>rrset-order</strong></span> statement does not support
-              "fixed" ordering by default.  Fixed ordering can be enabled
-              at compile time by specifying "--enable-fixed-rrset" on
-              the "configure" command line.
-            </p>
-          </div>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="tuning"></a>Tuning</h4></div></div></div>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>lame-ttl</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the number of seconds to cache a
-                  lame server indication. 0 disables caching. (This is
-                  <span class="bold"><strong>NOT</strong></span> recommended.)
-                  The default is <code class="literal">600</code> (10 minutes) and the
-                  maximum value is
-                  <code class="literal">1800</code> (30 minutes).
-                </p>
-
-              </dd>
-<dt><span class="term"><span class="command"><strong>servfail-ttl</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the number of seconds to cache a
-                  SERVFAIL response due to DNSSEC validation failure or
-                  other general server failure.  If set to
-                  <code class="literal">0</code>, SERVFAIL caching is disabled.
-                  The SERVFAIL cache is not consulted if a query has
-                  the CD (Checking Disabled) bit set; this allows a
-                  query that failed due to DNSSEC validation to be retried
-                  without waiting for the SERVFAIL TTL to expire.
-                </p>
-                <p>
-                  The maximum value is <code class="literal">30</code>
-                  seconds; any higher value will be silently
-                  reduced. The default is <code class="literal">1</code>
-                  second.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-ncache-ttl</strong></span></span></dt>
-<dd>
-                <p>
-                  To reduce network traffic and increase performance,
-                  the server stores negative answers. <span class="command"><strong>max-ncache-ttl</strong></span> is
-                  used to set a maximum retention time for these answers in
-                  the server
-                  in seconds. The default
-                  <span class="command"><strong>max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
-                  <span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed
-                  7 days and will
-                  be silently truncated to 7 days if set to a greater value.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-cache-ttl</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the maximum time for which the server will
-                  cache ordinary (positive) answers in seconds.
-                  The default is 604800 (one week).
-                  A value of zero may cause all queries to return
-                  SERVFAIL, because of lost caches of intermediate
-                  RRsets (such as NS and glue AAAA/A records) in the
-                  resolution process.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-stale-ttl</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the maximum time for which the server will
-                  retain records past their normal expiry to
-                  return them as stale records when the servers
-                  for those records are not reachable.  The default
-                  is to not retain the record.
-                </p>
-                <p>
-                  <span class="command"><strong>rndc serve-stale</strong></span> can be used
-                  to disable and re-enable the serving of stale
-                  records at runtime.  Reloading or reconfiguring
-                  <span class="command"><strong>named</strong></span> will not re-enable serving
-                  of stale records if they have been disabled via
-                  <span class="command"><strong>rndc</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt>
-<dd>
-                <p>
-                  The minimum number of root servers that
-                  is required for a request for the root servers to be
-                  accepted. The default
-                  is <strong class="userinput"><code>2</code></strong>.
-                </p>
-                <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                  <p>
-                    Not implemented in <acronym class="acronym">BIND</acronym> 9.
-                  </p>
-                </div>
-              </dd>
-<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies the number of days into the future when
-                  DNSSEC signatures automatically generated as a
-                  result of dynamic updates (<a class="xref" href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>) will expire.  There
-                  is an optional second field which specifies how
-                  long before expiry that the signatures will be
-                  regenerated.  If not specified, the signatures will
-                  be regenerated at 1/4 of base interval.  The second
-                  field is specified in days if the base interval is
-                  greater than 7 days otherwise it is specified in hours.
-                  The default base interval is <code class="literal">30</code> days
-                  giving a re-signing interval of 7 1/2 days.  The maximum
-                  values are 10 years (3660 days).
-                </p>
-                <p>
-                  The signature inception time is unconditionally
-                  set to one hour before the current time to allow
-                  for a limited amount of clock skew.
-                </p>
-                <p>
-                  The <span class="command"><strong>sig-validity-interval</strong></span>
-                  should be, at least, several multiples of the SOA
-                  expire interval to allow for reasonable interaction
-                  between the various timer and expiry dates.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt>
-<dd>
-                <p>
-                  Specify the maximum number of nodes to be
-                  examined in each quantum when signing a zone with
-                  a new DNSKEY. The default is
-                  <code class="literal">100</code>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt>
-<dd>
-                <p>
-                  Specify a threshold number of signatures that
-                  will terminate processing a quantum when signing
-                  a zone with a new DNSKEY.  The default is
-                  <code class="literal">10</code>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt>
-<dd>
-                <p>
-                  Specify a private RDATA type to be used when generating
-                  signing state records.  The default is
-                  <code class="literal">65534</code>.
-                </p>
-                <p>
-                  It is expected that this parameter may be removed
-                  in a future version once there is a standard type.
-                </p>
-                <p>
-                  Signing state records are used to internally by
-                  <span class="command"><strong>named</strong></span> to track the current state of
-                  a zone-signing process, i.e., whether it is still active
-                  or has been completed.  The records can be inspected
-                  using the command
-                  <span class="command"><strong>rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
-                  Once <span class="command"><strong>named</strong></span> has finished signing
-                  a zone with a particular key, the signing state
-                  record associated with that key can be removed from
-                  the zone by running
-                  <span class="command"><strong>rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
-                  To clear all of the completed signing state
-                  records for a zone, use
-                  <span class="command"><strong>rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
-                </p>
-              </dd>
-<dt>
-<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span>
-</dt>
-<dd>
-                <p>
-                  These options control the server's behavior on refreshing a
-                  zone (querying for SOA changes) or retrying failed
-                  transfers.  Usually the SOA values for the zone are used,
-                  up to a hard-coded maximum expiry of 24 weeks. However,
-                  these values are set by the master, giving slave server
-                  administrators little control over their contents.
-                </p>
-                <p>
-                  These options allow the administrator to set a minimum and
-                  maximum refresh and retry time in seconds per-zone,
-                  per-view, or globally.  These options are valid for
-                  slave and stub zones, and clamp the SOA refresh and
-                  retry times to the specified values.
-                </p>
-                <p>
-                  The following defaults apply.
-                  <span class="command"><strong>min-refresh-time</strong></span> 300 seconds,
-                  <span class="command"><strong>max-refresh-time</strong></span> 2419200 seconds
-                  (4 weeks), <span class="command"><strong>min-retry-time</strong></span> 500 seconds,
-                  and <span class="command"><strong>max-retry-time</strong></span> 1209600 seconds
-                  (2 weeks).
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>edns-udp-size</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the maximum advertised EDNS UDP buffer size in
-                  bytes, to control the size of packets received from
-                  authoritative servers in response to recursive queries.
-                  Valid values are 512 to 4096 (values outside this range
-                  will be silently adjusted to the nearest value within
-                  it).  The default value is 4096.
-                </p>
-                <p>
-                  The usual reason for setting
-                  <span class="command"><strong>edns-udp-size</strong></span> to a non-default value
-                  is to get UDP answers to pass through broken firewalls
-                  that block fragmented packets and/or block UDP DNS
-                  packets that are greater than 512 bytes.
-                </p>
-                <p>
-                  When <span class="command"><strong>named</strong></span> first queries a remote
-                  server, it will advertise a UDP buffer size of 512, as
-                  this has the greatest chance of success on the first try.
-                </p>
-                <p>
-                  If the initial response times out, <span class="command"><strong>named</strong></span>
-                  will try again with plain DNS, and if that is successful,
-                  it will be taken as evidence that the server does not
-                  support EDNS. After enough failures using EDNS and
-                  successes using plain DNS, <span class="command"><strong>named</strong></span>
-                  will default to plain DNS for future communications
-                  with that server.  (Periodically, <span class="command"><strong>named</strong></span>
-                  will send an EDNS query to see if the situation has
-                  improved.)
-                </p>
-                <p>
-                  However, if the initial query is successful with
-                  EDNS advertising a buffer size of 512, then
-                  <span class="command"><strong>named</strong></span> will advertise progressively
-                  larger buffer sizes on successive queries, until
-                  responses begin timing out or
-                  <span class="command"><strong>edns-udp-size</strong></span> is reached.
-                </p>
-                <p>
-                  The default buffer sizes used by <span class="command"><strong>named</strong></span>
-                  are 512, 1232, 1432, and 4096, but never exceeding
-                  <span class="command"><strong>edns-udp-size</strong></span>.  (The values 1232 and
-                  1432 are chosen to allow for an IPv4/IPv6 encapsulated
-                  UDP message to be sent without fragmentation at the
-                  minimum MTU sizes for Ethernet and IPv6 networks.)
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-udp-size</strong></span></span></dt>
-<dd>
-                <p>
-                  Sets the maximum EDNS UDP message size
-                  <span class="command"><strong>named</strong></span> will send in bytes.
-                  Valid values are 512 to 4096 (values outside this
-                  range will be silently adjusted to the nearest
-                  value within it).  The default value is 4096.
-                </p>
-                <p>
-                  This value applies to responses sent by a server; to
-                  set the advertised buffer size in queries, see
-                  <span class="command"><strong>edns-udp-size</strong></span>.
-                </p>
-                <p>
-                  The usual reason for setting
-                  <span class="command"><strong>max-udp-size</strong></span> to a non-default
-                  value is to get UDP answers to pass through broken
-                  firewalls that block fragmented packets and/or
-                  block UDP packets that are greater than 512 bytes.
-                  This is independent of the advertised receive
-                  buffer (<span class="command"><strong>edns-udp-size</strong></span>).
-                </p>
-                <p>
-                  Setting this to a low value will encourage additional
-                  TCP traffic to the nameserver.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt>
-<dd>
-                <p>Specifies
-                  the file format of zone files (see
-                  <a class="xref" href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
-                  The default value is <code class="constant">text</code>, which is the
-                  standard textual representation, except for slave zones,
-                  in which the default value is <code class="constant">raw</code>.
-                  Files in other formats than <code class="constant">text</code> are
-                  typically expected to be generated by the
-                  <span class="command"><strong>named-compilezone</strong></span> tool, or dumped by
-                  <span class="command"><strong>named</strong></span>.
-                </p>
-                <p>
-                  Note that when a zone file in a different format than
-                  <code class="constant">text</code> is loaded, <span class="command"><strong>named</strong></span>
-                  may omit some of the checks which would be performed for a
-                  file in the <code class="constant">text</code> format.  In particular,
-                  <span class="command"><strong>check-names</strong></span> checks do not apply
-                  for the <code class="constant">raw</code> format.  This means
-                  a zone file in the <code class="constant">raw</code> format
-                  must be generated with the same check level as that
-                  specified in the <span class="command"><strong>named</strong></span> configuration
-                  file.  Also, <code class="constant">map</code> format files are
-                  loaded directly into memory via memory mapping, with only
-                  minimal checking.
-                </p>
-                <p>
-                  This statement sets the
-                  <span class="command"><strong>masterfile-format</strong></span> for all zones,
-                  but can be overridden on a per-zone or per-view basis
-                  by including a <span class="command"><strong>masterfile-format</strong></span>
-                  statement within the <span class="command"><strong>zone</strong></span> or
-                  <span class="command"><strong>view</strong></span> block in the configuration
-                  file.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>masterfile-style</strong></span></span></dt>
-<dd>
-                <p>
-                  Specifies the formatting of zone files during dump
-                  when the <code class="option">masterfile-format</code> is
-                  <code class="constant">text</code>. (This option is ignored
-                  with any other <code class="option">masterfile-format</code>.)
-                </p>
-                <p>
-                  When set to <code class="constant">relative</code>,
-                  records are printed in a multi-line format with owner
-                  names expressed relative to a shared origin.  When set
-                  to <code class="constant">full</code>, records are printed in
-                  a single-line format with absolute owner names.
-                  The <code class="constant">full</code> format is most suitable
-                  when a zone file needs to be processed automatically
-                  by a script.  The <code class="constant">relative</code> format
-                  is more human-readable, and is thus suitable when a
-                  zone is to be edited by hand.  The default is
-                  <code class="constant">relative</code>.
-                </p>
-              </dd>
-<dt>
-<a name="max-recursion-depth"></a><span class="term"><span class="command"><strong>max-recursion-depth</strong></span></span>
-</dt>
-<dd>
-                <p>
-                  Sets the maximum number of levels of recursion
-                  that are permitted at any one time while servicing
-                  a recursive query. Resolving a name may require
-                  looking up a name server address, which in turn
-                  requires resolving another name, etc; if the number
-                  of indirections exceeds this value, the recursive
-                  query is terminated and returns SERVFAIL.  The
-                  default is 7.
-                </p>
-              </dd>
-<dt>
-<a name="max-recursion-queries"></a><span class="term"><span class="command"><strong>max-recursion-queries</strong></span></span>
-</dt>
-<dd>
-                <p>
-                  Sets the maximum number of iterative queries that
-                  may be sent while servicing a recursive query.
-                  If more queries are sent, the recursive query
-                  is terminated and returns SERVFAIL. Queries to
-                  look up top level domains such as "com" and "net"
-                  and the DNS root zone are exempt from this limitation.
-                  The default is 75.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
-<dd>
-                <p>
-                  The delay, in seconds, between sending sets of notify
-                  messages for a zone.  The default is five (5) seconds.
-                </p>
-                <p>
-                  The overall rate that NOTIFY messages are sent for all
-                  zones is controlled by <span class="command"><strong>serial-query-rate</strong></span>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>max-rsa-exponent-size</strong></span></span></dt>
-<dd>
-                <p>
-                  The maximum RSA exponent size, in bits, that will
-                  be accepted when validating.  Valid values are 35
-                  to 4096 bits.  The default zero (0) is also accepted
-                  and is equivalent to 4096.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>prefetch</strong></span></span></dt>
-<dd>
-                <p>
-                  When a query is received for cached data which
-                  is to expire shortly, <span class="command"><strong>named</strong></span> can
-                  refresh the data from the authoritative server
-                  immediately, ensuring that the cache always has an
-                  answer available.
-                </p>
-                <p>
-                  The <code class="option">prefetch</code> specifies the
-                  "trigger" TTL value at which prefetch of the current
-                  query will take place: when a cache record with a
-                  lower TTL value is encountered during query processing,
-                  it will be refreshed.  Valid trigger TTL values are 1 to
-                  10 seconds.  Values larger than 10 seconds will be silently
-                  reduced to 10.
-                  Setting a trigger TTL to zero (0) causes
-                  prefetch to be disabled.
-                  The default trigger TTL is <code class="literal">2</code>.
-                </p>
-                <p>
-                  An optional second argument specifies the "eligibility"
-                  TTL: the smallest <span class="emphasis"><em>original</em></span>
-                  TTL value that will be accepted for a record to be
-                  eligible for prefetching.  The eligibility TTL must
-                  be at least six seconds longer than the trigger TTL;
-                  if it isn't, <span class="command"><strong>named</strong></span> will silently
-                  adjust it upward.
-                  The default eligibility TTL is <code class="literal">9</code>.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>v6-bias</strong></span></span></dt>
-<dd>
-                <p>
-                  When determining the next nameserver to try
-                  preference IPv6 nameservers by this many milliseconds.
-                  The default is <code class="literal">50</code> milliseconds.
-                </p>
-              </dd>
-</dl></div>
-
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
-
-          <p>
-            The server provides some helpful diagnostic information
-            through a number of built-in zones under the
-            pseudo-top-level-domain <code class="literal">bind</code> in the
-            <span class="command"><strong>CHAOS</strong></span> class.  These zones are part
-            of a
-            built-in view (see <a class="xref" href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span class="command"><strong>view</strong></span> Statement Grammar&#8221;</a>) of
-            class
-            <span class="command"><strong>CHAOS</strong></span> which is separate from the
-            default view of class <span class="command"><strong>IN</strong></span>. Most global
-            configuration options (<span class="command"><strong>allow-query</strong></span>,
-            etc) will apply to this view, but some are locally
-            overridden: <span class="command"><strong>notify</strong></span>,
-            <span class="command"><strong>recursion</strong></span> and
-            <span class="command"><strong>allow-new-zones</strong></span> are
-            always set to <strong class="userinput"><code>no</code></strong>, and
-            <span class="command"><strong>rate-limit</strong></span> is set to allow
-            three responses per second.
-          </p>
-          <p>
-            If you need to disable these zones, use the options
-            below, or hide the built-in <span class="command"><strong>CHAOS</strong></span>
-            view by
-            defining an explicit view of class <span class="command"><strong>CHAOS</strong></span>
-            that matches all clients.
-          </p>
-
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>version</strong></span></span></dt>
-<dd>
-                <p>
-                  The version the server should report
-                  via a query of the name <code class="literal">version.bind</code>
-                  with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
-                  The default is the real version number of this server.
-                  Specifying <span class="command"><strong>version none</strong></span>
-                  disables processing of the queries.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>hostname</strong></span></span></dt>
-<dd>
-                <p>
-                  The hostname the server should report via a query of
-                  the name <code class="filename">hostname.bind</code>
-                  with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
-                  This defaults to the hostname of the machine hosting the
-                  name server as
-                  found by the gethostname() function.  The primary purpose of such queries
-                  is to
-                  identify which of a group of anycast servers is actually
-                  answering your queries.  Specifying <span class="command"><strong>hostname none;</strong></span>
-                  disables processing of the queries.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>server-id</strong></span></span></dt>
-<dd>
-                <p>
-                  The ID the server should report when receiving a Name
-                  Server Identifier (NSID) query, or a query of the name
-                  <code class="filename">ID.SERVER</code> with type
-                  <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
-                  The primary purpose of such queries is to
-                  identify which of a group of anycast servers is actually
-                  answering your queries.  Specifying <span class="command"><strong>server-id none;</strong></span>
-                  disables processing of the queries.
-                  Specifying <span class="command"><strong>server-id hostname;</strong></span> will cause <span class="command"><strong>named</strong></span> to
-                  use the hostname as found by the gethostname() function.
-                  The default <span class="command"><strong>server-id</strong></span> is <span class="command"><strong>none</strong></span>.
-                </p>
-              </dd>
-</dl></div>
-
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
-
-          <p>
-            The <span class="command"><strong>named</strong></span> server has some built-in
-            empty zones (SOA and NS records only).
-            These are for zones that should normally be answered locally
-            and which queries should not be sent to the Internet's root
-            servers.  The official servers which cover these namespaces
-            return NXDOMAIN responses to these queries.  In particular,
-            these cover the reverse namespaces for addresses from
-            RFC 1918, RFC 4193, RFC 5737 and RFC 6598.  They also include the
-            reverse namespace for IPv6 local address (locally assigned),
-            IPv6 link local addresses, the IPv6 loopback address and the
-            IPv6 unknown address.
-          </p>
-          <p>
-            The server will attempt to determine if a built-in zone
-            already exists or is active (covered by a forward-only
-            forwarding declaration) and will not create an empty
-            zone in that case.
-          </p>
-          <p>
-            The current list of empty zones is:
-            </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">10.IN-ADDR.ARPA</li>
-<li class="listitem">16.172.IN-ADDR.ARPA</li>
-<li class="listitem">17.172.IN-ADDR.ARPA</li>
-<li class="listitem">18.172.IN-ADDR.ARPA</li>
-<li class="listitem">19.172.IN-ADDR.ARPA</li>
-<li class="listitem">20.172.IN-ADDR.ARPA</li>
-<li class="listitem">21.172.IN-ADDR.ARPA</li>
-<li class="listitem">22.172.IN-ADDR.ARPA</li>
-<li class="listitem">23.172.IN-ADDR.ARPA</li>
-<li class="listitem">24.172.IN-ADDR.ARPA</li>
-<li class="listitem">25.172.IN-ADDR.ARPA</li>
-<li class="listitem">26.172.IN-ADDR.ARPA</li>
-<li class="listitem">27.172.IN-ADDR.ARPA</li>
-<li class="listitem">28.172.IN-ADDR.ARPA</li>
-<li class="listitem">29.172.IN-ADDR.ARPA</li>
-<li class="listitem">30.172.IN-ADDR.ARPA</li>
-<li class="listitem">31.172.IN-ADDR.ARPA</li>
-<li class="listitem">168.192.IN-ADDR.ARPA</li>
-<li class="listitem">64.100.IN-ADDR.ARPA</li>
-<li class="listitem">65.100.IN-ADDR.ARPA</li>
-<li class="listitem">66.100.IN-ADDR.ARPA</li>
-<li class="listitem">67.100.IN-ADDR.ARPA</li>
-<li class="listitem">68.100.IN-ADDR.ARPA</li>
-<li class="listitem">69.100.IN-ADDR.ARPA</li>
-<li class="listitem">70.100.IN-ADDR.ARPA</li>
-<li class="listitem">71.100.IN-ADDR.ARPA</li>
-<li class="listitem">72.100.IN-ADDR.ARPA</li>
-<li class="listitem">73.100.IN-ADDR.ARPA</li>
-<li class="listitem">74.100.IN-ADDR.ARPA</li>
-<li class="listitem">75.100.IN-ADDR.ARPA</li>
-<li class="listitem">76.100.IN-ADDR.ARPA</li>
-<li class="listitem">77.100.IN-ADDR.ARPA</li>
-<li class="listitem">78.100.IN-ADDR.ARPA</li>
-<li class="listitem">79.100.IN-ADDR.ARPA</li>
-<li class="listitem">80.100.IN-ADDR.ARPA</li>
-<li class="listitem">81.100.IN-ADDR.ARPA</li>
-<li class="listitem">82.100.IN-ADDR.ARPA</li>
-<li class="listitem">83.100.IN-ADDR.ARPA</li>
-<li class="listitem">84.100.IN-ADDR.ARPA</li>
-<li class="listitem">85.100.IN-ADDR.ARPA</li>
-<li class="listitem">86.100.IN-ADDR.ARPA</li>
-<li class="listitem">87.100.IN-ADDR.ARPA</li>
-<li class="listitem">88.100.IN-ADDR.ARPA</li>
-<li class="listitem">89.100.IN-ADDR.ARPA</li>
-<li class="listitem">90.100.IN-ADDR.ARPA</li>
-<li class="listitem">91.100.IN-ADDR.ARPA</li>
-<li class="listitem">92.100.IN-ADDR.ARPA</li>
-<li class="listitem">93.100.IN-ADDR.ARPA</li>
-<li class="listitem">94.100.IN-ADDR.ARPA</li>
-<li class="listitem">95.100.IN-ADDR.ARPA</li>
-<li class="listitem">96.100.IN-ADDR.ARPA</li>
-<li class="listitem">97.100.IN-ADDR.ARPA</li>
-<li class="listitem">98.100.IN-ADDR.ARPA</li>
-<li class="listitem">99.100.IN-ADDR.ARPA</li>
-<li class="listitem">100.100.IN-ADDR.ARPA</li>
-<li class="listitem">101.100.IN-ADDR.ARPA</li>
-<li class="listitem">102.100.IN-ADDR.ARPA</li>
-<li class="listitem">103.100.IN-ADDR.ARPA</li>
-<li class="listitem">104.100.IN-ADDR.ARPA</li>
-<li class="listitem">105.100.IN-ADDR.ARPA</li>
-<li class="listitem">106.100.IN-ADDR.ARPA</li>
-<li class="listitem">107.100.IN-ADDR.ARPA</li>
-<li class="listitem">108.100.IN-ADDR.ARPA</li>
-<li class="listitem">109.100.IN-ADDR.ARPA</li>
-<li class="listitem">110.100.IN-ADDR.ARPA</li>
-<li class="listitem">111.100.IN-ADDR.ARPA</li>
-<li class="listitem">112.100.IN-ADDR.ARPA</li>
-<li class="listitem">113.100.IN-ADDR.ARPA</li>
-<li class="listitem">114.100.IN-ADDR.ARPA</li>
-<li class="listitem">115.100.IN-ADDR.ARPA</li>
-<li class="listitem">116.100.IN-ADDR.ARPA</li>
-<li class="listitem">117.100.IN-ADDR.ARPA</li>
-<li class="listitem">118.100.IN-ADDR.ARPA</li>
-<li class="listitem">119.100.IN-ADDR.ARPA</li>
-<li class="listitem">120.100.IN-ADDR.ARPA</li>
-<li class="listitem">121.100.IN-ADDR.ARPA</li>
-<li class="listitem">122.100.IN-ADDR.ARPA</li>
-<li class="listitem">123.100.IN-ADDR.ARPA</li>
-<li class="listitem">124.100.IN-ADDR.ARPA</li>
-<li class="listitem">125.100.IN-ADDR.ARPA</li>
-<li class="listitem">126.100.IN-ADDR.ARPA</li>
-<li class="listitem">127.100.IN-ADDR.ARPA</li>
-<li class="listitem">0.IN-ADDR.ARPA</li>
-<li class="listitem">127.IN-ADDR.ARPA</li>
-<li class="listitem">254.169.IN-ADDR.ARPA</li>
-<li class="listitem">2.0.192.IN-ADDR.ARPA</li>
-<li class="listitem">100.51.198.IN-ADDR.ARPA</li>
-<li class="listitem">113.0.203.IN-ADDR.ARPA</li>
-<li class="listitem">255.255.255.255.IN-ADDR.ARPA</li>
-<li class="listitem">0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
-<li class="listitem">1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
-<li class="listitem">8.B.D.0.1.0.0.2.IP6.ARPA</li>
-<li class="listitem">D.F.IP6.ARPA</li>
-<li class="listitem">8.E.F.IP6.ARPA</li>
-<li class="listitem">9.E.F.IP6.ARPA</li>
-<li class="listitem">A.E.F.IP6.ARPA</li>
-<li class="listitem">B.E.F.IP6.ARPA</li>
-</ul></div>
-<p>
-          </p>
-          <p>
-            Empty zones are settable at the view level and only apply to
-            views of class IN.  Disabled empty zones are only inherited
-            from options if there are no disabled empty zones specified
-            at the view level.  To override the options list of disabled
-            zones, you can disable the root zone at the view level, for example:
-</p>
-<pre class="programlisting">
-            disable-empty-zone ".";
-</pre>
-<p>
-          </p>
-          <p>
-            If you are using the address ranges covered here, you should
-            already have reverse zones covering the addresses you use.
-            In practice this appears to not be the case with many queries
-            being made to the infrastructure servers for names in these
-            spaces.  So many in fact that sacrificial servers were needed
-            to be deployed to channel the query load away from the
-            infrastructure servers.
-          </p>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-            The real parent servers for these zones should disable all
-            empty zone under the parent zone they serve.  For the real
-            root servers, this is all built-in empty zones.  This will
-            enable them to return referrals to deeper in the tree.
-          </p>
-</div>
-          <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>empty-server</strong></span></span></dt>
-<dd>
-                <p>
-                  Specify what server name will appear in the returned
-                  SOA record for empty zones.  If none is specified, then
-                  the zone's name will be used.
-                </p>
-               </dd>
-<dt><span class="term"><span class="command"><strong>empty-contact</strong></span></span></dt>
-<dd>
-                <p>
-                  Specify what contact name will appear in the returned
-                  SOA record for empty zones.  If none is specified, then
-                  "." will be used.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>empty-zones-enable</strong></span></span></dt>
-<dd>
-                <p>
-                  Enable or disable all empty zones.  By default, they
-                  are enabled.
-                </p>
-              </dd>
-<dt><span class="term"><span class="command"><strong>disable-empty-zone</strong></span></span></dt>
-<dd>
-                <p>
-                  Disable individual empty zones.  By default, none are
-                  disabled.  This option can be specified multiple times.
-                </p>
-              </dd>
-</dl></div>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="content_filtering"></a>Content Filtering</h4></div></div></div>
-
-          <p>
-            <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
-            out DNS responses from external DNS servers containing
-            certain types of data in the answer section.
-            Specifically, it can reject address (A or AAAA) records if
-            the corresponding IPv4 or IPv6 addresses match the given
-            <code class="varname">address_match_list</code> of the
-            <span class="command"><strong>deny-answer-addresses</strong></span> option.
-            It can also reject CNAME or DNAME records if the "alias"
-            name (i.e., the CNAME alias or the substituted query name
-            due to DNAME) matches the
-            given <code class="varname">namelist</code> of the
-            <span class="command"><strong>deny-answer-aliases</strong></span> option, where
-            "match" means the alias name is a subdomain of one of
-            the <code class="varname">name_list</code> elements.
-            If the optional <code class="varname">namelist</code> is specified
-            with <span class="command"><strong>except-from</strong></span>, records whose query name
-            matches the list will be accepted regardless of the filter
-            setting.
-            Likewise, if the alias name is a subdomain of the
-            corresponding zone, the <span class="command"><strong>deny-answer-aliases</strong></span>
-            filter will not apply;
-            for example, even if "example.com" is specified for
-            <span class="command"><strong>deny-answer-aliases</strong></span>,
-          </p>
-<pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
-
-          <p>
-            returned by an "example.com" server will be accepted.
-          </p>
-
-          <p>
-            In the <code class="varname">address_match_list</code> of the
-            <span class="command"><strong>deny-answer-addresses</strong></span> option, only
-            <code class="varname">ip_addr</code>
-            and <code class="varname">ip_prefix</code>
-            are meaningful;
-            any <code class="varname">key_id</code> will be silently ignored.
-          </p>
-
-          <p>
-            If a response message is rejected due to the filtering,
-            the entire message is discarded without being cached, and
-            a SERVFAIL error will be returned to the client.
-          </p>
-
-          <p>
-            This filtering is intended to prevent "DNS rebinding attacks," in
-            which an attacker, in response to a query for a domain name the
-            attacker controls, returns an IP address within your own network or
-            an alias name within your own domain.
-            A naive web browser or script could then serve as an
-            unintended proxy, allowing the attacker
-            to get access to an internal node of your local network
-            that couldn't be externally accessed otherwise.
-            See the paper available at
-            <a class="link" href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top">
-            http://portal.acm.org/citation.cfm?id=1315245.1315298
-            </a>
-            for more details about the attacks.
-          </p>
-
-          <p>
-            For example, if you own a domain named "example.net" and
-            your internal network uses an IPv4 prefix 192.0.2.0/24,
-            you might specify the following rules:
-          </p>
-
-<pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
-deny-answer-aliases { "example.net"; };
-</pre>
-
-          <p>
-            If an external attacker lets a web browser in your local
-            network look up an IPv4 address of "attacker.example.com",
-            the attacker's DNS server would return a response like this:
-          </p>
-
-<pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
-
-          <p>
-            in the answer section.
-            Since the rdata of this record (the IPv4 address) matches
-            the specified prefix 192.0.2.0/24, this response will be
-            ignored.
-          </p>
-
-          <p>
-            On the other hand, if the browser looks up a legitimate
-            internal web server "www.example.net" and the
-            following response is returned to
-            the <acronym class="acronym">BIND</acronym> 9 server
-          </p>
-
-<pre class="programlisting">www.example.net. A 192.0.2.2</pre>
-
-          <p>
-            it will be accepted since the owner name "www.example.net"
-            matches the <span class="command"><strong>except-from</strong></span> element,
-            "example.net".
-          </p>
-
-          <p>
-            Note that this is not really an attack on the DNS per se.
-            In fact, there is nothing wrong for an "external" name to
-            be mapped to your "internal" IP address or domain name
-            from the DNS point of view.
-            It might actually be provided for a legitimate purpose,
-            such as for debugging.
-            As long as the mapping is provided by the correct owner,
-            it is not possible or does not make sense to detect
-            whether the intent of the mapping is legitimate or not
-            within the DNS.
-            The "rebinding" attack must primarily be protected at the
-            application that uses the DNS.
-            For a large site, however, it may be difficult to protect
-            all possible applications at once.
-            This filtering feature is provided only to help such an
-            operational environment;
-            it is generally discouraged to turn it on unless you are
-            very sure you have no other choice and the attack is a
-            real threat for your applications.
-          </p>
-
-          <p>
-            Care should be particularly taken if you want to use this
-            option for addresses within 127.0.0.0/8.
-            These addresses are obviously "internal", but many
-            applications conventionally rely on a DNS mapping from
-            some name to such an address.
-            Filtering out DNS records containing this address
-            spuriously can break such applications.
-          </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rpz"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
-
-          <p>
-            <acronym class="acronym">BIND</acronym> 9 includes a limited
-            mechanism to modify DNS responses for requests
-            analogous to email anti-spam DNS blacklists.
-            Responses can be changed to deny the existence of domains (NXDOMAIN),
-            deny the existence of IP addresses for domains (NODATA),
-            or contain other IP addresses or data.
-          </p>
-
-          <p>
-            Response policy zones are named in the
-            <span class="command"><strong>response-policy</strong></span> option for the view or among the
-            global options if there is no response-policy option for the view.
-            Response policy zones are ordinary DNS zones containing RRsets
-            that can be queried normally if allowed.
-            It is usually best to restrict those queries with something like
-            <span class="command"><strong>allow-query { localhost; };</strong></span>.
-            Note that zones using <span class="command"><strong>masterfile-format map</strong></span>
-            cannot be used as policy zones.
-          </p>
-
-          <p>
-            A <span class="command"><strong>response-policy</strong></span> option can support
-            multiple policy zones.  To maximize performance, a radix
-            tree is used to quickly identify response policy zones
-            containing triggers that match the current query.  This
-            imposes an upper limit of 32 on the number of policy zones
-            in a single <span class="command"><strong>response-policy</strong></span> option; more
-            than that is a configuration error.
-          </p>
-
-          <p>
-            Five policy triggers can be encoded in RPZ records.
-            </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>RPZ-CLIENT-IP</strong></span></span></dt>
-<dd>
-                  <p>
-                    IP records are triggered by the IP address of the
-                    DNS client.
-                    Client IP address triggers are encoded in records that have
-                    owner names that are subdomains of
-                    <span class="command"><strong>rpz-client-ip</strong></span> relativized to the
-                    policy zone origin name
-                    and encode an address or address block.
-                    IPv4 addresses are represented as
-                    <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-client-ip</code></strong>.
-                    The IPv4 prefix length must be between 1 and 32.
-                    All four bytes, B4, B3, B2, and B1, must be present.
-                    B4 is the decimal value of the least significant byte of the
-                    IPv4 address as in IN-ADDR.ARPA.
-                  </p>
-
-                  <p>
-                    IPv6 addresses are encoded in a format similar
-                    to the standard IPv6 text representation,
-                    <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip</code></strong>.
-                    Each of W8,...,W1 is a one to four digit hexadecimal number
-                    representing 16 bits of the IPv6 address as in the standard
-                    text representation of IPv6 addresses, but reversed as in
-                    IP6.ARPA. (Note that this representation of IPv6
-                    address is different from IP6.ARPA where each hex
-                    digit occupies a label.)
-                    All 8 words must be present except when one set of consecutive
-                    zero words is replaced with <strong class="userinput"><code>.zz.</code></strong>
-                    analogous to double colons (::) in standard IPv6 text
-                    encodings.
-                    The IPv6 prefix length must be between 1 and 128.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>QNAME</strong></span></span></dt>
-<dd>
-                  <p>
-                    QNAME policy records are triggered by query names of
-                    requests and targets of CNAME records resolved to generate
-                    the response.
-                    The owner name of a QNAME policy record is
-                    the query name relativized to the policy zone.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>RPZ-IP</strong></span></span></dt>
-<dd>
-                  <p>
-                    IP triggers are IP addresses in an
-                    A or AAAA record in the ANSWER section of a response.
-                    They are encoded like client-IP triggers except as
-                    subdomains of <span class="command"><strong>rpz-ip</strong></span>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>RPZ-NSDNAME</strong></span></span></dt>
-<dd>
-                  <p>
-                    NSDNAME triggers match names of authoritative servers
-                    for the query name, a parent of the query name, a CNAME for
-                    query name, or a parent of a CNAME.
-                    They are encoded as subdomains of
-                    <span class="command"><strong>rpz-nsdname</strong></span> relativized
-                    to the RPZ origin name.
-                    NSIP triggers match IP addresses in A and
-                    AAAA RRsets for domains that can be checked against NSDNAME
-                    policy records.
-                    The <span class="command"><strong>nsdname-enable</strong></span> phrase turns NSDNAME
-                    triggers off or on for a single policy zone or all
-                    zones.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>RPZ-NSIP</strong></span></span></dt>
-<dd>
-                  <p>
-                    NSIP triggers match the IP addresses of authoritative
-                    servers.  They are enncoded like IP triggers, except as
-                    subdomains of <span class="command"><strong>rpz-nsip</strong></span>.
-                    NSDNAME and NSIP triggers are checked only for names with at
-                    least <span class="command"><strong>min-ns-dots</strong></span> dots.
-                    The default value of <span class="command"><strong>min-ns-dots</strong></span> is
-                    1, to exclude top level domains.
-                    The <span class="command"><strong>nsip-enable</strong></span> phrase turns NSIP
-                    triggers off or on for a single policy zone or all
-                    zones.
-                  </p>
-                  <p>
-                    If a name server's IP address is not yet known,
-                    <span class="command"><strong>named</strong></span> will recursively look up
-                    the IP address before applying an RPZ-NSIP rule.
-                    This can cause a processing delay. To speed up
-                    processing at the cost of precision, the
-                    <span class="command"><strong>nsip-wait-recurse</strong></span> option
-                    can be used: when set to <strong class="userinput"><code>no</code></strong>,
-                    RPZ-NSIP rules will only be applied when a name
-                    servers's IP address has already been looked up and
-                    cached.  If a server's IP address is not in the
-                    cache, then the RPZ-NSIP rule will be ignored,
-                    but the address will be looked up in the
-                    background, and the rule will be applied
-                    to subsequent queries.  The default is
-                    <strong class="userinput"><code>yes</code></strong>, meaning RPZ-NSIP
-                    rules should always be applied even if an
-                    address needs to be looked up first.
-                  </p>
-                </dd>
-</dl></div>
-<p>
-          </p>
-
-          <p>
-            The query response is checked against all response policy zones,
-            so two or more policy records can be triggered by a response.
-            Because DNS responses are rewritten according to at most one
-            policy record, a single record encoding an action (other than
-            <span class="command"><strong>DISABLED</strong></span> actions) must be chosen.
-            Triggers or the records that encode them are chosen for the
-            rewriting in the following order:
-            </p>
-<div class="orderedlist"><ol class="orderedlist" type="1">
-<li class="listitem">Choose the triggered record in the zone that appears
-                first in the <span class="command"><strong>response-policy</strong></span> option.
-              </li>
-<li class="listitem">Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP
-                triggers in a single zone.
-              </li>
-<li class="listitem">Among NSDNAME triggers, prefer the
-                trigger that matches the smallest name under the DNSSEC ordering.
-              </li>
-<li class="listitem">Among IP or NSIP triggers, prefer the trigger
-                with the longest prefix.
-              </li>
-<li class="listitem">Among triggers with the same prefix length,
-                prefer the IP or NSIP trigger that matches
-                the smallest IP address.
-              </li>
-</ol></div>
-<p>
-          </p>
-
-          <p>
-            When the processing of a response is restarted to resolve
-            DNAME or CNAME records and a policy record set has
-            not been triggered,
-            all response policy zones are again consulted for the
-            DNAME or CNAME names and addresses.
-          </p>
-
-          <p>
-            RPZ record sets are any types of DNS record except
-            DNAME or DNSSEC that encode actions or responses to
-            individual queries.
-            Any of the policies can be used with any of the triggers.
-            For example, while the <span class="command"><strong>TCP-only</strong></span> policy is
-            commonly used with <span class="command"><strong>client-IP</strong></span> triggers,
-            it can be used with any type of trigger to force the use of
-            TCP for responses with owner names in a zone.
-            </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>PASSTHRU</strong></span></span></dt>
-<dd>
-                  <p>
-                    The whitelist policy is specified
-                    by a CNAME whose target is <span class="command"><strong>rpz-passthru</strong></span>.
-                    It causes the response to not be rewritten
-                    and is most often used to "poke holes" in policies for
-                    CIDR blocks.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>DROP</strong></span></span></dt>
-<dd>
-                  <p>
-                    The blacklist policy is specified
-                    by a CNAME whose target is <span class="command"><strong>rpz-drop</strong></span>.
-                    It causes the response to be discarded.
-                    Nothing is sent to the DNS client.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>TCP-Only</strong></span></span></dt>
-<dd>
-                  <p>
-                    The "slip" policy is specified
-                    by a CNAME whose target is <span class="command"><strong>rpz-tcp-only</strong></span>.
-                    It changes UDP responses to short, truncated DNS responses
-                    that require the DNS client to try again with TCP.
-                    It is used to mitigate distributed DNS reflection attacks.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>NXDOMAIN</strong></span></span></dt>
-<dd>
-                  <p>
-                    The domain undefined response is encoded
-                    by a CNAME whose target is the root domain (.)
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>NODATA</strong></span></span></dt>
-<dd>
-                  <p>
-                    The empty set of resource records is specified by
-                    CNAME whose target is the wildcard top-level
-                    domain (*.).
-                    It rewrites the response to NODATA or ANCOUNT=1.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>Local Data</strong></span></span></dt>
-<dd>
-                  <p>
-                    A set of ordinary DNS records can be used to answer queries.
-                    Queries for record types not the set are answered with
-                    NODATA.
-                  </p>
-
-                  <p>
-                    A special form of local data is a CNAME whose target is a
-                    wildcard such as *.example.com.
-                    It is used as if were an ordinary CNAME after the asterisk (*)
-                    has been replaced with the query name.
-                    The purpose for this special form is query logging in the
-                    walled garden's authority DNS server.
-                  </p>
-                </dd>
-</dl></div>
-<p>
-          </p>
-
-          <p>
-            All of the actions specified in all of the individual records
-            in a policy zone
-            can be overridden with a <span class="command"><strong>policy</strong></span> clause in the
-            <span class="command"><strong>response-policy</strong></span> option.
-            An organization using a policy zone provided by another
-            organization might use this mechanism to redirect domains
-            to its own walled garden.
-            </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>GIVEN</strong></span></span></dt>
-<dd>
-                  <p>The placeholder policy says "do not override but
-                    perform the action specified in the zone."
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>DISABLED</strong></span></span></dt>
-<dd>
-                  <p>
-                    The testing override policy causes policy zone records to do
-                    nothing but log what they would have done if the
-                    policy zone were not disabled.
-                    The response to the DNS query will be written (or not)
-                    according to any triggered policy records that are not
-                    disabled.
-                    Disabled policy zones should appear first,
-                    because they will often not be logged
-                    if a higher precedence trigger is found first.
-                  </p>
-                </dd>
-<dt>
-<span class="term"><span class="command"><strong>PASSTHRU</strong></span>, </span><span class="term"><span class="command"><strong>DROP</strong></span>, </span><span class="term"><span class="command"><strong>TCP-Only</strong></span>, </span><span class="term"><span class="command"><strong>NXDOMAIN</strong></span>, </span><span class="term"><span class="command"><strong>NODATA</strong></span></span>
-</dt>
-<dd>
-                  <p>
-                    override with the corresponding per-record policy.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>CNAME domain</strong></span></span></dt>
-<dd>
-                    <p>
-                      causes all RPZ policy records to act as if they were
-                      "cname domain" records.
-                    </p>
-                  </dd>
-</dl></div>
-<p>
-          </p>
-
-          <p>
-            By default, the actions encoded in a response policy zone
-            are applied only to queries that ask for recursion (RD=1).
-            That default can be changed for a single policy zone or
-            all response policy zones in a view
-            with a <span class="command"><strong>recursive-only no</strong></span> clause.
-            This feature is useful for serving the same zone files
-            both inside and outside an RFC 1918 cloud and using RPZ to
-            delete answers that would otherwise contain RFC 1918 values
-            on the externally visible name server or view.
-          </p>
-
-          <p>
-            Also by default, RPZ actions are applied only to DNS requests
-            that either do not request DNSSEC metadata (DO=0) or when no
-            DNSSEC records are available for request name in the original
-            zone (not the response policy zone).  This default can be
-            changed for all response policy zones in a view with a
-            <span class="command"><strong>break-dnssec yes</strong></span> clause.  In that case, RPZ
-            actions are applied regardless of DNSSEC.  The name of the
-            clause option reflects the fact that results rewritten by RPZ
-            actions cannot verify.
-          </p>
-
-          <p>
-            No DNS records are needed for a QNAME or Client-IP trigger.
-            The name or IP address itself is sufficient,
-            so in principle the query name need not be recursively resolved.
-            However, not resolving the requested
-            name can leak the fact that response policy rewriting is in use
-            and that the name is listed in a policy zone to operators of
-            servers for listed names.  To prevent that information leak, by
-            default any recursion needed for a request is done before any
-            policy triggers are considered.  Because listed domains often
-            have slow authoritative servers, this behavior can cost
-            significant time.
-            The <span class="command"><strong>qname-wait-recurse yes</strong></span> option
-            overrides the default and enables that behavior
-            when recursion cannot change a non-error response.
-            The option does not affect QNAME or client-IP triggers
-            in policy zones listed
-            after other zones containing IP, NSIP and NSDNAME triggers, because
-            those may depend on the A, AAAA, and NS records that would be
-            found during recursive resolution.  It also does not affect
-            DNSSEC requests (DO=1) unless <span class="command"><strong>break-dnssec yes</strong></span>
-            is in use, because the response would depend on whether or not
-            RRSIG records were found during resolution.
-            Using this option can cause error responses such as SERVFAIL to
-            appear to be rewritten, since no recursion is being done to
-            discover problems at the authoritative server.
-          </p>
-
-          <p>
-            The <span class="command"><strong>dnsrps-enable yes</strong></span> option turns on
-            the DNS Rsponse Policy Service (DNSRPS) interface, if it has been
-            compiled in to <span class="command"><strong>named</strong></span> using
-            <span class="command"><strong>configure --enable-dnsrps</strong></span>.
-          </p>
-
-          <p>
-            The <span class="command"><strong>dnsrps-options</strong></span> block provides additional
-            RPZ configuration settings, which are passed through to the
-            DNSRPS provider library.
-            Multiple DNSRPS settings in an <span class="command"><strong>dnsrps-options</strong></span>
-            string should be separated with semi-colons.
-            The DNSRPS provider, librpz, is passed a configuration string
-            consisting of the <span class="command"><strong>dnsrps-options</strong></span> text,
-            concatenated with settings derived from the
-            <span class="command"><strong>response-policy</strong></span> statement.
-          </p>
-
-          <p>
-            Note: The <span class="command"><strong>dnsrps-options</strong></span> text should only include
-            configuration settings that are specific to the DNSRPS
-            provider.  For example, the DNSRPS provider from
-            Farsight Security takes options such as
-            <span class="command"><strong>dnsrpzd-conf</strong></span>,
-            <span class="command"><strong>dnsrpzd-sock</strong></span>, and
-            <span class="command"><strong>dnzrpzd-args</strong></span> (for details of these options,
-            see the <span class="command"><strong>librpz</strong></span> documentation).
-            Other RPZ configuration settings could be included in
-            <span class="command"><strong>dnsrps-options</strong></span>
-            as well, but if <span class="command"><strong>named</strong></span> were switched
-            back to traditional RPZ by setting
-            <span class="command"><strong>dnsrps-enable</strong></span> to "no", those options would
-            be ignored.
-          </p>
-
-          <p>
-            The TTL of a record modified by RPZ policies is set from the
-            TTL of the relevant record in policy zone.  It is then limited
-            to a maximum value.
-            The <span class="command"><strong>max-policy-ttl</strong></span> clause changes the
-            maximum seconds from its default of 5.
-          </p>
-
-          <p>
-            For example, you might use this option statement
-          </p>
-<pre class="programlisting">    response-policy { zone "badlist"; };</pre>
-          <p>
-            and this zone statement
-          </p>
-<pre class="programlisting">    zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
-          <p>
-            with this zone file
-          </p>
-<pre class="programlisting">$TTL 1H
-@                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
-                        NS  LOCALHOST.
-
-; QNAME policy records.  There are no periods (.) after the owner names.
-nxdomain.domain.com     CNAME   .               ; NXDOMAIN policy
-*.nxdomain.domain.com   CNAME   .               ; NXDOMAIN policy
-nodata.domain.com       CNAME   *.              ; NODATA policy
-*.nodata.domain.com     CNAME   *.              ; NODATA policy
-bad.domain.com          A       10.0.0.1        ; redirect to a walled garden
-                        AAAA    2001:2::1
-bzone.domain.com        CNAME   garden.example.com.
-
-; do not rewrite (PASSTHRU) OK.DOMAIN.COM
-ok.domain.com           CNAME   rpz-passthru.
-
-; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
-*.bzone.domain.com      CNAME   *.garden.example.com.
-
-
-; IP policy records that rewrite all responses containing A records in 127/8
-;       except 127.0.0.1
-8.0.0.0.127.rpz-ip      CNAME   .
-32.1.0.0.127.rpz-ip     CNAME   rpz-passthru.
-
-; NSDNAME and NSIP policy records
-ns.domain.com.rpz-nsdname   CNAME   .
-48.zz.2.2001.rpz-nsip       CNAME   .
-
-; blacklist and whitelist some DNS clients
-112.zz.2001.rpz-client-ip    CNAME   rpz-drop.
-8.0.0.0.127.rpz-client-ip    CNAME   rpz-drop.
-
-; force some DNS clients and responses in the example.com zone to TCP
-16.0.0.1.10.rpz-client-ip   CNAME   rpz-tcp-only.
-example.com                 CNAME   rpz-tcp-only.
-*.example.com               CNAME   rpz-tcp-only.
-
-</pre>
-          <p>
-            RPZ can affect server performance.
-            Each configured response policy zone requires the server to
-            perform one to four additional database lookups before a
-            query can be answered.
-            For example, a DNS server with four policy zones, each with all
-            four kinds of response triggers, QNAME, IP, NSIP, and
-            NSDNAME, requires a total of 17 times as many database
-            lookups as a similar DNS server with no response policy zones.
-            A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
-            response policy zone with QNAME and IP triggers might achieve a
-            maximum queries-per-second rate about 20% lower.
-            A server with four response policy zones with QNAME and IP
-            triggers might have a maximum QPS rate about 50% lower.
-          </p>
-
-          <p>
-            Responses rewritten by RPZ are counted in the
-            <span class="command"><strong>RPZRewrites</strong></span> statistics.
-          </p>
-
-          <p>
-            The <span class="command"><strong>log</strong></span> clause can be used to optionally
-            turn off rewrite logging for a particular response policy
-            zone. By default, all rewrites are logged.
-          </p>
-
-          <p>
-            Updates to RPZ zones are processed asynchronously; if there
-            is more than one update pending they are bundled together.
-            If an update to a RPZ zone (for example, via IXFR) happens less
-            than <code class="option">min-update-interval</code> seconds after the most
-            recent update, then the changes will not be carried out until this
-            interval has elapsed.  The default is <code class="literal">5</code> seconds.
-          </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rrl"></a>Response Rate Limiting</h4></div></div></div>
-
-          <p>
-            Excessive almost identical UDP <span class="emphasis"><em>responses</em></span>
-            can be controlled by configuring a
-            <span class="command"><strong>rate-limit</strong></span> clause in an
-            <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> statement.
-            This mechanism keeps authoritative BIND 9 from being used
-            in amplifying reflection denial of service (DoS) attacks.
-            Short truncated (TC=1) responses can be sent to provide
-            rate-limited responses to legitimate clients within
-            a range of forged, attacked IP addresses.
-            Legitimate clients react to dropped or truncated response
-            by retrying with UDP or with TCP respectively.
-          </p>
-
-          <p>
-            This mechanism is intended for authoritative DNS servers.
-            It can be used on recursive servers but can slow
-            applications such as SMTP servers (mail receivers) and
-            HTTP clients (web browsers) that repeatedly request the
-            same domains.
-            When possible, closing "open" recursive servers is better.
-          </p>
-
-          <p>
-            Response rate limiting uses a "credit" or "token bucket" scheme.
-            Each combination of identical response and client
-            has a conceptual account that earns a specified number
-            of credits every second.
-            A prospective response debits its account by one.
-            Responses are dropped or truncated
-            while the account is negative.
-            Responses are tracked within a rolling window of time
-            which defaults to 15 seconds, but can be configured with
-            the <span class="command"><strong>window</strong></span> option to any value from
-            1 to 3600 seconds (1 hour).
-            The account cannot become more positive than
-            the per-second limit
-            or more negative than <span class="command"><strong>window</strong></span>
-            times the per-second limit.
-            When the specified number of credits for a class of
-            responses is set to 0, those responses are not rate limited.
-          </p>
-
-          <p>
-            The notions of "identical response" and "DNS client"
-            for rate limiting are not simplistic.
-            All responses to an address block are counted as if to a
-            single client.
-            The prefix lengths of addresses blocks are
-            specified with <span class="command"><strong>ipv4-prefix-length</strong></span> (default 24)
-            and <span class="command"><strong>ipv6-prefix-length</strong></span> (default 56).
-          </p>
-
-          <p>
-            All non-empty responses for a valid domain name (qname)
-            and record type (qtype) are identical and have a limit specified
-            with <span class="command"><strong>responses-per-second</strong></span>
-            (default 0 or no limit).
-            All empty (NODATA) responses for a valid domain,
-            regardless of query type, are identical.
-            Responses in the NODATA class are limited by
-            <span class="command"><strong>nodata-per-second</strong></span>
-            (default <span class="command"><strong>responses-per-second</strong></span>).
-            Requests for any and all undefined subdomains of a given
-            valid domain result in NXDOMAIN errors, and are identical
-            regardless of query type.
-            They are limited by <span class="command"><strong>nxdomains-per-second</strong></span>
-            (default <span class="command"><strong>responses-per-second</strong></span>).
-            This controls some attacks using random names, but
-            can be relaxed or turned off (set to 0)
-            on servers that expect many legitimate
-            NXDOMAIN responses, such as from anti-spam blacklists.
-            Referrals or delegations to the server of a given
-            domain are identical and are limited by
-            <span class="command"><strong>referrals-per-second</strong></span>
-            (default <span class="command"><strong>responses-per-second</strong></span>).
-          </p>
-
-          <p>
-            Responses generated from local wildcards are counted and limited
-            as if they were for the parent domain name.
-            This controls flooding using random.wild.example.com.
-          </p>
-
-          <p>
-            All requests that result in DNS errors other
-            than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
-            regardless of requested name (qname) or record type (qtype).
-            This controls attacks using invalid requests or distant,
-            broken authoritative servers.
-            By default the limit on errors is the same as the
-            <span class="command"><strong>responses-per-second</strong></span> value,
-            but it can be set separately with
-            <span class="command"><strong>errors-per-second</strong></span>.
-          </p>
-
-          <p>
-            Many attacks using DNS involve UDP requests with forged source
-            addresses.
-            Rate limiting prevents the use of BIND 9 to flood a network
-            with responses to requests with forged source addresses,
-            but could let a third party block responses to legitimate requests.
-            There is a mechanism that can answer some legitimate
-            requests from a client whose address is being forged in a flood.
-            Setting <span class="command"><strong>slip</strong></span> to 2 (its default) causes every
-            other UDP request to be answered with a small truncated (TC=1)
-            response.
-            The small size and reduced frequency, and so lack of
-            amplification, of "slipped" responses make them unattractive
-            for reflection DoS attacks.
-            <span class="command"><strong>slip</strong></span> must be between 0 and 10.
-            A value of 0 does not "slip":
-            no truncated responses are sent due to rate limiting,
-            all responses are dropped.
-            A value of 1 causes every response to slip;
-            values between 2 and 10 cause every n'th response to slip.
-            Some error responses including REFUSED and SERVFAIL
-            cannot be replaced with truncated responses and are instead
-            leaked at the <span class="command"><strong>slip</strong></span> rate.
-          </p>
-
-          <p>
-            (NOTE: Dropped responses from an authoritative server may
-            reduce the difficulty of a third party successfully forging
-            a response to a recursive resolver. The best security
-            against forged responses is for authoritative operators
-            to sign their zones using DNSSEC and for resolver operators
-            to validate the responses. When this is not an option,
-            operators who are more concerned with response integrity
-            than with flood mitigation may consider setting
-            <span class="command"><strong>slip</strong></span> to 1, causing all rate-limited
-            responses to be truncated rather than dropped.  This reduces
-            the effectiveness of rate-limiting against reflection attacks.)
-          </p>
-
-          <p>
-            When the approximate query per second rate exceeds
-            the <span class="command"><strong>qps-scale</strong></span> value,
-            then the <span class="command"><strong>responses-per-second</strong></span>,
-            <span class="command"><strong>errors-per-second</strong></span>,
-            <span class="command"><strong>nxdomains-per-second</strong></span> and
-            <span class="command"><strong>all-per-second</strong></span> values are reduced by the
-            ratio of the current rate to the <span class="command"><strong>qps-scale</strong></span> value.
-            This feature can tighten defenses during attacks.
-            For example, with
-            <span class="command"><strong>qps-scale 250; responses-per-second 20;</strong></span> and
-            a total query rate of 1000 queries/second for all queries from
-            all DNS clients including via TCP,
-            then the effective responses/second limit changes to
-            (250/1000)*20 or 5.
-            Responses sent via TCP are not limited
-            but are counted to compute the query per second rate.
-          </p>
-
-          <p>
-            Rate limiters for different name spaces maintain
-            separate counters: If, for example, there is a
-            <span class="command"><strong>rate-limit</strong></span> statement for "com" and
-            another for "example.com", queries matching "example.com"
-            will not be debited against the rate limiter for "com".
-          </p>
-
-          <p>
-            If a <span class="command"><strong>rate-limit</strong></span> statement does not specify a
-            <span class="command"><strong>domain</strong></span>, then it applies to the root domain
-            (".") and thus affects the entire DNS namespace, except those
-            portions covered by other <span class="command"><strong>rate-limit</strong></span>
-            statements.
-          </p>
-
-          <p>
-            Communities of DNS clients can be given their own parameters or no
-            rate limiting by putting
-            <span class="command"><strong>rate-limit</strong></span> statements in <span class="command"><strong>view</strong></span>
-            statements instead of the global <span class="command"><strong>option</strong></span>
-            statement.
-            A <span class="command"><strong>rate-limit</strong></span> statement in a view replaces,
-            rather than supplementing, a <span class="command"><strong>rate-limit</strong></span>
-            statement among the main options.
-            DNS clients within a view can be exempted from rate limits
-            with the <span class="command"><strong>exempt-clients</strong></span> clause.
-          </p>
-
-          <p>
-            UDP responses of all kinds can be limited with the
-            <span class="command"><strong>all-per-second</strong></span> phrase.  This rate
-            limiting is unlike the rate limiting provided by
-            <span class="command"><strong>responses-per-second</strong></span>,
-            <span class="command"><strong>errors-per-second</strong></span>, and
-            <span class="command"><strong>nxdomains-per-second</strong></span> on a DNS server
-            which are often invisible to the victim of a DNS
-            reflection attack.  Unless the forged requests of the
-            attack are the same as the legitimate requests of the
-            victim, the victim's requests are not affected.  Responses
-            affected by an <span class="command"><strong>all-per-second</strong></span> limit
-            are always dropped; the <span class="command"><strong>slip</strong></span> value
-            has no effect.  An <span class="command"><strong>all-per-second</strong></span>
-            limit should be at least 4 times as large as the other
-            limits, because single DNS clients often send bursts
-            of legitimate requests.  For example, the receipt of a
-            single mail message can prompt requests from an SMTP
-            server for NS, PTR, A, and AAAA records as the incoming
-            SMTP/TCP/IP connection is considered.  The SMTP server
-            can need additional NS, A, AAAA, MX, TXT, and SPF records
-            as it considers the STMP <span class="command"><strong>Mail From</strong></span>
-            command.  Web browsers often repeatedly resolve the
-            same names that are repeated in HTML &lt;IMG&gt; tags
-            in a page.  <span class="command"><strong>all-per-second</strong></span> is similar
-            to the rate limiting offered by firewalls but often
-            inferior.  Attacks that justify ignoring the contents
-            of DNS responses are likely to be attacks on the DNS
-            server itself.  They usually should be discarded before
-            the DNS server spends resources make TCP connections
-            or parsing DNS requests, but that rate limiting must
-            be done before the DNS server sees the requests.
-          </p>
-
-          <p>
-            The maximum size of the table used to track requests and
-            rate limit responses is set with <span class="command"><strong>max-table-size</strong></span>.
-            Each entry in the table is between 40 and 80 bytes.
-            The table needs approximately as many entries as the number
-            of requests received per second.
-            The default is 20,000.
-            To reduce the cold start of growing the table,
-            <span class="command"><strong>min-table-size</strong></span> (default 500)
-            can set the minimum table size.
-            Enable <span class="command"><strong>rate-limit</strong></span> category logging to monitor
-            expansions of the table and inform
-            choices for the initial and maximum table size.
-          </p>
-
-          <p>
-            Use <span class="command"><strong>log-only yes</strong></span> to test rate limiting parameters
-            without actually dropping any requests.
-          </p>
-
-          <p>
-            Responses dropped by rate limits are included in the
-            <span class="command"><strong>RateDropped</strong></span> and <span class="command"><strong>QryDropped</strong></span>
-            statistics.
-            Responses that truncated by rate limits are included in
-            <span class="command"><strong>RateSlipped</strong></span> and <span class="command"><strong>RespTruncated</strong></span>.
-          </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"></div>
-          <p>
-            Named supports NXDOMAIN redirection via two methods:
-            </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">Redirect zone <a class="xref" href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called &#8220;<span class="command"><strong>zone</strong></span>
-            Statement Grammar&#8221;</a>
-</li>
-<li class="listitem">Redirect namespace</li>
-</ul></div>
-<p>
-          </p>
-          <p>
-            With both methods when named gets a NXDOMAIN response
-            it examines a separate namespace to see if the NXDOMAIN
-            response should be replaced with an alternative response.
-          </p>
-          <p>
-            With a redirect zone (<span class="command"><strong>zone "." { type redirect; };</strong></span>), the
-            data used to replace the NXDOMAIN is held in a single
-            zone which is not part of the normal namespace.  All the
-            redirect information is contained in the zone; there are
-            no delegations.
-          </p>
-          <p>
-            With a redirect namespace (<span class="command"><strong>option { nxdomain-redirect
-            &lt;suffix&gt; };</strong></span>) the data used to replace the
-            NXDOMAIN is part of the normal namespace and is looked up by
-            appending the specified suffix to the original query name.
-            This roughly doubles the cache required to process NXDOMAIN
-            responses as you have the original NXDOMAIN response and
-            the replacement data or a NXDOMAIN indicating that there
-            is no replacement.
-          </p>
-          <p>
-            If both a redirect zone and a redirect namespace are configured,
-            the redirect zone is tried first.
-          </p>
-        </div>
-      </div>
-
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_grammar"></a><span class="command"><strong>server</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
-<span class="command"><strong>server</strong></span> <em class="replaceable"><code>netprefix</code></em> {
-       <span class="command"><strong>bogus</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>edns</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>edns-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>edns-version</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>keys</strong></span> <em class="replaceable"><code>server_key</code></em>;
-       <span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
-           <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ]
-           [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>padding</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>query-source</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (
-           <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]
-           <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>query-source-v6</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (
-           <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) ]
-           <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>request-nsid</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>send-cookie</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>tcp-keepalive</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>tcp-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>transfer-format</strong></span> ( many-answers | one-answer );
-       <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
-           <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )
-           ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>transfers</strong></span> <em class="replaceable"><code>integer</code></em>;
-};
-</pre>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_definition_and_usage"></a><span class="command"><strong>server</strong></span> Statement Definition and
-            Usage</h3></div></div></div>
-
-          <p>
-            The <span class="command"><strong>server</strong></span> statement defines
-            characteristics
-            to be associated with a remote name server.  If a prefix length is
-            specified, then a range of servers is covered.  Only the most
-            specific
-            server clause applies regardless of the order in
-            <code class="filename">named.conf</code>.
-          </p>
-
-          <p>
-            The <span class="command"><strong>server</strong></span> statement can occur at
-            the top level of the
-            configuration file or inside a <span class="command"><strong>view</strong></span>
-            statement.
-            If a <span class="command"><strong>view</strong></span> statement contains
-            one or more <span class="command"><strong>server</strong></span> statements, only
-            those
-            apply to the view and any top-level ones are ignored.
-            If a view contains no <span class="command"><strong>server</strong></span>
-            statements,
-            any top-level <span class="command"><strong>server</strong></span> statements are
-            used as
-            defaults.
-          </p>
-
-          <p>
-            If you discover that a remote server is giving out bad data,
-            marking it as bogus will prevent further queries to it. The
-            default
-            value of <span class="command"><strong>bogus</strong></span> is <span class="command"><strong>no</strong></span>.
-          </p>
-          <p>
-            The <span class="command"><strong>provide-ixfr</strong></span> clause determines
-            whether
-            the local server, acting as master, will respond with an
-            incremental
-            zone transfer when the given remote server, a slave, requests it.
-            If set to <span class="command"><strong>yes</strong></span>, incremental transfer
-            will be provided
-            whenever possible. If set to <span class="command"><strong>no</strong></span>,
-            all transfers
-            to the remote server will be non-incremental. If not set, the
-            value
-            of the <span class="command"><strong>provide-ixfr</strong></span> option in the
-            view or
-            global options block is used as a default.
-          </p>
-
-          <p>
-            The <span class="command"><strong>request-ixfr</strong></span> clause determines
-            whether
-            the local server, acting as a slave, will request incremental zone
-            transfers from the given remote server, a master. If not set, the
-            value of the <span class="command"><strong>request-ixfr</strong></span> option in
-            the view or global options block is used as a default. It may
-            also be set in the zone block and, if set there, it will
-            override the global or view setting for that zone.
-          </p>
-
-          <p>
-            IXFR requests to servers that do not support IXFR will
-            automatically
-            fall back to AXFR.  Therefore, there is no need to manually list
-            which servers support IXFR and which ones do not; the global
-            default
-            of <span class="command"><strong>yes</strong></span> should always work.
-            The purpose of the <span class="command"><strong>provide-ixfr</strong></span> and
-            <span class="command"><strong>request-ixfr</strong></span> clauses is
-            to make it possible to disable the use of IXFR even when both
-            master
-            and slave claim to support it, for example if one of the servers
-            is buggy and crashes or corrupts data when IXFR is used.
-          </p>
-
-          <p>
-            The <span class="command"><strong>request-expire</strong></span> clause determines
-            whether the local server, when acting as a slave, will
-            request the EDNS EXPIRE value.  The EDNS EXPIRE value
-            indicates the remaining time before the zone data will
-            expire and need to be be refreshed.  This is used
-            when a secondary server transfers a zone from another
-            secondary server; when transferring from the primary, the
-            expiration timer is set from the EXPIRE field of the SOA
-            record instead.
-            The default is <span class="command"><strong>yes</strong></span>.
-          </p>
-
-          <p>
-            The <span class="command"><strong>edns</strong></span> clause determines whether
-            the local server will attempt to use EDNS when communicating
-            with the remote server.  The default is <span class="command"><strong>yes</strong></span>.
-          </p>
-
-          <p>
-            The <span class="command"><strong>edns-udp-size</strong></span> option sets the
-            EDNS UDP size that is advertised by <span class="command"><strong>named</strong></span>
-            when querying the remote server.  Valid values are 512
-            to 4096 bytes (values outside this range will be silently
-            adjusted to the nearest value within it).  This option
-            is useful when you wish to advertise a different value
-            to this server than the value you advertise globally,
-            for example, when there is a firewall at the remote
-            site that is blocking large replies. (Note: Currently,
-            this sets a single UDP size for all packets sent to the
-            server; <span class="command"><strong>named</strong></span> will not deviate from
-            this value.  This differs from the behavior of
-            <span class="command"><strong>edns-udp-size</strong></span> in <span class="command"><strong>options</strong></span>
-            or <span class="command"><strong>view</strong></span> statements, where it specifies
-            a maximum value. The <span class="command"><strong>server</strong></span> statement
-            behavior may be brought into conformance with the
-            <span class="command"><strong>options/view</strong></span> behavior in future releases.)
-          </p>
-
-          <p>
-            The <span class="command"><strong>edns-version</strong></span> option sets the
-            maximum EDNS VERSION that will be sent to the server(s)
-            by the resolver.  The actual EDNS version sent is still
-            subject to normal EDNS version negotiation rules (see
-            RFC 6891), the maximum EDNS version supported by the
-            server, and any other heuristics that indicate that a
-            lower version should be sent.  This option is intended
-            to be used when a remote server reacts badly to a given
-            EDNS version or higher; it should be set to the highest
-            version the remote server is known to support.  Valid
-            values are 0 to 255; higher values will be silently
-            adjusted.  This option will not be needed until higher
-            EDNS versions than 0 are in use.
-          </p>
-
-          <p>
-            The <span class="command"><strong>max-udp-size</strong></span> option sets the
-            maximum EDNS UDP message size <span class="command"><strong>named</strong></span>
-            will send.  Valid values are 512 to 4096 bytes (values
-            outside this range will be silently adjusted).  This
-            option is useful when you know that there is a firewall
-            that is blocking large replies from <span class="command"><strong>named</strong></span>.
-          </p>
-
-          <p>
-            The <span class="command"><strong>padding</strong></span> option adds EDNS Padding
-            options to outgoing messages, increasing the packet size to
-            a multiple of the specified block size. Valid block sizes
-            range from 0 (the default, which disables the use of
-            EDNS Padding) to 512 bytes.  Larger values will be reduced
-            to 512, with a logged warning.
-            Note: This option is not currently compatible with no TSIG
-            or SIG(0), as the EDNS OPT record containing the padding
-            would have to be added to the packet after it had already
-            been signed.
-          </p>
-
-          <p>
-            The <span class="command"><strong>tcp-only</strong></span> option sets the transport
-            protocol to TCP. The default is to use the UDP transport
-            and to fallback on TCP only when a truncated response
-            is received.
-          </p>
-
-          <p>
-            The <span class="command"><strong>tcp-keepalive</strong></span> option adds EDNS
-            TCP keepalive to messages sent over TCP. Note currently
-            idle timeouts in responses are ignored.
-          </p>
-
-          <p>
-            The server supports two zone transfer methods. The first, <span class="command"><strong>one-answer</strong></span>,
-            uses one DNS message per resource record transferred. <span class="command"><strong>many-answers</strong></span> packs
-            as many resource records as possible into a message. <span class="command"><strong>many-answers</strong></span> is
-            more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
-            8.x, and patched versions of <acronym class="acronym">BIND</acronym>
-            4.9.5. You can specify which method
-            to use for a server with the <span class="command"><strong>transfer-format</strong></span> option.
-            If <span class="command"><strong>transfer-format</strong></span> is not
-            specified, the <span class="command"><strong>transfer-format</strong></span>
-            specified
-            by the <span class="command"><strong>options</strong></span> statement will be
-            used.
-          </p>
-
-          <p><span class="command"><strong>transfers</strong></span>
-            is used to limit the number of concurrent inbound zone
-            transfers from the specified server. If no
-            <span class="command"><strong>transfers</strong></span> clause is specified, the
-            limit is set according to the
-            <span class="command"><strong>transfers-per-ns</strong></span> option.
-          </p>
-
-          <p>
-            The <span class="command"><strong>keys</strong></span> clause identifies a
-            <span class="command"><strong>key_id</strong></span> defined by the <span class="command"><strong>key</strong></span> statement,
-            to be used for transaction security (TSIG, <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-            when talking to the remote server.
-            When a request is sent to the remote server, a request signature
-            will be generated using the key specified here and appended to the
-            message. A request originating from the remote server is not
-            required
-            to be signed by this key.
-          </p>
-
-          <p>
-            Only a single key per server is currently supported.
-          </p>
-
-          <p>
-            The <span class="command"><strong>transfer-source</strong></span> and
-            <span class="command"><strong>transfer-source-v6</strong></span> clauses specify
-            the IPv4 and IPv6 source
-            address to be used for zone transfer with the remote server,
-            respectively.
-            For an IPv4 remote server, only <span class="command"><strong>transfer-source</strong></span> can
-            be specified.
-            Similarly, for an IPv6 remote server, only
-            <span class="command"><strong>transfer-source-v6</strong></span> can be
-            specified.
-            For more details, see the description of
-            <span class="command"><strong>transfer-source</strong></span> and
-            <span class="command"><strong>transfer-source-v6</strong></span> in
-            <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-          </p>
-
-          <p>
-            The <span class="command"><strong>notify-source</strong></span> and
-            <span class="command"><strong>notify-source-v6</strong></span> clauses specify the
-            IPv4 and IPv6 source address to be used for notify
-            messages sent to remote servers, respectively.  For an
-            IPv4 remote server, only <span class="command"><strong>notify-source</strong></span>
-            can be specified.  Similarly, for an IPv6 remote server,
-            only <span class="command"><strong>notify-source-v6</strong></span> can be specified.
-          </p>
-
-          <p>
-            The <span class="command"><strong>query-source</strong></span> and
-            <span class="command"><strong>query-source-v6</strong></span> clauses specify the
-            IPv4 and IPv6 source address to be used for queries
-            sent to remote servers, respectively.  For an IPv4
-            remote server, only <span class="command"><strong>query-source</strong></span> can
-            be specified.  Similarly, for an IPv6 remote server,
-            only <span class="command"><strong>query-source-v6</strong></span> can be specified.
-          </p>
-
-          <p>
-            The <span class="command"><strong>request-nsid</strong></span> clause determines
-            whether the local server will add a NSID EDNS option
-            to requests sent to the server.  This overrides
-            <span class="command"><strong>request-nsid</strong></span> set at the view or
-            option level.
-          </p>
-
-          <p>
-            The <span class="command"><strong>send-cookie</strong></span> clause determines
-            whether the local server will add a COOKIE EDNS option
-            to requests sent to the server.  This overrides
-            <span class="command"><strong>send-cookie</strong></span> set at the view or
-            option level.  The <span class="command"><strong>named</strong></span> server may
-            determine that COOKIE is not supported by the remote server
-            and not add a COOKIE EDNS option to requests.
-          </p>
-        </div>
-
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
-<span class="command"><strong>statistics-channels</strong></span> {
-       <span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
-           * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
-           <span class="command"><strong>allow</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ...
-           } ];
-};
-</pre>
-      </div>
-
-      <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
-            Usage</h3></div></div></div>
-
-        <p>
-          The <span class="command"><strong>statistics-channels</strong></span> statement
-          declares communication channels to be used by system
-          administrators to get access to statistics information of
-          the name server.
-        </p>
-
-        <p>
-          This statement intends to be flexible to support multiple
-          communication protocols in the future, but currently only
-          HTTP access is supported.
-          It requires that BIND 9 be compiled with libxml2 and/or
-          json-c (also known as libjson0); the
-          <span class="command"><strong>statistics-channels</strong></span> statement is
-          still accepted even if it is built without the library,
-          but any HTTP access will fail with an error.
-        </p>
-
-        <p>
-          An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
-          listening at the specified <span class="command"><strong>ip_port</strong></span> on the
-          specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
-          address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code>
-          (asterisk) is
-          interpreted as the IPv4 wildcard address; connections will be
-          accepted on any of the system's IPv4 addresses.
-          To listen on the IPv6 wildcard address,
-          use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
-        </p>
-
-        <p>
-          If no port is specified, port 80 is used for HTTP channels.
-          The asterisk "<code class="literal">*</code>" cannot be used for
-          <span class="command"><strong>ip_port</strong></span>.
-        </p>
-
-        <p>
-          The attempt of opening a statistics channel is
-          restricted by the optional <span class="command"><strong>allow</strong></span> clause.
-          Connections to the statistics channel are permitted based on the
-          <span class="command"><strong>address_match_list</strong></span>.
-          If no <span class="command"><strong>allow</strong></span> clause is present,
-          <span class="command"><strong>named</strong></span> accepts connection
-          attempts from any address; since the statistics may
-          contain sensitive internal information, it is highly
-          recommended to restrict the source of connection requests
-          appropriately.
-        </p>
-
-        <p>
-          If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
-          <span class="command"><strong>named</strong></span> will not open any communication channels.
-        </p>
-
-        <p>
-          The statistics are available in various formats and views
-          depending on the URI used to access them.  For example, if
-          the statistics channel is configured to listen on 127.0.0.1
-          port 8888, then the statistics are accessible in XML format at
-          <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
-          <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
-          included which can format the XML statistics into tables
-          when viewed with a stylesheet-capable browser, and into
-          charts and graphs using the Google Charts API when using a
-          javascript-capable browser.
-        </p>
-
-        <p>
-          Applications that depend on a particular XML schema
-          can request
-          <a class="link" href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2
-          of the statistics XML schema or
-          <a class="link" href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
-          If the requested schema is supported by the server, then
-          it will respond; if not, it will return a "page not found"
-          error.
-        </p>
-
-        <p>
-          Broken-out subsets of the statistics can be viewed at
-          <a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
-          (server uptime and last reconfiguration time),
-          <a class="link" href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a>
-          (server and resolver statistics),
-          <a class="link" href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a>
-          (zone statistics),
-          <a class="link" href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a>
-          (network status and socket statistics),
-          <a class="link" href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a>
-          (memory manager statistics),
-          <a class="link" href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a>
-          (task manager statistics), and
-          <a class="link" href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
-          (traffic sizes).
-        </p>
-
-        <p>
-          The full set of statistics can also be read in JSON format at
-          <a class="link" href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
-          with the broken-out subsets at
-          <a class="link" href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
-          (server uptime and last reconfiguration time),
-          <a class="link" href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
-          (server and resolver statistics),
-          <a class="link" href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a>
-          (zone statistics),
-          <a class="link" href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a>
-          (network status and socket statistics),
-          <a class="link" href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a>
-          (memory manager statistics),
-          <a class="link" href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a>
-          (task manager statistics), and
-          <a class="link" href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
-          (traffic sizes).
-        </p>
-      </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
-<span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
-</pre>
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
-            and Usage</h3></div></div></div>
-
-          <p>
-            The <span class="command"><strong>trusted-keys</strong></span> statement defines
-            DNSSEC security roots. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
-            public key for a non-authoritative zone is known, but
-            cannot be securely obtained through DNS, either because
-            it is the DNS root zone or because its parent zone is
-            unsigned.  Once a key has been configured as a trusted
-            key, it is treated as if it had been validated and
-            proven secure. The resolver attempts DNSSEC validation
-            on all DNS data in subdomains of a security root.
-          </p>
-          <p>
-            All keys (and corresponding zones) listed in
-            <span class="command"><strong>trusted-keys</strong></span> are deemed to exist regardless
-            of what parent zones say.  Similarly for all keys listed in
-            <span class="command"><strong>trusted-keys</strong></span> only those keys are
-            used to validate the DNSKEY RRset.  The parent's DS RRset
-            will not be used.
-          </p>
-          <p>
-            The <span class="command"><strong>trusted-keys</strong></span> statement can contain
-            multiple key entries, each consisting of the key's
-            domain name, flags, protocol, algorithm, and the Base64
-            representation of the key data.
-            Spaces, tabs, newlines and carriage returns are ignored
-            in the key data, so the configuration may be split up into
-            multiple lines.
-          </p>
-          <p>
-            <span class="command"><strong>trusted-keys</strong></span> may be set at the top level
-            of <code class="filename">named.conf</code> or within a view.  If it is
-            set in both places, they are additive: keys defined at the top
-            level are inherited by all views, but keys defined in a view
-            are only used within that view.
-          </p>
-          <p>
-            Validation below specified names can be temporarily disabled
-            by using <span class="command"><strong>rndc nta</strong></span>.
-          </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
-        <pre class="programlisting">
-<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
-</pre>
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
-            and Usage</h3></div></div></div>
-
-          <p>
-            The <span class="command"><strong>managed-keys</strong></span> statement, like
-            <span class="command"><strong>trusted-keys</strong></span>, defines DNSSEC
-            security roots.  The difference is that
-            <span class="command"><strong>managed-keys</strong></span> can be kept up to date
-            automatically, without intervention from the resolver
-            operator.
-          </p>
-          <p>
-            Suppose, for example, that a zone's key-signing
-            key was compromised, and the zone owner had to revoke and
-            replace the key.  A resolver which had the old key in a
-            <span class="command"><strong>trusted-keys</strong></span> statement would be
-            unable to validate this zone any longer; it would
-            reply with a SERVFAIL response code.  This would
-            continue until the resolver operator had updated the
-            <span class="command"><strong>trusted-keys</strong></span> statement with the new key.
-          </p>
-          <p>
-            If, however, the zone were listed in a
-            <span class="command"><strong>managed-keys</strong></span> statement instead, then the
-            zone owner could add a "stand-by" key to the zone in advance.
-            <span class="command"><strong>named</strong></span> would store the stand-by key, and
-            when the original key was revoked, <span class="command"><strong>named</strong></span>
-            would be able to transition smoothly to the new key.  It would
-            also recognize that the old key had been revoked, and cease
-            using that key to validate answers, minimizing the damage that
-            the compromised key could do.
-          </p>
-          <p>
-            A <span class="command"><strong>managed-keys</strong></span> statement contains a list of
-            the keys to be managed, along with information about how the
-            keys are to be initialized for the first time.  The only
-            initialization method currently supported is
-            <code class="literal">initial-key</code>.
-            This means the <span class="command"><strong>managed-keys</strong></span> statement must
-            contain a copy of the initializing key.  (Future releases may
-            allow keys to be initialized by other methods, eliminating this
-            requirement.)
-          </p>
-          <p>
-            Consequently, a <span class="command"><strong>managed-keys</strong></span> statement
-            appears similar to a <span class="command"><strong>trusted-keys</strong></span>, differing
-            in the presence of the second field, containing the keyword
-            <code class="literal">initial-key</code>.  The difference is, whereas the
-            keys listed in a <span class="command"><strong>trusted-keys</strong></span> continue to be
-            trusted until they are removed from
-            <code class="filename">named.conf</code>, an initializing key listed
-            in a <span class="command"><strong>managed-keys</strong></span> statement is only trusted
-            <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
-            managed key database and start the RFC 5011 key maintenance
-            process.
-          </p>
-          <p>
-            The first time <span class="command"><strong>named</strong></span> runs with a managed key
-            configured in <code class="filename">named.conf</code>, it fetches the
-            DNSKEY RRset directly from the zone apex, and validates it
-            using the key specified in the <span class="command"><strong>managed-keys</strong></span>
-            statement.  If the DNSKEY RRset is validly signed, then it is
-            used as the basis for a new managed keys database.
-          </p>
-          <p>
-            From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
-            sees the <span class="command"><strong>managed-keys</strong></span> statement, checks to
-            make sure RFC 5011 key maintenance has already been initialized
-            for the specified domain, and if so, it simply moves on.  The
-            key specified in the <span class="command"><strong>managed-keys</strong></span>
-            statement is not used to validate answers; it has been
-            superseded by the key or keys stored in the managed keys database.
-          </p>
-          <p>
-            The next time <span class="command"><strong>named</strong></span> runs after a name
-            has been <span class="emphasis"><em>removed</em></span> from the
-            <span class="command"><strong>managed-keys</strong></span> statement, the corresponding
-            zone will be removed from the managed keys database,
-            and RFC 5011 key maintenance will no longer be used for that
-            domain.
-          </p>
-          <p>
-            In the current implementation, the managed keys database
-            is stored as a master-format zone file.
-          </p>
-          <p>
-            On servers which do not use views, this file is named
-            <code class="filename">managed-keys.bind</code>.  When views are in
-            use, there will be a separate managed keys database for each
-            view; the filename will be the view name (or, if a view name
-            contains characters which would make it illegal as a filename,
-            a hash of the view name), followed by
-            the suffix <code class="filename">.mkeys</code>.
-          </p>
-          <p>
-            When the key database is changed, the zone is updated.
-            As with any other dynamic zone, changes will be written
-            into a journal file, e.g.,
-            <code class="filename">managed-keys.bind.jnl</code> or
-            <code class="filename">internal.mkeys.jnl</code>.
-            Changes are committed to the master file as soon as
-            possible afterward; this will usually occur within 30
-            seconds.  So, whenever <span class="command"><strong>named</strong></span> is using
-            automatic key maintenance, the zone file and journal file
-            can be expected to exist in the working directory.
-            (For this reason among others, the working directory
-            should be always be writable by <span class="command"><strong>named</strong></span>.)
-          </p>
-          <p>
-            If the <span class="command"><strong>dnssec-validation</strong></span> option is
-            set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span>
-            will automatically initialize a managed key for the
-            root zone.  The key that is used to initialize the key
-            maintenance process is stored in <code class="filename">bind.keys</code>;
-            the location of this file can be overridden with the
-            <span class="command"><strong>bindkeys-file</strong></span> option. As a fallback
-            in the event no <code class="filename">bind.keys</code> can be
-            found, the initializing key is also compiled directly
-            into <span class="command"><strong>named</strong></span>.
-          </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="view_statement_grammar"></a><span class="command"><strong>view</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>view</strong></span> <em class="replaceable"><code>view_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
-    <span class="command"><strong>match-clients {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ;
-    <span class="command"><strong>match-destinations {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ;
-    <span class="command"><strong>match-recursive-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ;
-  [ <em class="replaceable"><code>view_option</code></em> ; ... ]
-  [ <em class="replaceable"><code>zone_statement</code></em> ; ... ]
-<span class="command"><strong>} </strong></span>;
-</pre>
-
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="view_statement"></a><span class="command"><strong>view</strong></span> Statement Definition and Usage</h3></div></div></div>
-
-          <p>
-            The <span class="command"><strong>view</strong></span> statement is a powerful
-            feature
-            of <acronym class="acronym">BIND</acronym> 9 that lets a name server
-            answer a DNS query differently
-            depending on who is asking. It is particularly useful for
-            implementing
-            split DNS setups without having to run multiple servers.
-          </p>
-
-          <p>
-            Each <span class="command"><strong>view</strong></span> statement defines a view
-            of the
-            DNS namespace that will be seen by a subset of clients.  A client
-            matches
-            a view if its source IP address matches the
-            <code class="varname">address_match_list</code> of the view's
-            <span class="command"><strong>match-clients</strong></span> clause and its
-            destination IP address matches
-            the <code class="varname">address_match_list</code> of the
-            view's
-            <span class="command"><strong>match-destinations</strong></span> clause.  If not
-            specified, both
-            <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span>
-            default to matching all addresses.  In addition to checking IP
-            addresses
-            <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span>
-            can also take <span class="command"><strong>keys</strong></span> which provide an
-            mechanism for the
-            client to select the view.  A view can also be specified
-            as <span class="command"><strong>match-recursive-only</strong></span>, which
-            means that only recursive
-            requests from matching clients will match that view.
-            The order of the <span class="command"><strong>view</strong></span> statements is
-            significant &#8212;
-            a client request will be resolved in the context of the first
-            <span class="command"><strong>view</strong></span> that it matches.
-          </p>
-
-          <p>
-            Zones defined within a <span class="command"><strong>view</strong></span>
-            statement will
-            only be accessible to clients that match the <span class="command"><strong>view</strong></span>.
-            By defining a zone of the same name in multiple views, different
-            zone data can be given to different clients, for example,
-            "internal"
-            and "external" clients in a split DNS setup.
-          </p>
-
-          <p>
-            Many of the options given in the <span class="command"><strong>options</strong></span> statement
-            can also be used within a <span class="command"><strong>view</strong></span>
-            statement, and then
-            apply only when resolving queries with that view.  When no
-            view-specific
-            value is given, the value in the <span class="command"><strong>options</strong></span> statement
-            is used as a default.  Also, zone options can have default values
-            specified
-            in the <span class="command"><strong>view</strong></span> statement; these
-            view-specific defaults
-            take precedence over those in the <span class="command"><strong>options</strong></span> statement.
-          </p>
-
-          <p>
-            Views are class specific.  If no class is given, class IN
-            is assumed.  Note that all non-IN views must contain a hint zone,
-            since only the IN class has compiled-in default hints.
-          </p>
-
-          <p>
-            If there are no <span class="command"><strong>view</strong></span> statements in
-            the config
-            file, a default view that matches any client is automatically
-            created
-            in class IN. Any <span class="command"><strong>zone</strong></span> statements
-            specified on
-            the top level of the configuration file are considered to be part
-            of
-            this default view, and the <span class="command"><strong>options</strong></span>
-            statement will
-            apply to the default view. If any explicit <span class="command"><strong>view</strong></span>
-            statements are present, all <span class="command"><strong>zone</strong></span>
-            statements must
-            occur inside <span class="command"><strong>view</strong></span> statements.
-          </p>
-
-          <p>
-            Here is an example of a typical split DNS setup implemented
-            using <span class="command"><strong>view</strong></span> statements:
-          </p>
-
-<pre class="programlisting">view "internal" {
-      // This should match our internal networks.
-      match-clients { 10.0.0.0/8; };
-
-      // Provide recursive service to internal
-      // clients only.
-      recursion yes;
-
-      // Provide a complete view of the example.com
-      // zone including addresses of internal hosts.
-      zone "example.com" {
-            type master;
-            file "example-internal.db";
-      };
-};
-
-view "external" {
-      // Match all clients not matched by the
-      // previous view.
-      match-clients { any; };
-
-      // Refuse recursive service to external clients.
-      recursion no;
-
-      // Provide a restricted view of the example.com
-      // zone containing only publicly accessible hosts.
-      zone "example.com" {
-           type master;
-           file "example-external.db";
-      };
-};
-</pre>
-
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zone_statement_grammar"></a><span class="command"><strong>zone</strong></span>
-            Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting">
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
-       <span class="command"><strong>type</strong></span> ( master | primary );
-       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-transfer</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-update</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>also-notify</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
-       <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>auto-dnssec</strong></span> ( allow | maintain | off );
-       <span class="command"><strong>check-dup-records</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>check-mx</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>check-mx-cname</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>check-sibling</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>check-spf</strong></span> ( warn | ignore );
-       <span class="command"><strong>check-srv-cname</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
-       <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>forward</strong></span> ( first | only );
-       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
-       <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>journal</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
-       <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
-       <span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
-       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
-       <span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>serial-update-method</strong></span> ( date | increment | unixtime );
-       <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>update-policy</strong></span> ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self | external | krb5-self | krb5-subdomain | ms-self | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <em class="replaceable"><code>string</code></em> ] <em class="replaceable"><code>rrtypelist</code></em>; ... };
-       <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
-};
-</pre>
-<pre class="programlisting">
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
-       <span class="command"><strong>type</strong></span> ( slave | secondary );
-       <span class="command"><strong>allow-notify</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-transfer</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-update-forwarding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>also-notify</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
-       <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>auto-dnssec</strong></span> ( allow | maintain | off );
-       <span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
-       <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>forward</strong></span> ( first | only );
-       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
-       <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>journal</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
-       <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
-       <span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
-       <span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
-       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
-};
-</pre>
-<pre class="programlisting">
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
-       <span class="command"><strong>type</strong></span> hint;
-       <span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-};
-</pre>
-<pre class="programlisting">
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
-       <span class="command"><strong>type</strong></span> stub;
-       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
-       <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
-       <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>forward</strong></span> ( first | only );
-       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
-       <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
-       <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
-       <span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
-       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
-       <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
-};
-</pre>
-<pre class="programlisting">
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
-       <span class="command"><strong>type</strong></span> static-stub;
-       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>forward</strong></span> ( first | only );
-       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
-       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>server-addresses</strong></span> { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ]; ... };
-       <span class="command"><strong>server-names</strong></span> { <em class="replaceable"><code>quoted_string</code></em>; ... };
-       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
-};
-</pre>
-<pre class="programlisting">
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
-       <span class="command"><strong>type</strong></span> forward;
-       <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>boolean</code></em>;
-       <span class="command"><strong>forward</strong></span> ( first | only );
-       <span class="command"><strong>forwarders</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ]; ... };
-};
-</pre>
-<pre class="programlisting">
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
-       <span class="command"><strong>type</strong></span> redirect;
-       <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
-       <span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
-       <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
-       <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
-       <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
-       <span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
-       <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
-       <span class="command"><strong>max-zone-ttl</strong></span> ( unlimited | <em class="replaceable"><code>ttlval</code></em> );
-       <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
-};
-</pre>
-<pre class="programlisting">
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
-       <span class="command"><strong>type</strong></span> delegation-only;
-};
-</pre>
-<pre class="programlisting">
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
-       <span class="command"><strong>in-view</strong></span> <em class="replaceable"><code>string</code></em>;
-};
-</pre>
-
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zone_statement"></a><span class="command"><strong>zone</strong></span> Statement Definition and Usage</h3></div></div></div>
-
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_types"></a>Zone Types</h4></div></div></div>
-            <p>
-              The <span class="command"><strong>type</strong></span> keyword is required
-              for the <span class="command"><strong>zone</strong></span> configuration unless
-              it is an <span class="command"><strong>in-view</strong></span> configuration. Its
-              acceptable values include:
-              <code class="varname">master</code> (or <code class="varname">primary</code>),
-              <code class="varname">slave</code> (or <code class="varname">secondary</code>),
-              <code class="varname">delegation-only</code>,
-              <code class="varname">forward</code>,
-              <code class="varname">hint</code>,
-              <code class="varname">redirect</code>,
-              <code class="varname">static-stub</code>,
-              and <code class="varname">stub</code>.
-            </p>
-
-            <div class="informaltable">
-              <table border="1">
-<colgroup>
-<col class="1">
-<col width="4.017in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">master</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The server has a master copy of the data
-                        for the zone and will be able to provide authoritative
-                        answers for it. Type <code class="varname">primary</code> is
-                        a synonym for <code class="varname">master</code>.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">slave</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A slave zone is a replica of a master
-                        zone. Type <code class="varname">secondary</code> is a
-                        synonym for <code class="varname">slave</code>.
-                        The <span class="command"><strong>masters</strong></span> list
-                        specifies one or more IP addresses
-                        of master servers that the slave contacts to update
-                        its copy of the zone.
-                        Masters list elements can also be names of other
-                        masters lists.
-                        By default, transfers are made from port 53 on the
-                        servers; this can
-                        be changed for all servers by specifying a port number
-                        before the
-                        list of IP addresses, or on a per-server basis after
-                        the IP address.
-                        Authentication to the master can also be done with
-                        per-server TSIG keys.
-                        If a file is specified, then the
-                        replica will be written to this file whenever the zone
-                        is changed,
-                        and reloaded from this file on a server restart. Use
-                        of a file is
-                        recommended, since it often speeds server startup and
-                        eliminates
-                        a needless waste of bandwidth. Note that for large
-                        numbers (in the
-                        tens or hundreds of thousands) of zones per server, it
-                        is best to
-                        use a two-level naming scheme for zone filenames. For
-                        example,
-                        a slave server for the zone <code class="literal">example.com</code> might place
-                        the zone contents into a file called
-                        <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
-                        just the first two letters of the zone name. (Most
-                        operating systems
-                        behave very slowly if you put 100000 files into
-                        a single directory.)
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">stub</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A stub zone is similar to a slave zone,
-                        except that it replicates only the NS records of a
-                        master zone instead
-                        of the entire zone. Stub zones are not a standard part
-                        of the DNS;
-                        they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
-                      </p>
-
-                      <p>
-                        Stub zones can be used to eliminate the need for glue
-                        NS record
-                        in a parent zone at the expense of maintaining a stub
-                        zone entry and
-                        a set of name server addresses in <code class="filename">named.conf</code>.
-                        This usage is not recommended for new configurations,
-                        and BIND 9
-                        supports it only in a limited way.
-                        In <acronym class="acronym">BIND</acronym> 4/8, zone
-                        transfers of a parent zone
-                        included the NS records from stub children of that
-                        zone. This meant
-                        that, in some cases, users could get away with
-                        configuring child stubs
-                        only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
-                        9 never mixes together zone data from different zones
-                        in this
-                        way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
-                        zone has child stub zones configured, all the slave
-                        servers for the
-                        parent zone also need to have the same child stub
-                        zones
-                        configured.
-                      </p>
-
-                      <p>
-                        Stub zones can also be used as a way of forcing the
-                        resolution
-                        of a given domain to use a particular set of
-                        authoritative servers.
-                        For example, the caching name servers on a private
-                        network using
-                        RFC1918 addressing may be configured with stub zones
-                        for
-                        <code class="literal">10.in-addr.arpa</code>
-                        to use a set of internal name servers as the
-                        authoritative
-                        servers for that domain.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">static-stub</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A static-stub zone is similar to a stub zone
-                        with the following exceptions:
-                        the zone data is statically configured, rather
-                        than transferred from a master server;
-                        when recursion is necessary for a query that
-                        matches a static-stub zone, the locally
-                        configured data (nameserver names and glue addresses)
-                        is always used even if different authoritative
-                        information is cached.
-                      </p>
-                      <p>
-                        Zone data is configured via the
-                        <span class="command"><strong>server-addresses</strong></span> and
-                        <span class="command"><strong>server-names</strong></span> zone options.
-                      </p>
-                      <p>
-                        The zone data is maintained in the form of NS
-                        and (if necessary) glue A or AAAA RRs
-                        internally, which can be seen by dumping zone
-                        databases by <span class="command"><strong>rndc dumpdb -all</strong></span>.
-                        The configured RRs are considered local configuration
-                        parameters rather than public data.
-                        Non recursive queries (i.e., those with the RD
-                        bit off) to a static-stub zone are therefore
-                        prohibited and will be responded with REFUSED.
-                      </p>
-                      <p>
-                        Since the data is statically configured, no
-                        zone maintenance action takes place for a static-stub
-                        zone.
-                        For example, there is no periodic refresh
-                        attempt, and an incoming notify message
-                        will be rejected with an rcode of NOTAUTH.
-                      </p>
-                      <p>
-                        Each static-stub zone is configured with
-                        internally generated NS and (if necessary)
-                        glue A or AAAA RRs
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">forward</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A "forward zone" is a way to configure
-                        forwarding on a per-domain basis.  A <span class="command"><strong>zone</strong></span> statement
-                        of type <span class="command"><strong>forward</strong></span> can
-                        contain a <span class="command"><strong>forward</strong></span>
-                        and/or <span class="command"><strong>forwarders</strong></span>
-                        statement,
-                        which will apply to queries within the domain given by
-                        the zone
-                        name. If no <span class="command"><strong>forwarders</strong></span>
-                        statement is present or
-                        an empty list for <span class="command"><strong>forwarders</strong></span> is given, then no
-                        forwarding will be done for the domain, canceling the
-                        effects of
-                        any forwarders in the <span class="command"><strong>options</strong></span> statement. Thus
-                        if you want to use this type of zone to change the
-                        behavior of the
-                        global <span class="command"><strong>forward</strong></span> option
-                        (that is, "forward first"
-                        to, then "forward only", or vice versa, but want to
-                        use the same
-                        servers as set globally) you need to re-specify the
-                        global forwarders.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">hint</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The initial set of root name servers is
-                        specified using a "hint zone". When the server starts
-                        up, it uses
-                        the root hints to find a root name server and get the
-                        most recent
-                        list of root name servers. If no hint zone is
-                        specified for class
-                        IN, the server uses a compiled-in default set of root
-                        servers hints.
-                        Classes other than IN have no built-in defaults hints.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">redirect</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Redirect zones are used to provide answers to
-                        queries when normal resolution would result in
-                        NXDOMAIN being returned.
-                        Only one redirect zone is supported
-                        per view.  <span class="command"><strong>allow-query</strong></span> can be
-                        used to restrict which clients see these answers.
-                      </p>
-                      <p>
-                        If the client has requested DNSSEC records (DO=1) and
-                        the NXDOMAIN response is signed then no substitution
-                        will occur.
-                      </p>
-                      <p>
-                        To redirect all NXDOMAIN responses to
-                        100.100.100.2 and
-                        2001:ffff:ffff::100.100.100.2, one would
-                        configure a type redirect zone named ".",
-                        with the zone file containing wildcard records
-                        that point to the desired addresses:
-                        <code class="literal">"*. IN A 100.100.100.2"</code>
-                        and
-                        <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>.
-                      </p>
-                      <p>
-                        To redirect all Spanish names (under .ES) one
-                        would use similar entries but with the names
-                        "*.ES." instead of "*.".  To redirect all
-                        commercial Spanish names (under COM.ES) one
-                        would use wildcard entries called "*.COM.ES.".
-                      </p>
-                      <p>
-                        Note that the redirect zone supports all
-                        possible types; it is not limited to A and
-                        AAAA records.
-                      </p>
-                      <p>
-                        If a redirect zone is configured with a
-                        <code class="option">masters</code> option, then it is
-                        transfered in as if it were a slave zone.
-                        Otherwise, it is loaded from a file as if it
-                        were a master zone.
-                      </p>
-                      <p>
-                        Because redirect zones are not referenced
-                        directly by name, they are not kept in the
-                        zone lookup table with normal master and slave
-                        zones. To reload a redirect zone, use
-                        <span class="command"><strong>rndc reload -redirect</strong></span>,
-                        and to retransfer a redirect zone configured
-                        as slave, use
-                        <span class="command"><strong>rndc retransfer -redirect</strong></span>.
-                        When using <span class="command"><strong>rndc reload</strong></span>
-                        without specifying a zone name, redirect zones
-                        will be reloaded along with other zones.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">delegation-only</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This is used to enforce the delegation-only
-                        status of infrastructure zones (e.g. COM,
-                        NET, ORG).  Any answer that is received
-                        without an explicit or implicit delegation
-                        in the authority section will be treated
-                        as NXDOMAIN.  This does not apply to the
-                        zone apex.  This should not be applied to
-                        leaf zones.
-                      </p>
-                      <p>
-                        <code class="varname">delegation-only</code> has no
-                        effect on answers received from forwarders.
-                      </p>
-                      <p>
-                        See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-          </div>
-
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="class"></a>Class</h4></div></div></div>
-
-            <p>
-              The zone's name may optionally be followed by a class. If
-              a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
-              is assumed. This is correct for the vast majority of cases.
-            </p>
-            <p>
-              The <code class="literal">hesiod</code> class is
-              named for an information service from MIT's Project Athena. It
-              is
-              used to share information about various systems databases, such
-              as users, groups, printers and so on. The keyword
-              <code class="literal">HS</code> is
-              a synonym for hesiod.
-            </p>
-            <p>
-              Another MIT development is Chaosnet, a LAN protocol created
-              in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
-            </p>
-          </div>
-
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_options"></a>Zone Options</h4></div></div></div>
-
-            <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>allow-notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>allow-query</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>allow-query-on</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of <span class="command"><strong>allow-transfer</strong></span>
-                    in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of <span class="command"><strong>allow-update</strong></span>
-                    in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>update-policy</strong></span></span></dt>
-<dd>
-                  <p>
-                    Specifies a "Simple Secure Update" policy. See
-                    <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of <span class="command"><strong>allow-update-forwarding</strong></span>
-                    in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt>
-<dd>
-                  <p>
-                    Only meaningful if <span class="command"><strong>notify</strong></span>
-                    is
-                    active for this zone. The set of machines that will
-                    receive a
-                    <code class="literal">DNS NOTIFY</code> message
-                    for this zone is made up of all the listed name servers
-                    (other than
-                    the primary master) for the zone plus any IP addresses
-                    specified
-                    with <span class="command"><strong>also-notify</strong></span>. A port
-                    may be specified
-                    with each <span class="command"><strong>also-notify</strong></span>
-                    address to send the notify
-                    messages to a port other than the default of 53.
-                    A TSIG key may also be specified to cause the
-                    <code class="literal">NOTIFY</code> to be signed by the
-                    given key.
-                    <span class="command"><strong>also-notify</strong></span> is not
-                    meaningful for stub zones.
-                    The default is the empty list.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
-<dd>
-                  <p>
-                    This option is used to restrict the character set and
-                    syntax of
-                    certain domain names in master files and/or DNS responses
-                    received from the
-                    network.  The default varies according to zone type.  For <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>.  For <span class="command"><strong>slave</strong></span>
-                    zones the default is <span class="command"><strong>warn</strong></span>.
-                    It is not implemented for <span class="command"><strong>hint</strong></span> zones.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>check-mx</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>check-spf</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>check-wildcard</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>check-integrity</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>check-sibling</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>zero-no-soa-ttl</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>update-check-ksk</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>dnssec-loadkeys-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
-          Usage&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>dnssec-update-mode</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
-          Usage&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>try-tcp-refresh</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>database</strong></span></span></dt>
-<dd>
-                  <p>
-                    Specify the type of database to be used for storing the
-                    zone data.  The string following the <span class="command"><strong>database</strong></span> keyword
-                    is interpreted as a list of whitespace-delimited words.
-                    The first word
-                    identifies the database type, and any subsequent words are
-                    passed
-                    as arguments to the database to be interpreted in a way
-                    specific
-                    to the database type.
-                  </p>
-                  <p>
-                    The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
-                    native in-memory
-                    red-black-tree database.  This database does not take
-                    arguments.
-                  </p>
-                  <p>
-                    Other values are possible if additional database drivers
-                    have been linked into the server.  Some sample drivers are
-                    included
-                    with the distribution but none are linked in by default.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>dialup</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>delegation-only</strong></span></span></dt>
-<dd>
-                  <p>
-                    The flag only applies to forward, hint and stub
-                    zones.  If set to <strong class="userinput"><code>yes</code></strong>,
-                    then the zone will also be treated as if it is
-                    also a delegation-only type zone.
-                  </p>
-                  <p>
-                    See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>file</strong></span></span></dt>
-<dd>
-                  <p>
-                    Set the zone's filename. In <span class="command"><strong>master</strong></span>,
-                    <span class="command"><strong>hint</strong></span>, and <span class="command"><strong>redirect</strong></span>
-                    zones which do not have <span class="command"><strong>masters</strong></span>
-                    defined, zone data is loaded from this file. In
-                    <span class="command"><strong>slave</strong></span>, <span class="command"><strong>stub</strong></span>, and
-                    <span class="command"><strong>redirect</strong></span> zones which do have
-                    <span class="command"><strong>masters</strong></span> defined, zone data is
-                    retrieved from another server and saved in this file.
-                    This option is not applicable to other zone types.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
-<dd>
-                  <p>
-                    Only meaningful if the zone has a forwarders
-                    list. The <span class="command"><strong>only</strong></span> value causes
-                    the lookup to fail
-                    after trying the forwarders and getting no answer, while <span class="command"><strong>first</strong></span> would
-                    allow a normal lookup to be tried.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
-<dd>
-                  <p>
-                    Used to override the list of global forwarders.
-                    If it is not specified in a zone of type <span class="command"><strong>forward</strong></span>,
-                    no forwarding is done for the zone and the global options are
-                    not used.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>ixfr-base</strong></span></span></dt>
-<dd>
-                  <p>
-                    Was used in <acronym class="acronym">BIND</acronym> 8 to
-                    specify the name
-                    of the transaction log (journal) file for dynamic update
-                    and IXFR.
-                    <acronym class="acronym">BIND</acronym> 9 ignores the option
-                    and constructs the name of the journal
-                    file by appending "<code class="filename">.jnl</code>"
-                    to the name of the
-                    zone file.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>ixfr-tmp-file</strong></span></span></dt>
-<dd>
-                  <p>
-                    Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
-                    Ignored in <acronym class="acronym">BIND</acronym> 9.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>journal</strong></span></span></dt>
-<dd>
-                  <p>
-                    Allow the default journal's filename to be overridden.
-                    The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
-                    This is applicable to <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span> zones.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>max-journal-size</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>max-records</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>max-records</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>max-transfer-time-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>max-transfer-idle-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>max-transfer-time-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>max-transfer-idle-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>notify-delay</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>notify-to-soa</strong></span> in
-                    <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>pubkey</strong></span></span></dt>
-<dd>
-                  <p>
-                    In <acronym class="acronym">BIND</acronym> 8, this option was
-                    intended for specifying
-                    a public zone key for verification of signatures in DNSSEC
-                    signed
-                    zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
-                    on load and ignores the option.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>zone-statistics</strong></span> in
-                    <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
-          Usage&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>server-addresses</strong></span></span></dt>
-<dd>
-                  <p>
-                    Only meaningful for static-stub zones.
-                    This is a list of IP addresses to which queries
-                    should be sent in recursive resolution for the
-                    zone.
-                    A non empty list for this option will internally
-                    configure the apex NS RR with associated glue A or
-                    AAAA RRs.
-                  </p>
-                  <p>
-                    For example, if "example.com" is configured as a
-                    static-stub zone with 192.0.2.1 and 2001:db8::1234
-                    in a <span class="command"><strong>server-addresses</strong></span> option,
-                    the following RRs will be internally configured.
-                  </p>
-<pre class="programlisting">example.com. NS example.com.
-example.com. A 192.0.2.1
-example.com. AAAA 2001:db8::1234</pre>
-                  <p>
-                    These records are internally used to resolve
-                    names under the static-stub zone.
-                    For instance, if the server receives a query for
-                    "www.example.com" with the RD bit on, the server
-                    will initiate recursive resolution and send
-                    queries to 192.0.2.1 and/or 2001:db8::1234.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>server-names</strong></span></span></dt>
-<dd>
-                  <p>
-                    Only meaningful for static-stub zones.
-                    This is a list of domain names of nameservers that
-                    act as authoritative servers of the static-stub
-                    zone.
-                    These names will be resolved to IP addresses when
-                    <span class="command"><strong>named</strong></span> needs to send queries to
-                    these servers.
-                    To make this supplemental resolution successful,
-                    these names must not be a subdomain of the origin
-                    name of static-stub zone.
-                    That is, when "example.net" is the origin of a
-                    static-stub zone, "ns.example" and
-                    "master.example.com" can be specified in the
-                    <span class="command"><strong>server-names</strong></span> option, but
-                    "ns.example.net" cannot, and will be rejected by
-                    the configuration parser.
-                  </p>
-                  <p>
-                    A non empty list for this option will internally
-                    configure the apex NS RR with the specified names.
-                    For example, if "example.com" is configured as a
-                    static-stub zone with "ns1.example.net" and
-                    "ns2.example.net"
-                    in a <span class="command"><strong>server-names</strong></span> option,
-                    the following RRs will be internally configured.
-                  </p>
-<pre class="programlisting">example.com. NS ns1.example.net.
-example.com. NS ns2.example.net.
-</pre>
-                  <p>
-                    These records are internally used to resolve
-                    names under the static-stub zone.
-                    For instance, if the server receives a query for
-                    "www.example.com" with the RD bit on, the server
-                    initiate recursive resolution,
-                    resolve "ns1.example.net" and/or
-                    "ns2.example.net" to IP addresses, and then send
-                    queries to (one or more of) these addresses.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>sig-validity-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>sig-signing-nodes</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>sig-signing-signatures</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>sig-signing-type</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>alt-transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>use-alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>notify-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>notify-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p>
-                </dd>
-<dt>
-<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span>
-</dt>
-<dd>
-                  <p>
-                    See the description in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>ixfr-from-differences</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                    (Note that the <span class="command"><strong>ixfr-from-differences</strong></span>
-                    <strong class="userinput"><code>master</code></strong> and
-                    <strong class="userinput"><code>slave</code></strong> choices are not
-                    available at the zone level.)
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>key-directory</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
-          Usage&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>auto-dnssec</strong></span> in
-                    <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
-          Usage&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>serial-update-method</strong></span> in
-                    <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
-          Usage&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>inline-signing</strong></span></span></dt>
-<dd>
-                  <p>
-                    If <code class="literal">yes</code>, this enables
-                    "bump in the wire" signing of a zone, where a
-                    unsigned zone is transferred in or loaded from
-                    disk and a signed version of the zone is served,
-                    with possibly, a different serial number.  This
-                    behavior is disabled by default.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of <span class="command"><strong>multi-master</strong></span> in
-                    <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of <span class="command"><strong>masterfile-format</strong></span>
-                    in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of <span class="command"><strong>max-zone-ttl</strong></span>
-                    in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
-          Usage&#8221;</a>.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt>
-<dd>
-                  <p>
-                    See the description of
-                    <span class="command"><strong>dnssec-secure-to-insecure</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p>
-                </dd>
-</dl></div>
-
-          </div>
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-
-            <p><acronym class="acronym">BIND</acronym> 9 supports two alternative
-              methods of granting clients the right to perform
-              dynamic updates to a zone, configured by the
-              <span class="command"><strong>allow-update</strong></span> and
-              <span class="command"><strong>update-policy</strong></span> option, respectively.
-            </p>
-            <p>
-              The <span class="command"><strong>allow-update</strong></span> clause works the
-              same way as in previous versions of <acronym class="acronym">BIND</acronym>.
-              It grants given clients the permission to update any
-              record of any name in the zone.
-            </p>
-            <p>
-              The <span class="command"><strong>update-policy</strong></span> clause
-              allows more fine-grained control over what updates are
-              allowed.  A set of rules is specified, where each rule
-              either grants or denies permissions for one or more
-              names to be updated by one or more identities.  If
-              the dynamic update request message is signed (that is,
-              it includes either a TSIG or SIG(0) record), the
-              identity of the signer can be determined.
-            </p>
-            <p>
-              Rules are specified in the <span class="command"><strong>update-policy</strong></span>
-              zone option, and are only meaningful for master zones.
-              When the <span class="command"><strong>update-policy</strong></span> statement
-              is present, it is a configuration error for the
-              <span class="command"><strong>allow-update</strong></span> statement to be
-              present.  The <span class="command"><strong>update-policy</strong></span> statement
-              (except when set to <code class="literal">local</code>) only
-              examines the signer of a message; the source
-              address is not relevant.
-            </p>
-            <p>
-              A pre-defined <span class="command"><strong>update-policy</strong></span> rule can be
-              switched on with the command
-              <span class="command"><strong>update-policy local;</strong></span>.
-              Switching on this rule in a zone causes
-              <span class="command"><strong>named</strong></span> to generate a TSIG session key and
-              place it in a file. That key will then be allowed to update
-              the zone, if the update request is sent from localhost.
-              By default, the session key is stored in the file
-              <code class="filename">/var/run/named/session.key</code>; the key name
-              is "local-ddns" and the key algorithm is HMAC-SHA256.
-              These values are configurable with the
-              <span class="command"><strong>session-keyfile</strong></span>,
-              <span class="command"><strong>session-keyname</strong></span> and
-              <span class="command"><strong>session-keyalg</strong></span> options, respectively).
-            </p>
-            <p>
-              A client on the local system, if it is run with appropriate
-              permissions, may read the session key from the key file and
-              use the key to sign update requests.  The zone's update
-              policy will be set to allow that key to change any record
-              within the zone.  Assuming the key name is "local-ddns",
-              this policy is:
-            </p>
-
-            <pre class="programlisting">update-policy { grant local-ddns zonesub any; };
-            </pre>
-
-            <p>
-              ...with an additional restriction that only clients
-              connecting from the local system will be permitted to send
-              updates.
-            </p>
-            <p>
-              Note that only one session key is generated; all zones
-              configured to use <span class="command"><strong>update-policy local</strong></span>
-              will accept the same key.
-            </p>
-            <p>
-              The command <span class="command"><strong>nsupdate -l</strong></span> implements this
-              feature, sending requests to localhost and signing them using
-              the key retrieved from the session key file.
-            </p>
-
-            <p>
-              Other rule definitions look like this:
-            </p>
-
-<pre class="programlisting">
-( <span class="command"><strong>grant</strong></span> | <span class="command"><strong>deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
-</pre>
-
-            <p>
-              Each rule grants or denies privileges.  Once a message has
-              successfully matched a rule, the operation is immediately
-              granted or denied and no further rules are examined.  A rule
-              is matched when the signer matches the identity field, the
-              name matches the name field in accordance with the nametype
-              field, and the type matches the types specified in the type
-              field.
-            </p>
-            <p>
-              No signer is required for <em class="replaceable"><code>tcp-self</code></em>
-              or <em class="replaceable"><code>6to4-self</code></em> however the standard
-              reverse mapping / prefix conversion must match the identity
-              field.
-            </p>
-            <p>
-              The identity field specifies a name or a wildcard
-              name.  Normally, this is the name of the TSIG or
-              SIG(0) key used to sign the update request.  When a
-              TKEY exchange has been used to create a shared secret,
-              the identity of the shared secret is the same as the
-              identity of the key used to authenticate the TKEY
-              exchange.  TKEY is also the negotiation method used
-              by GSS-TSIG, which establishes an identity that is
-              the Kerberos principal of the client, such as
-              <strong class="userinput"><code>"user@host.domain"</code></strong>.  When the
-              <em class="replaceable"><code>identity</code></em> field specifies
-              a wildcard name, it is subject to DNS wildcard
-              expansion, so the rule will apply to multiple identities.
-              The <em class="replaceable"><code>identity</code></em> field must
-              contain a fully-qualified domain name.
-            </p>
-            <p>
-              For nametypes <code class="varname">krb5-self</code>,
-              <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
-              and <code class="varname">ms-subdomain</code> the
-              <em class="replaceable"><code>identity</code></em> field specifies
-              the Windows or Kerberos realm of the machine belongs to.
-            </p>
-            <p>
-              The <em class="replaceable"><code>nametype</code></em> field has 13
-              values:
-              <code class="varname">name</code>, <code class="varname">subdomain</code>,
-              <code class="varname">wildcard</code>, <code class="varname">self</code>,
-              <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
-              <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
-              <code class="varname">krb5-subdomain</code>,
-              <code class="varname">ms-subdomain</code>,
-              <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
-              <code class="varname">zonesub</code>, and <code class="varname">external</code>.
-            </p>
-            <div class="informaltable">
-              <table border="1">
-<colgroup>
-<col width="0.819in" class="1">
-<col width="3.681in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">name</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Exact-match semantics.  This rule matches
-                        when the name being updated is identical
-                        to the contents of the
-                        <em class="replaceable"><code>name</code></em> field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">subdomain</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule matches when the name being updated
-                        is a subdomain of, or identical to, the
-                        contents of the <em class="replaceable"><code>name</code></em>
-                        field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">zonesub</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule is similar to subdomain, except that
-                        it matches when the name being updated is a
-                        subdomain of the zone in which the
-                        <span class="command"><strong>update-policy</strong></span> statement
-                        appears.  This obviates the need to type the zone
-                        name twice, and enables the use of a standard
-                        <span class="command"><strong>update-policy</strong></span> statement in
-                        multiple zones without modification.
-                      </p>
-                      <p>
-                        When this rule is used, the
-                        <em class="replaceable"><code>name</code></em> field is omitted.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">wildcard</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The <em class="replaceable"><code>name</code></em> field
-                        is subject to DNS wildcard expansion, and
-                        this rule matches when the name being updated
-                        is a valid expansion of the wildcard.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">self</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule matches when the name being updated
-                        matches the contents of the
-                        <em class="replaceable"><code>identity</code></em> field.
-                        The <em class="replaceable"><code>name</code></em> field
-                        is ignored, but should be the same as the
-                        <em class="replaceable"><code>identity</code></em> field.
-                        The <code class="varname">self</code> nametype is
-                        most useful when allowing using one key per
-                        name to update, where the key has the same
-                        name as the name to be updated.  The
-                        <em class="replaceable"><code>identity</code></em> would
-                        be specified as <code class="constant">*</code> (an asterisk) in
-                        this case.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">selfsub</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule is similar to <code class="varname">self</code>
-                        except that subdomains of <code class="varname">self</code>
-                        can also be updated.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">selfwild</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule is similar to <code class="varname">self</code>
-                        except that only subdomains of
-                        <code class="varname">self</code> can be updated.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">ms-self</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule takes a Windows machine principal
-                        (machine$@REALM) for machine in REALM and
-                        and converts it machine.realm allowing the machine
-                        to update machine.realm.  The REALM to be matched
-                        is specified in the <em class="replaceable"><code>identity</code></em>
-                        field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">ms-subdomain</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule takes a Windows machine principal
-                        (machine$@REALM) for machine in REALM and
-                        converts it to machine.realm allowing the machine
-                        to update subdomains of machine.realm.  The REALM
-                        to be matched is specified in the
-                        <em class="replaceable"><code>identity</code></em> field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">krb5-self</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule takes a Kerberos machine principal
-                        (host/machine@REALM) for machine in REALM and
-                        and converts it machine.realm allowing the machine
-                        to update machine.realm.  The REALM to be matched
-                        is specified in the <em class="replaceable"><code>identity</code></em>
-                        field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">krb5-subdomain</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule takes a Kerberos machine principal
-                        (host/machine@REALM) for machine in REALM and
-                        converts it to machine.realm allowing the machine
-                        to update subdomains of machine.realm.  The REALM
-                        to be matched is specified in the
-                        <em class="replaceable"><code>identity</code></em> field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">tcp-self</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Allow updates that have been sent via TCP and
-                        for which the standard mapping from the initiating
-                        IP address into the IN-ADDR.ARPA and IP6.ARPA
-                        namespaces match the name to be updated.
-                      </p>
-                      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                        It is theoretically possible to spoof these TCP
-                        sessions.
-                      </div>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">6to4-self</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Allow the 6to4 prefix to be update by any TCP
-                        connection from the 6to4 network or from the
-                        corresponding IPv4 address.  This is intended
-                        to allow NS or DNAME RRsets to be added to the
-                        reverse tree.
-                      </p>
-                      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                        It is theoretically possible to spoof these TCP
-                        sessions.
-                      </div>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">external</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule allows <span class="command"><strong>named</strong></span>
-                        to defer the decision of whether to allow a
-                        given update to an external daemon.
-                      </p>
-                      <p>
-                        The method of communicating with the daemon is
-                        specified in the <em class="replaceable"><code>identity</code></em>
-                        field, the format of which is
-                        "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
-                        where <em class="replaceable"><code>path</code></em> is the location
-                        of a UNIX-domain socket.  (Currently, "local" is the
-                        only supported mechanism.)
-                      </p>
-                      <p>
-                        Requests to the external daemon are sent over the
-                        UNIX-domain socket as datagrams with the following
-                        format:
-                      </p>
-                      <pre class="programlisting">
-   Protocol version number (4 bytes, network byte order, currently 1)
-   Request length (4 bytes, network byte order)
-   Signer (null-terminated string)
-   Name (null-terminated string)
-   TCP source address (null-terminated string)
-   Rdata type (null-terminated string)
-   Key (null-terminated string)
-   TKEY token length (4 bytes, network byte order)
-   TKEY token (remainder of packet)</pre>
-                      <p>
-                        The daemon replies with a four-byte value in
-                        network byte order, containing either 0 or 1; 0
-                        indicates that the specified update is not
-                        permitted, and 1 indicates that it is.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-
-            <p>
-              In all cases, the <em class="replaceable"><code>name</code></em>
-              field must specify a fully-qualified domain name.
-            </p>
-
-            <p>
-              If no types are explicitly specified, this rule matches
-              all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
-              may be specified by name, including "ANY" (ANY matches
-              all types except NSEC and NSEC3, which can never be
-              updated).  Note that when an attempt is made to delete
-              all records associated with a name, the rules are
-              checked for each existing record type.
-            </p>
-          </div>
-
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="multiple_views"></a>Multiple views</h4></div></div></div>
-
-            <p>
-              When multiple views are in use, a zone may be
-              referenced by more than one of them. Often, the views
-              will contain different zones with the same name, allowing
-              different clients to receive different answers for the same
-              queries. At times, however, it is desirable for multiple
-              views to contain identical zones.  The
-              <span class="command"><strong>in-view</strong></span> zone option provides an efficient
-              way to do this: it allows a view to reference a zone that
-              was defined in a previously configured view. Example:
-            </p>
-            <pre class="programlisting">
-view internal {
-    match-clients { 10/8; };
-
-    zone example.com {
-        type master;
-        file "example-external.db";
-    };
-};
-
-view external {
-    match-clients { any; };
-
-    zone example.com {
-        in-view internal;
-    };
-};
-            </pre>
-            <p>
-              An <span class="command"><strong>in-view</strong></span> option cannot refer to a view
-              that is configured later in the configuration file.
-            </p>
-            <p>
-              A <span class="command"><strong>zone</strong></span> statement which uses the
-              <span class="command"><strong>in-view</strong></span> option may not use any other
-              options with the exception of <span class="command"><strong>forward</strong></span>
-              and <span class="command"><strong>forwarders</strong></span>. (These options control
-              the behavior of the containing view, rather than changing
-              the zone object itself.)
-            </p>
-            <p>
-              Zone level acls (e.g. allow-query, allow-transfer) and
-              other configuration details of the zone are all set
-              in the view the referenced zone is defined in.  Care
-              need to be taken to ensure that acls are wide enough
-              for all views referencing the zone.
-            </p>
-            <p>
-              An <span class="command"><strong>in-view</strong></span> zone cannot be used as a
-              response policy zone.
-            </p>
-            <p>
-              An <span class="command"><strong>in-view</strong></span> zone is not intended to reference
-              a <span class="command"><strong>forward</strong></span> zone.
-            </p>
-          </div>
-
-        </div>
-      </div>
-      <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="zone_file"></a>Zone File</h2></div></div></div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
-
-          <p>
-            This section, largely borrowed from RFC 1034, describes the
-            concept of a Resource Record (RR) and explains when each is used.
-            Since the publication of RFC 1034, several new RRs have been
-            identified
-            and implemented in the DNS. These are also included.
-          </p>
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.6.6.2.3"></a>Resource Records</h4></div></div></div>
-
-            <p>
-              A domain name identifies a node.  Each node has a set of
-              resource information, which may be empty.  The set of resource
-              information associated with a particular name is composed of
-              separate RRs. The order of RRs in a set is not significant and
-              need not be preserved by name servers, resolvers, or other
-              parts of the DNS. However, sorting of multiple RRs is
-              permitted for optimization purposes, for example, to specify
-              that a particular nearby server be tried first. See <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a> and <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
-            </p>
-
-            <p>
-              The components of a Resource Record are:
-            </p>
-            <div class="informaltable">
-              <table border="1">
-<colgroup>
-<col width="1.000in" class="1">
-<col width="3.500in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        owner name
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The domain name where the RR is found.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        type
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        An encoded 16-bit value that specifies
-                        the type of the resource record.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TTL
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The time-to-live of the RR. This field
-                        is a 32-bit integer in units of seconds, and is
-                        primarily used by
-                        resolvers when they cache RRs. The TTL describes how
-                        long a RR can
-                        be cached before it should be discarded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        class
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        An encoded 16-bit value that identifies
-                        a protocol family or instance of a protocol.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RDATA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The resource data.  The format of the
-                        data is type (and sometimes class) specific.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-            <p>
-              The following are <span class="emphasis"><em>types</em></span> of valid RRs:
-            </p>
-            <div class="informaltable">
-              <table border="1">
-<colgroup>
-<col width="0.875in" class="1">
-<col width="3.625in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        A
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A host address.  In the IN class, this is a
-                        32-bit IP address.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        AAAA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 address.  Described in RFC 1886.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        A6
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 address.  This can be a partial
-                        address (a suffix) and an indirection to the name
-                        where the rest of the
-                        address (the prefix) can be found.  Experimental.
-                        Described in RFC 2874.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        AFSDB
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Location of AFS database servers.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        APL
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Address prefix list.  Experimental.
-                        Described in RFC 3123.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        ATMA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        ATM Address.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        AVC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Application Visibility and Control record.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CAA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies which Certificate Authorities can issue
-                        certificates for this domain and what rules they
-                        need to follow when doing so. Defined in RFC 6844.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CDNSKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies which DNSKEY records should be published
-                        as DS records in the parent zone.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CDS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains the set of DS records that should be published
-                        by the parent zone.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CERT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds a digital certificate.
-                        Described in RFC 2538.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CNAME
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies the canonical name of an alias.
-                        Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CSYNC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Child-to-Parent Synchronization in DNS as described
-                        in RFC 7477.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DHCID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Is used for identifying which DHCP client is
-                        associated with this name.  Described in RFC 4701.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DLV
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A DNS Look-aside Validation record which contains
-                        the records that are used as trust anchors for
-                        zones in a DLV namespace.  Described in RFC 4431.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DNAME
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Replaces the domain name specified with
-                        another name to be looked up, effectively aliasing an
-                        entire
-                        subtree of the domain name space rather than a single
-                        record
-                        as in the case of the CNAME RR.
-                        Described in RFC 2672.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DNSKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Stores a public key associated with a signed
-                        DNS zone.  Described in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DOA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Implements the Digital Object Architecture over
-                        DNS. Experimental.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Stores the hash of a public key associated with a
-                        signed DNS zone.  Described in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        EID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        End Point Identifier.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        EUI48
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A 48-bit EUI address. Described in RFC 7043.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        EUI64
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A 64-bit EUI address. Described in RFC 7043.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        GID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Reserved.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        GPOS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Specifies the global position.  Superseded by LOC.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        HINFO
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies the CPU and OS used by a host.
-                        Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        HIP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Host Identity Protocol Address.
-                        Described in RFC 5205.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        IPSECKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Provides a method for storing IPsec keying material in
-                        DNS.  Described in RFC 4025.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        ISDN
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Representation of ISDN addresses.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        KEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Stores a public key associated with a
-                        DNS name.  Used in original DNSSEC; replaced
-                        by DNSKEY in DNSSECbis, but still used with
-                        SIG(0).  Described in RFCs 2535 and 2931.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        KX
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies a key exchanger for this
-                        DNS name.  Described in RFC 2230.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        L32
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds 32-bit Locator values for
-                        Identifier-Locator Network Protocol. Described
-                        in RFC 6742.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        L64
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds 64-bit Locator values for
-                        Identifier-Locator Network Protocol. Described
-                        in RFC 6742.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        LOC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        For storing GPS info.  Described in RFC 1876.
-                        Experimental.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        LP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifier-Locator Network Protocol.
-                        Described in RFC 6742.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MB
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Box.  Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MD
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Destination.  Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MF
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Forwarder.  Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MG
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Group.  Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MINFO
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Information.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MR
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Mail Rename. Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MX
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies a mail exchange for the domain with
-                        a 16-bit preference value (lower is better)
-                        followed by the host name of the mail exchange.
-                        Described in RFC 974, RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NAPTR
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Name authority pointer.  Described in RFC 2915.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds values for Node Identifiers in
-                        Identifier-Locator Network Protocol. Described
-                        in RFC 6742.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NINFO
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains zone status information.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NIMLOC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Nimrod Locator.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSAP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A network service access point.
-                        Described in RFC 1706.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSAP-PTR
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The authoritative name server for the
-                        domain.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSEC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSECbis to securely indicate that
-                        RRs with an owner name in a certain name interval do
-                        not exist in
-                        a zone and indicate what RR types are present for an
-                        existing name.
-                        Described in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSEC3
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSECbis to securely indicate that
-                        RRs with an owner name in a certain name
-                        interval do not exist in a zone and indicate
-                        what RR types are present for an existing
-                        name.  NSEC3 differs from NSEC in that it
-                        prevents zone enumeration but is more
-                        computationally expensive on both the server
-                        and the client than NSEC.  Described in RFC
-                        5155.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSEC3PARAM
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSECbis to tell the authoritative
-                        server which NSEC3 chains are available to use.
-                        Described in RFC 5155.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NULL
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This is an opaque container.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NXT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSEC to securely indicate that
-                        RRs with an owner name in a certain name interval do
-                        not exist in
-                        a zone and indicate what RR types are present for an
-                        existing name.
-                        Used in original DNSSEC; replaced by NSEC in
-                        DNSSECbis.
-                        Described in RFC 2535.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        OPENPGPKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used to hold an OPENPGPKEY.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        PTR
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A pointer to another part of the domain
-                        name space.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        PX
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Provides mappings between RFC 822 and X.400
-                        addresses.  Described in RFC 2163.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Resource key.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Information on persons responsible
-                        for the domain.  Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RRSIG
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains DNSSECbis signature data.  Described
-                        in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Route-through binding for hosts that
-                        do not have their own direct wide area network
-                        addresses.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SIG
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains DNSSEC signature data.  Used in
-                        original DNSSEC; replaced by RRSIG in
-                        DNSSECbis, but still used for SIG(0).
-                        Described in RFCs 2535 and 2931.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SINK
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The kitchen sink record.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SMIMEA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The S/MIME Security Certificate Association.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SOA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies the start of a zone of authority.
-                        Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SPF
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains the Sender Policy Framework information
-                        for a given email domain.  Described in RFC 4408.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SRV
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Information about well known network
-                        services (replaces WKS).  Described in RFC 2782.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SSHFP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Provides a way to securely publish a secure shell key's
-                        fingerprint.  Described in RFC 4255.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Trust Anchor. Experimental.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TALINK
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Trust Anchor Link.  Experimental.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TLSA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Transport Layer Security Certificate Association.
-                        Described in RFC 6698.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TXT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Text records.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        UID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Reserved.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        UINFO
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Reserved.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        UNSPEC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Reserved. Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        URI
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds a URI. Described in RFC 7553.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        WKS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Information about which well known
-                        network services, such as SMTP, that a domain
-                        supports. Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        X25
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Representation of X.25 network addresses.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-            <p>
-              The following <span class="emphasis"><em>classes</em></span> of resource records
-              are currently valid in the DNS:
-            </p>
-            <div class="informaltable">
-<table border="1">
-<colgroup>
-<col width="0.875in" class="1">
-<col width="3.625in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        IN
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The Internet.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CH
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Chaosnet, a LAN protocol created at MIT in the
-                        mid-1970s.
-                        Rarely used for its historical purpose, but reused for
-                        BIND's
-                        built-in server information zones, e.g.,
-                        <code class="literal">version.bind</code>.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        HS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Hesiod, an information service
-                        developed by MIT's Project Athena. It is used to share
-                        information
-                        about various systems databases, such as users,
-                        groups, printers
-                        and so on.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-
-            <p>
-              The owner name is often implicit, rather than forming an
-              integral
-              part of the RR.  For example, many name servers internally form
-              tree
-              or hash structures for the name space, and chain RRs off nodes.
-              The remaining RR parts are the fixed header (type, class, TTL)
-              which is consistent for all RRs, and a variable part (RDATA)
-              that
-              fits the needs of the resource being described.
-            </p>
-            <p>
-              The meaning of the TTL field is a time limit on how long an
-              RR can be kept in a cache.  This limit does not apply to
-              authoritative
-              data in zones; it is also timed out, but by the refreshing
-              policies
-              for the zone.  The TTL is assigned by the administrator for the
-              zone where the data originates.  While short TTLs can be used to
-              minimize caching, and a zero TTL prohibits caching, the
-              realities
-              of Internet performance suggest that these times should be on
-              the
-              order of days for the typical host.  If a change can be
-              anticipated,
-              the TTL can be reduced prior to the change to minimize
-              inconsistency
-              during the change, and then increased back to its former value
-              following
-              the change.
-            </p>
-            <p>
-              The data in the RDATA section of RRs is carried as a combination
-              of binary strings and domain names.  The domain names are
-              frequently
-              used as "pointers" to other data in the DNS.
-            </p>
-          </div>
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rr_text"></a>Textual expression of RRs</h4></div></div></div>
-
-            <p>
-              RRs are represented in binary form in the packets of the DNS
-              protocol, and are usually represented in highly encoded form
-              when
-              stored in a name server or resolver.  In the examples provided
-              in
-              RFC 1034, a style similar to that used in master files was
-              employed
-              in order to show the contents of RRs.  In this format, most RRs
-              are shown on a single line, although continuation lines are
-              possible
-              using parentheses.
-            </p>
-            <p>
-              The start of the line gives the owner of the RR.  If a line
-              begins with a blank, then the owner is assumed to be the same as
-              that of the previous RR.  Blank lines are often included for
-              readability.
-            </p>
-            <p>
-              Following the owner, we list the TTL, type, and class of the
-              RR.  Class and type use the mnemonics defined above, and TTL is
-              an integer before the type field.  In order to avoid ambiguity
-              in
-              parsing, type and class mnemonics are disjoint, TTLs are
-              integers,
-              and the type mnemonic is always last. The IN class and TTL
-              values
-              are often omitted from examples in the interests of clarity.
-            </p>
-            <p>
-              The resource data or RDATA section of the RR are given using
-              knowledge of the typical representation for the data.
-            </p>
-            <p>
-              For example, we might show the RRs carried in a message as:
-            </p>
-            <div class="informaltable">
-<table border="1">
-<colgroup>
-<col width="1.381in" class="1">
-<col width="1.020in" class="2">
-<col width="2.099in" class="3">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <code class="literal">ISI.EDU.</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">MX</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">10 VENERA.ISI.EDU.</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p></p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">MX</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">10 VAXA.ISI.EDU</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="literal">VENERA.ISI.EDU</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">128.9.0.32</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p></p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">10.1.0.52</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="literal">VAXA.ISI.EDU</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">10.2.0.27</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p></p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">128.9.0.33</code>
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-            <p>
-              The MX RRs have an RDATA section which consists of a 16-bit
-              number followed by a domain name.  The address RRs use a
-              standard
-              IP address format to contain a 32-bit internet address.
-            </p>
-            <p>
-              The above example shows six RRs, with two RRs at each of three
-              domain names.
-            </p>
-            <p>
-              Similarly we might see:
-            </p>
-            <div class="informaltable">
-<table border="1">
-<colgroup>
-<col width="1.491in" class="1">
-<col width="1.067in" class="2">
-<col width="2.067in" class="3">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <code class="literal">XX.LCS.MIT.EDU.</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">IN A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">10.0.0.44</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td> </td>
-<td>
-                      <p>
-                        <code class="literal">CH A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">MIT.EDU. 2420</code>
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-            <p>
-              This example shows two addresses for
-              <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
-            </p>
-          </div>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="mx_records"></a>Discussion of MX Records</h3></div></div></div>
-
-          <p>
-            As described above, domain servers store information as a
-            series of resource records, each of which contains a particular
-            piece of information about a given domain name (which is usually,
-            but not always, a host). The simplest way to think of a RR is as
-            a typed pair of data, a domain name matched with a relevant datum,
-            and stored with some additional type information to help systems
-            determine when the RR is relevant.
-          </p>
-
-          <p>
-            MX records are used to control delivery of email. The data
-            specified in the record is a priority and a domain name. The
-            priority
-            controls the order in which email delivery is attempted, with the
-            lowest number first. If two priorities are the same, a server is
-            chosen randomly. If no servers at a given priority are responding,
-            the mail transport agent will fall back to the next largest
-            priority.
-            Priority numbers do not have any absolute meaning &#8212; they are
-            relevant
-            only respective to other MX records for that domain name. The
-            domain
-            name given is the machine to which the mail will be delivered.
-            It <span class="emphasis"><em>must</em></span> have an associated address record
-            (A or AAAA) &#8212; CNAME is not sufficient.
-          </p>
-          <p>
-            For a given domain, if there is both a CNAME record and an
-            MX record, the MX record is in error, and will be ignored.
-            Instead,
-            the mail will be delivered to the server specified in the MX
-            record
-            pointed to by the CNAME.
-            For example:
-          </p>
-          <div class="informaltable">
-            <table border="1">
-<colgroup>
-<col width="1.708in" class="1">
-<col width="0.444in" class="2">
-<col width="0.444in" class="3">
-<col width="0.976in" class="4">
-<col width="1.553in" class="5">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p>
-                      <code class="literal">example.com.</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">MX</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">10</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">mail.example.com.</code>
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p></p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">MX</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">10</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">mail2.example.com.</code>
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p></p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">MX</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">20</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">mail.backup.org.</code>
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p>
-                      <code class="literal">mail.example.com.</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">A</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">10.0.0.1</code>
-                    </p>
-                  </td>
-<td>
-                    <p></p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p>
-                      <code class="literal">mail2.example.com.</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">A</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">10.0.0.2</code>
-                    </p>
-                  </td>
-<td>
-                    <p></p>
-                  </td>
-</tr>
-</tbody>
-</table>
-            </div>
-<p>
-            Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
-            <code class="literal">mail2.example.com</code> (in
-            any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
-            be attempted.
-          </p>
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
-
-          <p>
-            The time-to-live of the RR field is a 32-bit integer represented
-            in units of seconds, and is primarily used by resolvers when they
-            cache RRs. The TTL describes how long a RR can be cached before it
-            should be discarded. The following three types of TTL are
-            currently
-            used in a zone file.
-          </p>
-          <div class="informaltable">
-            <table border="1">
-<colgroup>
-<col width="0.750in" class="1">
-<col width="4.375in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p>
-                      SOA
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      The last field in the SOA is the negative
-                      caching TTL. This controls how long other servers will
-                      cache no-such-domain
-                      (NXDOMAIN) responses from you.
-                    </p>
-                    <p>
-                      The maximum time for
-                      negative caching is 3 hours (3h).
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p>
-                      $TTL
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      The $TTL directive at the top of the
-                      zone file (before the SOA) gives a default TTL for every
-                      RR without
-                      a specific TTL set.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p>
-                      RR TTLs
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      Each RR can have a TTL as the second
-                      field in the RR, which will control how long other
-                      servers can cache it.
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table>
-          </div>
-          <p>
-            All of these TTLs default to units of seconds, though units
-            can be explicitly specified, for example, <code class="literal">1h30m</code>.
-          </p>
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="ipv4_reverse"></a>Inverse Mapping in IPv4</h3></div></div></div>
-
-          <p>
-            Reverse name resolution (that is, translation from IP address
-            to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
-            and PTR records. Entries in the in-addr.arpa domain are made in
-            least-to-most significant order, read left to right. This is the
-            opposite order to the way IP addresses are usually written. Thus,
-            a machine with an IP address of 10.1.2.3 would have a
-            corresponding
-            in-addr.arpa name of
-            3.2.1.10.in-addr.arpa. This name should have a PTR resource record
-            whose data field is the name of the machine or, optionally,
-            multiple
-            PTR records if the machine has more than one name. For example,
-            in the [<span class="optional">example.com</span>] domain:
-          </p>
-          <div class="informaltable">
-            <table border="1">
-<colgroup>
-<col width="1.125in" class="1">
-<col width="4.000in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p>
-                      <code class="literal">$ORIGIN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">2.1.10.in-addr.arpa</code>
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p>
-                      <code class="literal">3</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN PTR foo.example.com.</code>
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table>
-          </div>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-            <p>
-              The <span class="command"><strong>$ORIGIN</strong></span> lines in the examples
-              are for providing context to the examples only &#8212; they do not
-              necessarily
-              appear in the actual usage. They are only used here to indicate
-              that the example is relative to the listed origin.
-            </p>
-          </div>
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zone_directives"></a>Other Zone File Directives</h3></div></div></div>
-
-          <p>
-            The Master File Format was initially defined in RFC 1035 and
-            has subsequently been extended. While the Master File Format
-            itself
-            is class independent all records in a Master File must be of the
-            same
-            class.
-          </p>
-          <p>
-            Master File Directives include <span class="command"><strong>$ORIGIN</strong></span>, <span class="command"><strong>$INCLUDE</strong></span>,
-            and <span class="command"><strong>$TTL.</strong></span>
-          </p>
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="atsign"></a>The <span class="command"><strong>@</strong></span> (at-sign)</h4></div></div></div>
-
-            <p>
-              When used in the label (or name) field, the asperand or
-              at-sign (@) symbol represents the current origin.
-              At the start of the zone file, it is the
-              &lt;<code class="varname">zone_name</code>&gt; (followed by
-              trailing dot).
-            </p>
-          </div>
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="origin_directive"></a>The <span class="command"><strong>$ORIGIN</strong></span> Directive</h4></div></div></div>
-
-            <p>
-              Syntax: <span class="command"><strong>$ORIGIN</strong></span>
-              <em class="replaceable"><code>domain-name</code></em>
-              [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
-            </p>
-            <p><span class="command"><strong>$ORIGIN</strong></span>
-              sets the domain name that will be appended to any
-              unqualified records. When a zone is first read in there
-              is an implicit <span class="command"><strong>$ORIGIN</strong></span>
-              &lt;<code class="varname">zone_name</code>&gt;<span class="command"><strong>.</strong></span>
-              (followed by trailing dot).
-              The current <span class="command"><strong>$ORIGIN</strong></span> is appended to
-              the domain specified in the <span class="command"><strong>$ORIGIN</strong></span>
-              argument if it is not absolute.
-            </p>
-
-<pre class="programlisting">
-$ORIGIN example.com.
-WWW     CNAME   MAIN-SERVER
-</pre>
-
-            <p>
-              is equivalent to
-            </p>
-
-<pre class="programlisting">
-WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
-</pre>
-
-          </div>
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="include_directive"></a>The <span class="command"><strong>$INCLUDE</strong></span> Directive</h4></div></div></div>
-
-            <p>
-              Syntax: <span class="command"><strong>$INCLUDE</strong></span>
-              <em class="replaceable"><code>filename</code></em>
-              [<span class="optional">
-<em class="replaceable"><code>origin</code></em> </span>]
-              [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
-            </p>
-            <p>
-              Read and process the file <code class="filename">filename</code> as
-              if it were included into the file at this point.  If <span class="command"><strong>origin</strong></span> is
-              specified the file is processed with <span class="command"><strong>$ORIGIN</strong></span> set
-              to that value, otherwise the current <span class="command"><strong>$ORIGIN</strong></span> is
-              used.
-            </p>
-            <p>
-              The origin and the current domain name
-              revert to the values they had prior to the <span class="command"><strong>$INCLUDE</strong></span> once
-              the file has been read.
-            </p>
-            <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-              <p>
-                RFC 1035 specifies that the current origin should be restored
-                after
-                an <span class="command"><strong>$INCLUDE</strong></span>, but it is silent
-                on whether the current
-                domain name should also be restored.  BIND 9 restores both of
-                them.
-                This could be construed as a deviation from RFC 1035, a
-                feature, or both.
-              </p>
-            </div>
-          </div>
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="ttl_directive"></a>The <span class="command"><strong>$TTL</strong></span> Directive</h4></div></div></div>
-
-            <p>
-              Syntax: <span class="command"><strong>$TTL</strong></span>
-              <em class="replaceable"><code>default-ttl</code></em>
-              [<span class="optional">
-<em class="replaceable"><code>comment</code></em> </span>]
-            </p>
-            <p>
-              Set the default Time To Live (TTL) for subsequent records
-              with undefined TTLs. Valid TTLs are of the range 0-2147483647
-              seconds.
-            </p>
-            <p><span class="command"><strong>$TTL</strong></span>
-               is defined in RFC 2308.
-            </p>
-          </div>
-        </div>
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="generate_directive"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</h3></div></div></div>
-
-          <p>
-            Syntax: <span class="command"><strong>$GENERATE</strong></span>
-            <em class="replaceable"><code>range</code></em>
-            <em class="replaceable"><code>lhs</code></em>
-            [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
-            [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
-            <em class="replaceable"><code>type</code></em>
-            <em class="replaceable"><code>rhs</code></em>
-            [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
-          </p>
-          <p><span class="command"><strong>$GENERATE</strong></span>
-            is used to create a series of resource records that only
-            differ from each other by an
-            iterator. <span class="command"><strong>$GENERATE</strong></span> can be used to
-            easily generate the sets of records required to support
-            sub /24 reverse delegations described in RFC 2317:
-            Classless IN-ADDR.ARPA delegation.
-          </p>
-
-<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
-$GENERATE 1-127 $ CNAME $.0</pre>
-
-          <p>
-            is equivalent to
-          </p>
-
-<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
-0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
-1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
-2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
-...
-127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-</pre>
-
-           <p>
-            Generate a set of A and MX records.  Note the MX's right hand
-            side is a quoted string.  The quotes will be stripped when the
-            right hand side is processed.
-           </p>
-
-<pre class="programlisting">
-$ORIGIN EXAMPLE.
-$GENERATE 1-127 HOST-$ A 1.2.3.$
-$GENERATE 1-127 HOST-$ MX "0 ."</pre>
-
-          <p>
-            is equivalent to
-          </p>
-
-<pre class="programlisting">HOST-1.EXAMPLE.   A  1.2.3.1
-HOST-1.EXAMPLE.   MX 0 .
-HOST-2.EXAMPLE.   A  1.2.3.2
-HOST-2.EXAMPLE.   MX 0 .
-HOST-3.EXAMPLE.   A  1.2.3.3
-HOST-3.EXAMPLE.   MX 0 .
-...
-HOST-127.EXAMPLE. A  1.2.3.127
-HOST-127.EXAMPLE. MX 0 .
-</pre>
-
-          <div class="informaltable">
-            <table border="1">
-<colgroup>
-<col width="0.875in" class="1">
-<col width="4.250in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p><span class="command"><strong>range</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      This can be one of two forms: start-stop
-                      or start-stop/step. If the first form is used, then step
-                      is set to 1. start, stop and step must be positive
-                      integers between 0 and (2^31)-1. start must not be
-                      larger than stop.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span class="command"><strong>lhs</strong></span></p>
-                  </td>
-<td>
-                    <p>This
-                      describes the owner name of the resource records
-                      to be created.  Any single <span class="command"><strong>$</strong></span>
-                      (dollar sign)
-                      symbols within the <span class="command"><strong>lhs</strong></span> string
-                      are replaced by the iterator value.
-
-                      To get a $ in the output, you need to escape the
-                      <span class="command"><strong>$</strong></span> using a backslash
-                      <span class="command"><strong>\</strong></span>,
-                      e.g. <span class="command"><strong>\$</strong></span>. The
-                      <span class="command"><strong>$</strong></span> may optionally be followed
-                      by modifiers which change the offset from the
-                      iterator, field width and base.
-
-                      Modifiers are introduced by a
-                      <span class="command"><strong>{</strong></span> (left brace) immediately following the
-                      <span class="command"><strong>$</strong></span> as
-                      <span class="command"><strong>${offset[,width[,base]]}</strong></span>.
-                      For example, <span class="command"><strong>${-20,3,d}</strong></span>
-                      subtracts 20 from the current value, prints the
-                      result as a decimal in a zero-padded field of
-                      width 3.
-
-                      Available output forms are decimal
-                      (<span class="command"><strong>d</strong></span>), octal
-                      (<span class="command"><strong>o</strong></span>), hexadecimal
-                      (<span class="command"><strong>x</strong></span> or <span class="command"><strong>X</strong></span>
-                      for uppercase) and nibble
-                      (<span class="command"><strong>n</strong></span> or <span class="command"><strong>N</strong></span>\
-                      for uppercase).  The default modifier is
-                      <span class="command"><strong>${0,0,d}</strong></span>.  If the
-                      <span class="command"><strong>lhs</strong></span> is not absolute, the
-                      current <span class="command"><strong>$ORIGIN</strong></span> is appended
-                      to the name.
-                    </p>
-                    <p>
-                      In nibble mode the value will be treated as
-                      if it was a reversed hexadecimal string
-                      with each hexadecimal digit as a separate
-                      label.  The width field includes the label
-                      separator.
-                    </p>
-                    <p>
-                      For compatibility with earlier versions,
-                      <span class="command"><strong>$$</strong></span> is still recognized as
-                      indicating a literal $ in the output.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span class="command"><strong>ttl</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Specifies the time-to-live of the generated records. If
-                      not specified this will be inherited using the
-                      normal TTL inheritance rules.
-                    </p>
-                    <p><span class="command"><strong>class</strong></span>
-                      and <span class="command"><strong>ttl</strong></span> can be
-                      entered in either order.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span class="command"><strong>class</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Specifies the class of the generated records.
-                      This must match the zone class if it is
-                      specified.
-                    </p>
-                    <p><span class="command"><strong>class</strong></span>
-                      and <span class="command"><strong>ttl</strong></span> can be
-                      entered in either order.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span class="command"><strong>type</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Any valid type.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span class="command"><strong>rhs</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      <span class="command"><strong>rhs</strong></span>, optionally, quoted string.
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table>
-          </div>
-          <p>
-            The <span class="command"><strong>$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
-            and not part of the standard zone file format.
-          </p>
-          <p>
-            BIND 8 did not support the optional TTL and CLASS fields.
-          </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
-
-          <p>
-            In addition to the standard textual format, BIND 9
-            supports the ability to read or dump to zone files in
-            other formats.
-          </p>
-          <p>
-            The <code class="constant">raw</code> format is
-            a binary representation of zone data in a manner similar
-            to that used in zone transfers.  Since it does not require
-            parsing text, load time is significantly reduced.
-          </p>
-          <p>
-            An even faster alternative is the <code class="constant">map</code>
-            format, which is an image of a <acronym class="acronym">BIND</acronym> 9
-            in-memory zone database; it is capable of being loaded
-            directly into memory via the <span class="command"><strong>mmap()</strong></span>
-            function; the zone can begin serving queries almost
-            immediately.
-          </p>
-          <p>
-            For a primary server, a zone file in
-            <code class="constant">raw</code> or <code class="constant">map</code>
-            format is expected to be generated from a textual zone
-            file by the <span class="command"><strong>named-compilezone</strong></span> command.
-            For a secondary server or for a dynamic zone, it is automatically
-            generated (if this format is specified by the
-            <span class="command"><strong>masterfile-format</strong></span> option) when
-            <span class="command"><strong>named</strong></span> dumps the zone contents after
-            zone transfer or when applying prior updates.
-          </p>
-          <p>
-            If a zone file in a binary format needs manual modification,
-            it first must be converted to a textual form by the
-            <span class="command"><strong>named-compilezone</strong></span> command.  All
-            necessary modification should go to the text file, which
-            should then be converted to the binary form by the
-            <span class="command"><strong>named-compilezone</strong></span> command again.
-          </p>
-          <p>
-            Note that <span class="command"><strong>map</strong></span> format is extremely
-            architecture-specific.  A <code class="constant">map</code>
-            file <span class="emphasis"><em>cannot</em></span> be used on a system
-            with different pointer size, endianness or data alignment
-            than the system on which it was generated, and should in
-            general be used only inside a single system.
-            While <code class="constant">raw</code> format uses
-            network byte order and avoids architecture-dependent
-            data alignment so that it is as portable as
-            possible, it is also primarily expected to be used
-            inside the same single system.  To export a
-            zone file in either <code class="constant">raw</code> or
-            <code class="constant">map</code> format, or make a
-            portable backup of such a file, conversion to
-            <code class="constant">text</code> format is recommended.
-          </p>
-        </div>
-      </div>
-
-      <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
-
-        <p>
-          <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
-          information and provides several interfaces for users to
-          get access to the statistics.
-          The available statistics include all statistics counters
-          that were available in <acronym class="acronym">BIND</acronym> 8 and
-          are meaningful in <acronym class="acronym">BIND</acronym> 9,
-          and other information that is considered useful.
-        </p>
-
-        <p>
-          The statistics information is categorized into the following
-          sections.
-        </p>
-
-        <div class="informaltable">
-          <table border="1">
-<colgroup>
-<col width="3.300in" class="1">
-<col width="2.625in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                  <p>Incoming Requests</p>
-                </td>
-<td>
-                  <p>
-                    The number of incoming DNS requests for each OPCODE.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Incoming Queries</p>
-                </td>
-<td>
-                  <p>
-                    The number of incoming queries for each RR type.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Outgoing Queries</p>
-                </td>
-<td>
-                  <p>
-                    The number of outgoing queries for each RR
-                    type sent from the internal resolver.
-                    Maintained per view.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Name Server Statistics</p>
-                </td>
-<td>
-                  <p>
-                    Statistics counters about incoming request processing.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Zone Maintenance Statistics</p>
-                </td>
-<td>
-                  <p>
-                    Statistics counters regarding zone maintenance
-                    operations such as zone transfers.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Resolver Statistics</p>
-                </td>
-<td>
-                  <p>
-                    Statistics counters about name resolution
-                    performed in the internal resolver.
-                    Maintained per view.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Cache DB RRsets</p>
-                </td>
-<td>
-                  <p>
-                    The number of RRsets per RR type and nonexistent
-                    names stored in the cache database.
-                    If the exclamation mark (!) is printed for a RR
-                    type, it means that particular type of RRset is
-                    known to be nonexistent (this is also known as
-                    "NXRRSET").  If a hash mark (#) is present then
-                    the RRset is marked for garbage collection.
-                    Maintained per view.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Socket I/O Statistics</p>
-                </td>
-<td>
-                  <p>
-                    Statistics counters about network related events.
-                  </p>
-                </td>
-</tr>
-</tbody>
-</table>
-        </div>
-
-        <p>
-          A subset of Name Server Statistics is collected and shown
-          per zone for which the server has the authority when
-          <span class="command"><strong>zone-statistics</strong></span> is set to
-          <strong class="userinput"><code>full</code></strong> (or <strong class="userinput"><code>yes</code></strong>
-          for backward compatibility. See the description of
-          <span class="command"><strong>zone-statistics</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
-          Usage&#8221;</a>
-          for further details.
-        </p>
-
-        <p>
-          These statistics counters are shown with their zone and
-          view names. The view name is omitted when the server is
-          not configured with explicit views.</p>
-
-        <p>
-          There are currently two user interfaces to get access to the
-          statistics.
-          One is in the plain text format dumped to the file specified
-          by the <span class="command"><strong>statistics-file</strong></span> configuration option.
-          The other is remotely accessible via a statistics channel
-          when the <span class="command"><strong>statistics-channels</strong></span> statement
-          is specified in the configuration file
-          (see <a class="xref" href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called &#8220;<span class="command"><strong>statistics-channels</strong></span> Statement Grammar&#8221;</a>.)
-        </p>
-
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="statsfile"></a>The Statistics File</h3></div></div></div>
-
-          <p>
-            The text format statistics dump begins with a line, like:
-          </p>
-          <p>
-            <span class="command"><strong>+++ Statistics Dump +++ (973798949)</strong></span>
-          </p>
-          <p>
-            The number in parentheses is a standard
-            Unix-style timestamp, measured as seconds since January 1, 1970.
-
-            Following
-            that line is a set of statistics information, which is categorized
-            as described above.
-            Each section begins with a line, like:
-          </p>
-
-          <p>
-            <span class="command"><strong>++ Name Server Statistics ++</strong></span>
-          </p>
-
-          <p>
-            Each section consists of lines, each containing the statistics
-            counter value followed by its textual description.
-            See below for available counters.
-            For brevity, counters that have a value of 0 are not shown
-            in the statistics file.
-          </p>
-
-          <p>
-            The statistics dump ends with the line where the
-            number is identical to the number in the beginning line; for example:
-          </p>
-          <p>
-            <span class="command"><strong>--- Statistics Dump --- (973798949)</strong></span>
-          </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
-
-          <p>
-            The following tables summarize statistics counters that
-            <acronym class="acronym">BIND</acronym> 9 provides.
-            For each row of the tables, the leftmost column is the
-            abbreviated symbol name of that counter.
-            These symbols are shown in the statistics information
-            accessed via an HTTP statistics channel.
-            The rightmost column gives the description of the counter,
-            which is also shown in the statistics file
-            (but, in this document, possibly with slight modification
-            for better readability).
-            Additional notes may also be provided in this column.
-            When a middle column exists between these two columns,
-            it gives the corresponding counter name of the
-            <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
-          </p>
-
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="stats_counters"></a>Name Server Statistics Counters</h4></div></div></div>
-
-            <div class="informaltable">
-              <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="1.150in" class="2">
-<col width="3.350in" class="3">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>BIND8 Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Description</em></span>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Requestv4</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 requests received.
-                        Note: this also counts non query requests.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Requestv6</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 requests received.
-                        Note: this also counts non query requests.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>ReqEdns0</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requests with EDNS(0) received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>ReqBadEDNSVer</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requests with unsupported EDNS version received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>ReqTSIG</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requests with TSIG received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>ReqSIG0</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requests with SIG(0) received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>ReqBadSIG</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requests with invalid (TSIG or SIG(0)) signature.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>ReqTCP</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RTCP</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        TCP requests received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>AuthQryRej</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RUQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Authoritative (non recursive) queries rejected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>RecQryRej</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RURQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Recursive queries rejected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>XfrRej</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RUXFR</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Zone transfer requests rejected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>UpdateRej</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RUUpd</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Dynamic update requests rejected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Response</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>SAns</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Responses sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>RespTruncated</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Truncated responses sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>RespEDNS0</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Responses with EDNS(0) sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>RespTSIG</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Responses with TSIG sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>RespSIG0</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Responses with SIG(0) sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QrySuccess</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in a successful answer.
-                        This means the query which returns a NOERROR response
-                        with at least one answer RR.
-                        This corresponds to the
-                        <span class="command"><strong>success</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryAuthAns</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in authoritative answer.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryNoauthAns</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>SNaAns</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in non authoritative answer.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryReferral</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in referral answer.
-                        This corresponds to the
-                        <span class="command"><strong>referral</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryNxrrset</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in NOERROR responses with no data.
-                        This corresponds to the
-                        <span class="command"><strong>nxrrset</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QrySERVFAIL</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>SFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in SERVFAIL.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryFORMERR</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>SFErr</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in FORMERR.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryNXDOMAIN</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>SNXD</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in NXDOMAIN.
-                        This corresponds to the
-                        <span class="command"><strong>nxdomain</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryRecursion</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RFwdQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries which caused the server
-                        to perform recursion in order to find the final answer.
-                        This corresponds to the
-                        <span class="command"><strong>recursion</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryDuplicate</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RDupQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries which the server attempted to
-                        recurse but discovered an existing query with the same
-                        IP address, port, query ID, name, type and class
-                        already being processed.
-                        This corresponds to the
-                        <span class="command"><strong>duplicate</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryDropped</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Recursive queries for which the server
-                        discovered an excessive number of existing
-                        recursive queries for the same name, type and
-                        class and were subsequently dropped.
-                        This is the number of dropped queries due to
-                        the reason explained with the
-                        <span class="command"><strong>clients-per-query</strong></span>
-                        and
-                        <span class="command"><strong>max-clients-per-query</strong></span>
-                        options
-                        (see the description about
-                        <a class="xref" href="Bv9ARM.ch06.html#clients-per-query"><span class="command"><strong>clients-per-query</strong></span></a>.)
-                        This corresponds to the
-                        <span class="command"><strong>dropped</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryFailure</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Other query failures.
-                        This corresponds to the
-                        <span class="command"><strong>failure</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                        Note: this counter is provided mainly for
-                        backward compatibility with the previous versions.
-                        Normally a more fine-grained counters such as
-                        <span class="command"><strong>AuthQryRej</strong></span> and
-                        <span class="command"><strong>RecQryRej</strong></span>
-                        that would also fall into this counter are provided,
-                        and so this counter would not be of much
-                        interest in practice.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryNXRedir</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in NXDOMAIN that were redirected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryNXRedirRLookup</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in NXDOMAIN that were redirected
-                        and resulted in a successful remote lookup.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>XfrReqDone</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requested zone transfers completed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>UpdateReqFwd</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Update requests forwarded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>UpdateRespFwd</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Update responses forwarded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>UpdateFwdFail</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Dynamic update forward failed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>UpdateDone</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Dynamic updates completed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>UpdateFail</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Dynamic updates failed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>UpdateBadPrereq</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Dynamic updates rejected due to prerequisite failure.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>RateDropped</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Responses dropped by rate limits.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>RateSlipped</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Responses truncated by rate limits.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>RPZRewrites</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Response policy zone rewrites.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-          </div>
-
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_stats"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
-
-            <div class="informaltable">
-              <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="3.350in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Description</em></span>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>NotifyOutv4</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 notifies sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>NotifyOutv6</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 notifies sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>NotifyInv4</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 notifies received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>NotifyInv6</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 notifies received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>NotifyRej</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Incoming notifies rejected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>SOAOutv4</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 SOA queries sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>SOAOutv6</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 SOA queries sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>AXFRReqv4</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 AXFR requested.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>AXFRReqv6</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 AXFR requested.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>IXFRReqv4</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 IXFR requested.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>IXFRReqv6</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 IXFR requested.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>XfrSuccess</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Zone transfer requests succeeded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>XfrFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Zone transfer requests failed.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-          </div>
-
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="resolver_stats"></a>Resolver Statistics Counters</h4></div></div></div>
-
-            <div class="informaltable">
-              <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="1.150in" class="2">
-<col width="3.350in" class="3">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>BIND8 Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Description</em></span>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Queryv4</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>SFwdQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 queries sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Queryv6</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>SFwdQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 queries sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Responsev4</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RR</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 responses received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Responsev6</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RR</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 responses received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>NXDOMAIN</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RNXD</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        NXDOMAIN received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>SERVFAIL</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        SERVFAIL received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>FORMERR</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RFErr</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        FORMERR received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>OtherError</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RErr</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Other errors received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>EDNS0Fail</strong></span></p>
-                                                 </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        EDNS(0) query failures.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Mismatch</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RDupR</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Mismatch responses received.
-                        The DNS ID, response's source address,
-                        and/or the response's source port does not
-                        match what was expected.
-                        (The port must be 53 or as defined by
-                        the <span class="command"><strong>port</strong></span> option.)
-                        This may be an indication of a cache
-                        poisoning attempt.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Truncated</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Truncated responses received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Lame</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>RLame</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Lame delegations received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>Retry</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>SDupQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Query retries performed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QueryAbort</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries aborted due to quota control.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QuerySockFail</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Failures in opening query sockets.
-                        One common reason for such failures is a
-                        failure of opening a new socket due to a
-                        limitation on file descriptors.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QueryTimeout</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Query timeouts.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>GlueFetchv4</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>SSysQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 NS address fetches invoked.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>GlueFetchv6</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong>SSysQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 NS address fetches invoked.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>GlueFetchv4Fail</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 NS address fetch failed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>GlueFetchv6Fail</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 NS address fetch failed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>ValAttempt</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        DNSSEC validation attempted.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>ValOk</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        DNSSEC validation succeeded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>ValNegOk</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        DNSSEC validation on negative information succeeded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>ValFail</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        DNSSEC validation failed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>QryRTTnn</strong></span></p>
-                    </td>
-<td>
-                      <p><span class="command"><strong></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Frequency table on round trip times (RTTs) of
-                        queries.
-                        Each <span class="command"><strong>nn</strong></span> specifies the corresponding
-                        frequency.
-                        In the sequence of
-                        <span class="command"><strong>nn_1</strong></span>,
-                        <span class="command"><strong>nn_2</strong></span>,
-                        ...,
-                        <span class="command"><strong>nn_m</strong></span>,
-                        the value of <span class="command"><strong>nn_i</strong></span> is the
-                        number of queries whose RTTs are between
-                        <span class="command"><strong>nn_(i-1)</strong></span> (inclusive) and
-                        <span class="command"><strong>nn_i</strong></span> (exclusive) milliseconds.
-                        For the sake of convenience we define
-                        <span class="command"><strong>nn_0</strong></span> to be 0.
-                        The last entry should be represented as
-                        <span class="command"><strong>nn_m+</strong></span>, which means the
-                        number of queries whose RTTs are equal to or over
-                        <span class="command"><strong>nn_m</strong></span> milliseconds.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-
-          </div>
-
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="socket_stats"></a>Socket I/O Statistics Counters</h4></div></div></div>
-
-            <p>
-              Socket I/O statistics counters are defined per socket
-              types, which are
-              <span class="command"><strong>UDP4</strong></span> (UDP/IPv4),
-              <span class="command"><strong>UDP6</strong></span> (UDP/IPv6),
-              <span class="command"><strong>TCP4</strong></span> (TCP/IPv4),
-              <span class="command"><strong>TCP6</strong></span> (TCP/IPv6),
-              <span class="command"><strong>Unix</strong></span> (Unix Domain), and
-              <span class="command"><strong>FDwatch</strong></span> (sockets opened outside the
-              socket module).
-              In the following table <span class="command"><strong>&lt;TYPE&gt;</strong></span>
-              represents a socket type.
-              Not all counters are available for all socket types;
-              exceptions are noted in the description field.
-            </p>
-
-            <div class="informaltable">
-              <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="3.350in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Description</em></span>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>&lt;TYPE&gt;Open</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Sockets opened successfully.
-                        This counter is not applicable to the
-                        <span class="command"><strong>FDwatch</strong></span> type.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>&lt;TYPE&gt;OpenFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Failures of opening sockets.
-                        This counter is not applicable to the
-                        <span class="command"><strong>FDwatch</strong></span> type.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>&lt;TYPE&gt;Close</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Sockets closed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>&lt;TYPE&gt;BindFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Failures of binding sockets.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>&lt;TYPE&gt;ConnFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Failures of connecting sockets.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>&lt;TYPE&gt;Conn</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Connections established successfully.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>&lt;TYPE&gt;AcceptFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Failures of accepting incoming connection requests.
-                        This counter is not applicable to the
-                        <span class="command"><strong>UDP</strong></span> and
-                        <span class="command"><strong>FDwatch</strong></span> types.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>&lt;TYPE&gt;Accept</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Incoming connections successfully accepted.
-                        This counter is not applicable to the
-                        <span class="command"><strong>UDP</strong></span> and
-                        <span class="command"><strong>FDwatch</strong></span> types.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>&lt;TYPE&gt;SendErr</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Errors in socket send operations.
-                        This counter corresponds
-                        to <span class="command"><strong>SErr</strong></span> counter of
-                        <span class="command"><strong>BIND</strong></span> 8.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span class="command"><strong>&lt;TYPE&gt;RecvErr</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Errors in socket receive operations.
-                        This includes errors of send operations on a
-                        connected UDP socket notified by an ICMP error
-                        message.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table>
-            </div>
-          </div>
-
-          <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="bind8_compatibility"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
-
-            <p>
-              Most statistics counters that were available
-              in <span class="command"><strong>BIND</strong></span> 8 are also supported in
-              <span class="command"><strong>BIND</strong></span> 9 as shown in the above tables.
-              Here are notes about other counters that do not appear
-              in these tables.
-            </p>
-
-            <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>RFwdR,SFwdR</strong></span></span></dt>
-<dd>
-                  <p>
-                    These counters are not supported
-                    because <span class="command"><strong>BIND</strong></span> 9 does not adopt
-                    the notion of <span class="emphasis"><em>forwarding</em></span>
-                    as <span class="command"><strong>BIND</strong></span> 8 did.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>RAXFR</strong></span></span></dt>
-<dd>
-                  <p>
-                    This counter is accessible in the Incoming Queries section.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>RIQ</strong></span></span></dt>
-<dd>
-                  <p>
-                    This counter is accessible in the Incoming Requests section.
-                  </p>
-                </dd>
-<dt><span class="term"><span class="command"><strong>ROpts</strong></span></span></dt>
-<dd>
-                  <p>
-                    This counter is not supported
-                    because <span class="command"><strong>BIND</strong></span> 9 does not care
-                    about IP options in the first place.
-                  </p>
-                </dd>
-</dl></div>
-          </div>
-        </div>
-      </div>
-
     </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
+<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">Chapter 4. Advanced DNS Features </td>
+<td width="40%" align="left" valign="top">Chapter 5. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 6. <acronym class="acronym">BIND</acronym> 9 Security Considerations</td>
+<td width="40%" align="right" valign="top"> Chapter 7. Troubleshooting</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 7d7ed706fa7a97f695a487a5a62dfea29eae7097..c1f4ff4386ebd5217deb2824a66a037e3cbf4912 100644 (file)
@@ -9,17 +9,17 @@
 <html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 6. BIND 9 Security Considerations</title>
+<title>Chapter 7. Troubleshooting</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 5. BIND 9 Configuration Reference">
-<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 7. Troubleshooting">
+<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Security Considerations">
+<link rel="next" href="Bv9ARM.ch08.html" title="Appendix A. Release Notes">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
+<tr><th colspan="3" align="center">Chapter 7. Troubleshooting</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
 </div>
 <div class="chapter">
 <div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch07"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h1></div></div></div>
+<a name="Bv9ARM.ch07"></a>Chapter 7. Troubleshooting</h1></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#common_problems">Common Problems</a></span></dt>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.3">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#more_help">Where Can I Get Help?</a></span></dt>
 </dl>
 </div>
 
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
+<a name="common_problems"></a>Common Problems</h2></div></div></div>
 
-        <p>
-          Access Control Lists (ACLs) are address match lists that
-          you can set up and nickname for future use in
-          <span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
-          <span class="command"><strong>allow-query-on</strong></span>, <span class="command"><strong>allow-recursion</strong></span>,
-          <span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
-          <span class="command"><strong>match-clients</strong></span>, etc.
-        </p>
-        <p>
-          Using ACLs allows you to have finer control over who can access
-          your name server, without cluttering up your config files with huge
-          lists of IP addresses.
-        </p>
-        <p>
-          It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
-          control access to your server. Limiting access to your server by
-          outside parties can help prevent spoofing and denial of service
-          (DoS) attacks against your server.
-        </p>
-        <p>
-          ACLs match clients on the basis of up to three characteristics:
-          1) The client's IP address; 2) the TSIG or SIG(0) key that was
-          used to sign the request, if any; and 3) an address prefix
-          encoded in an EDNS Client Subnet option, if any.
-        </p>
-        <p>
-          Here is an example of ACLs based on client addresses:
-        </p>
-
-<pre class="programlisting">
-// Set up an ACL named "bogusnets" that will block
-// RFC1918 space and some reserved space, which is
-// commonly used in spoofing attacks.
-acl bogusnets {
-        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
-        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
-};
-
-// Set up an ACL called our-nets. Replace this with the
-// real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; };
-options {
-  ...
-  ...
-  allow-query { our-nets; };
-  allow-recursion { our-nets; };
-  ...
-  blackhole { bogusnets; };
-  ...
-};
-
-zone "example.com" {
-  type master;
-  file "m/example.com";
-  allow-query { any; };
-};
-</pre>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.8.2.2"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
 
-        <p>
-          This allows authoritative queries for "example.com" from any
-          address, but recursive queries only from the networks specified
-          in "our-nets", and no queries at all from the networks
-          specified in "bogusnets".
-        </p>
-        <p>
-          In addition to network addresses and prefixes, which are
-          matched against the source address of the DNS request, ACLs
-          may include <code class="option">key</code> elements, which specify the
-          name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
-          elements, which specify a network prefix but are only matched
-          if that prefix matches an EDNS client subnet option included
-          in the request.
-        </p>
-        <p>
-          The EDNS Client Subnet (ECS) option is used by a recursive
-          resolver to inform an authoritative name server of the network
-          address block from which the original query was received, enabling
-          authoritative servers to give different answers to the same
-          resolver for different resolver clients.  An ACL containing
-          an element of the form
-          <span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
-          will match if a request arrives in containing an ECS option
-          encoding an address within that prefix.  If the request has no
-          ECS option, then "ecs" elements are simply ignored.  Addresses
-          in ACLs that are not prefixed with "ecs" are matched only
-          against the source address.
-        </p>
-        <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
           <p>
-            (Note: The authoritative ECS implementation in
-            <span class="command"><strong>named</strong></span> is based on an early version of the
-            specification, and is known to have incompatibilities with
-            other implementations.  It is also inefficient, requiring
-            a separate view for each client subnet to be sent different
-            answers, and it is unable to correct for overlapping subnets in
-            the configuration.  It can be used for testing purposes, but is
-            not recommended for production use.)
+            The best solution to solving installation and
+            configuration issues is to take preventative measures by setting
+            up logging files beforehand. The log files provide a
+            source of hints and information that can be used to figure out
+            what went wrong and how to fix the problem.
           </p>
-        </div>
-        <p>
-          When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
-          ACLs can also be used for geographic access restrictions.
-          This is done by specifying an ACL element of the form:
-          <span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
-        </p>
-        <p>
-          The <em class="replaceable"><code>field</code></em> indicates which field
-          to search for a match.  Available fields are "country",
-          "region", "city", "continent", "postal" (postal code),
-          "metro" (metro code), "area" (area code), "tz" (timezone),
-          "isp", "org", "asnum", "domain" and "netspeed".
-        </p>
-        <p>
-          <em class="replaceable"><code>value</code></em> is the value to search
-          for within the database.  A string may be quoted if it
-          contains spaces or other special characters.  If this is
-          an "asnum" search, then the leading "ASNNNN" string can be
-          used, otherwise the full description must be used (e.g.
-          "ASNNNN Example Company Name").  If this is a "country"
-          search and the string is two characters long, then it must
-          be a standard ISO-3166-1 two-letter country code, and if it
-          is three characters long then it must be an ISO-3166-1
-          three-letter country code; otherwise it is the full name
-          of the country.  Similarly, if this is a "region" search
-          and the string is two characters long, then it must be a
-          standard two-letter state or province abbreviation;
-          otherwise it is the full name of the state or province.
-        </p>
-        <p>
-          The <em class="replaceable"><code>database</code></em> field indicates which
-          GeoIP database to search for a match.  In most cases this is
-          unnecessary, because most search fields can only be found in
-          a single database.  However, searches for country can be
-          answered from the "city", "region", or "country" databases,
-          and searches for region (i.e., state or province) can be
-          answered from the "city" or "region" databases.  For these
-          search types, specifying a <em class="replaceable"><code>database</code></em>
-          will force the query to be answered from that database and no
-          other.  If <em class="replaceable"><code>database</code></em> is not
-          specified, then these queries will be answered from the "city",
-          database if it is installed, or the "region" database if it is
-          installed, or the "country" database, in that order.
-        </p>
-        <p>
-          By default, if a DNS query includes an EDNS Client Subnet (ECS)
-          option which encodes a non-zero address prefix, then GeoIP ACLs
-          will be matched against that address prefix.  Otherwise, they
-          are matched against the source address of the query.  To
-          prevent GeoIP ACLs from matching against ECS options, set
-          the <span class="command"><strong>geoip-use-ecs</strong></span> to <code class="literal">no</code>.
-        </p>
-        <p>
-          Some example GeoIP ACLs:
-        </p>
-        <pre class="programlisting">geoip country US;
-geoip country JAP;
-geoip db country country Canada;
-geoip db region region WA;
-geoip city "San Francisco";
-geoip region Oklahoma;
-geoip postal 95062;
-geoip tz "America/Los_Angeles";
-geoip org "Internet Systems Consortium";
-</pre>
 
-        <p>
-          ACLs use a "first-match" logic rather than "best-match":
-          if an address prefix matches an ACL element, then that ACL
-          is considered to have matched even if a later element would
-          have matched more specifically.  For example, the ACL
-          <span class="command"><strong> { 10/8; !10.0.0.1; }</strong></span> would actually
-          match a query from 10.0.0.1, because the first element
-          indicated that the query should be accepted, and the second
-          element is ignored.
-        </p>
-        <p>
-          When using "nested" ACLs (that is, ACLs included or referenced
-          within other ACLs), a negative match of a nested ACL will
-          the containing ACL to continue looking for matches.  This
-          enables complex ACLs to be constructed, in which multiple
-          client characteristics can be checked at the same time. For
-          example, to construct an ACL which allows queries only when
-          it originates from a particular network <span class="emphasis"><em>and</em></span>
-          only when it is signed with a particular key, use:
-        </p>
-        <pre class="programlisting">
-allow-query { !{ !10/8; any; }; key example; };
-</pre>
-        <p>
-          Within the nested ACL, any address that is
-          <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
-          be rejected, and this will terminate processing of the
-          ACL.  Any address that <span class="emphasis"><em>is</em></span> in the 10/8
-          network prefix will be accepted, but this causes a negative
-          match of the nested ACL, so the containing ACL continues
-          processing. The query will then be accepted if it is signed
-          by the key "example", and rejected otherwise.  The ACL, then,
-          will only matches when <span class="emphasis"><em>both</em></span> conditions
-          are true.
-        </p>
+        </div>
       </div>
-
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="chroot_and_setuid"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
-</h2></div></div></div>
+<a name="id-1.8.3"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
 
         <p>
-          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
-          in a <span class="emphasis"><em>chrooted</em></span> environment (using
-          the <span class="command"><strong>chroot()</strong></span> function) by specifying
-          the <code class="option">-t</code> option for <span class="command"><strong>named</strong></span>.
-          This can help improve system security by placing
-          <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
-          the damage done if a server is compromised.
-        </p>
-        <p>
-          Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
-          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
-          We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
+          Zone serial numbers are just numbers &#8212; they aren't
+          date related.  A lot of people set them to a number that
+          represents a date, usually of the form YYYYMMDDRR.
+          Occasionally they will make a mistake and set them to a
+          "date in the future" then try to correct them by setting
+          them to the "current date".  This causes problems because
+          serial numbers are used to indicate that a zone has been
+          updated.  If the serial number on the slave server is
+          lower than the serial number on the master, the slave
+          server will attempt to update its copy of the zone.
         </p>
+
         <p>
-          Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
-          <span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
-          user 202:
+          Setting the serial number to a lower number on the master
+          server than the slave server means that the slave will not perform
+          updates to its copy of the zone.
         </p>
+
         <p>
-          <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
+          The solution to this is to add 2147483647 (2^31-1) to the
+          number, reload the zone and make sure all slaves have updated to
+          the new zone serial number, then reset the number to what you want
+          it to be, and reload the zone again.
         </p>
 
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="chroot"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
-
-          <p>
-            In order for a <span class="command"><strong>chroot</strong></span> environment
-            to work properly in a particular directory (for example,
-            <code class="filename">/var/named</code>), you will need to set
-            up an environment that includes everything
-            <acronym class="acronym">BIND</acronym> needs to run.  From
-            <acronym class="acronym">BIND</acronym>'s point of view,
-            <code class="filename">/var/named</code> is the root of the
-            filesystem.  You will need to adjust the values of
-            options like <span class="command"><strong>directory</strong></span> and
-            <span class="command"><strong>pid-file</strong></span> to account for this.
-          </p>
-          <p>
-            Unlike with earlier versions of BIND, you typically will
-            <span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
-            statically nor install shared libraries under the new root.
-            However, depending on your operating system, you may need
-            to set up things like
-            <code class="filename">/dev/zero</code>,
-            <code class="filename">/dev/random</code>,
-            <code class="filename">/dev/log</code>, and
-            <code class="filename">/etc/localtime</code>.
-          </p>
-        </div>
-
-        <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="setuid"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>
-
-          <p>
-            Prior to running the <span class="command"><strong>named</strong></span> daemon,
-            use
-            the <span class="command"><strong>touch</strong></span> utility (to change file
-            access and
-            modification times) or the <span class="command"><strong>chown</strong></span>
-            utility (to
-            set the user id and/or group id) on files
-            to which you want <acronym class="acronym">BIND</acronym>
-            to write.
-          </p>
-          <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-            If the <span class="command"><strong>named</strong></span> daemon is running as an
-            unprivileged user, it will not be able to bind to new restricted
-            ports if the server is reloaded.
-          </p>
-</div>
-        </div>
       </div>
-
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
+<a name="more_help"></a>Where Can I Get Help?</h2></div></div></div>
 
         <p>
-          Access to the dynamic
-          update facility should be strictly limited.  In earlier versions of
-          <acronym class="acronym">BIND</acronym>, the only way to do this was
-          based on the IP
-          address of the host requesting the update, by listing an IP address
-          or
-          network prefix in the <span class="command"><strong>allow-update</strong></span>
-          zone option.
-          This method is insecure since the source address of the update UDP
-          packet
-          is easily forged.  Also note that if the IP addresses allowed by the
-          <span class="command"><strong>allow-update</strong></span> option include the
-          address of a slave
-          server which performs forwarding of dynamic updates, the master can
-          be
-          trivially attacked by sending the update to the slave, which will
-          forward it to the master with its own source IP address causing the
-          master to approve it without question.
+          The Internet Systems Consortium
+          (<acronym class="acronym">ISC</acronym>) offers a wide range
+          of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
+          levels of premium support are available and each level includes
+          support for all <acronym class="acronym">ISC</acronym> programs,
+          significant discounts on products
+          and training, and a recognized priority on bug fixes and
+          non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
+          support agreement package which includes services ranging from bug
+          fix announcements to remote support. It also includes training in
+          <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.
         </p>
 
         <p>
-          For these reasons, we strongly recommend that updates be
-          cryptographically authenticated by means of transaction signatures
-          (TSIG).  That is, the <span class="command"><strong>allow-update</strong></span>
-          option should
-          list only TSIG key names, not IP addresses or network
-          prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span>
-          option can be used.
+          To discuss arrangements for support, contact
+          <a class="link" href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
+          <acronym class="acronym">ISC</acronym> web page at
+          <a class="link" href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
+          to read more.
         </p>
-
-        <p>
-          Some sites choose to keep all dynamically-updated DNS data
-          in a subdomain and delegate that subdomain to a separate zone. This
-          way, the top-level zone containing critical data such as the IP
-          addresses
-          of public web and mail servers need not allow dynamic update at
-          all.
-        </p>
-
       </div>
     </div>
 <div class="navfooter">
@@ -393,12 +130,12 @@ allow-query { !{ !10/8; any; }; key example; };
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">Chapter 5. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
+<td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Security Considerations </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 7. Troubleshooting</td>
+<td width="40%" align="right" valign="top"> Appendix A. Release Notes</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 911a49aa85a0878c9963e4b687c5c27b2234f1bf..fa84df9f52954ee98094e8370b3b0bd741c17dd9 100644 (file)
@@ -9,17 +9,17 @@
 <html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 7. Troubleshooting</title>
+<title>Appendix A. Release Notes</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 6. BIND 9 Security Considerations">
-<link rel="next" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes">
+<link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. Troubleshooting">
+<link rel="next" href="Bv9ARM.ch09.html" title="Appendix B. A Brief History of the DNS and BIND">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 7. Troubleshooting</th></tr>
+<tr><th colspan="3" align="center">Appendix A. Release Notes</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td>
 </table>
 <hr>
 </div>
-<div class="chapter">
+<div class="appendix">
 <div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch08"></a>Chapter 7. Troubleshooting</h1></div></div></div>
+<a name="Bv9ARM.ch08"></a>Release Notes</h1></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#common_problems">Common Problems</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.8.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.8.3">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#more_help">Where Can I Get Help?</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.1-dev</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
+</dl></dd>
 </dl>
 </div>
-
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="common_problems"></a>Common Problems</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.12.1-dev</h2></div></div></div>
+  
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
+    <p>
+      BIND 9.13 is unstable development release of BIND.
+      This document summarizes new features and functional changes that
+      have been introduced on this branch.  With each development
+      release leading up to the stable BIND 9.14 release, this document
+      will be updated with additional features added and bugs fixed.
+    </p>
+  </div>
 
-        <div class="section">
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.8.2.2"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="relnotes_download"></a>Download</h3></div></div></div>
+    <p>
+      The latest versions of BIND 9 software can always be found at
+      <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
+      There you will find additional information about each release,
+      source code, and pre-compiled versions for Microsoft Windows
+      operating systems.
+    </p>
+  </div>
 
-          <p>
-            The best solution to solving installation and
-            configuration issues is to take preventative measures by setting
-            up logging files beforehand. The log files provide a
-            source of hints and information that can be used to figure out
-            what went wrong and how to fix the problem.
-          </p>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+       <p>
+         Addresses could be referenced after being freed during resolver
+         processing, causing an assertion failure. The chances of this
+         happening were remote, but the introduction of a delay in
+         resolution increased them. This bug is disclosed in
+         CVE-2017-3145. [RT #46839]
+       </p>
+      </li></ul></div>
+  </div>
 
-        </div>
-      </div>
-      <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.8.3"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+       <p>
+         None.
+       </p>
+      </li></ul></div>
+  </div>
 
-        <p>
-          Zone serial numbers are just numbers &#8212; they aren't
-          date related.  A lot of people set them to a number that
-          represents a date, usually of the form YYYYMMDDRR.
-          Occasionally they will make a mistake and set them to a
-          "date in the future" then try to correct them by setting
-          them to the "current date".  This causes problems because
-          serial numbers are used to indicate that a zone has been
-          updated.  If the serial number on the slave server is
-          lower than the serial number on the master, the slave
-          server will attempt to update its copy of the zone.
-        </p>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+       <p>
+         <span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
+         keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
+         to generate these keys. [RT #46404]
+       </p>
+      </li></ul></div>
+  </div>
 
-        <p>
-          Setting the serial number to a lower number on the master
-          server than the slave server means that the slave will not perform
-          updates to its copy of the zone.
-        </p>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+       <p>
+         Zone types <span class="command"><strong>primary</strong></span> and
+         <span class="command"><strong>secondary</strong></span> are now available as synonyms for
+         <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
+         respectively, in <code class="filename">named.conf</code>.
+       </p>
+      </li></ul></div>
+  </div>
 
-        <p>
-          The solution to this is to add 2147483647 (2^31-1) to the
-          number, reload the zone and make sure all slaves have updated to
-          the new zone serial number, then reset the number to what you want
-          it to be, and reload the zone again.
-        </p>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+       <p>
+         Attempting to validate improperly unsigned CNAME responses
+         from secure zones could cause a validator loop. This caused
+         a delay in returning SERVFAIL and also increased the chances
+         of encountering the crash bug described in CVE-2017-3145.
+         [RT #46839]
+       </p>
+      </li></ul></div>
+  </div>
 
-      </div>
-      <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="more_help"></a>Where Can I Get Help?</h2></div></div></div>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_license"></a>License</h3></div></div></div>
+    <p>
+      BIND is open source software licenced under the terms of the Mozilla
+      Public License, version 2.0 (see the <code class="filename">LICENSE</code>
+      file for the full text).
+    </p>
+    <p>
+      The license requires that if you make changes to BIND and distribute
+      them outside your organization, those changes must be published under
+      the same license. It does not require that you publish or disclose
+      anything other than the changes you have made to our software.  This
+      requirement does not affect anyone who is using BIND, with or without
+      modifications, without redistributing it, nor anyone redistributing
+      BIND without changes.
+    </p>
+    <p>
+      Those wishing to discuss license compliance may contact ISC at
+      <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
+       https://www.isc.org/mission/contact/</a>.
+    </p>
+  </div>
 
-        <p>
-          The Internet Systems Consortium
-          (<acronym class="acronym">ISC</acronym>) offers a wide range
-          of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
-          levels of premium support are available and each level includes
-          support for all <acronym class="acronym">ISC</acronym> programs,
-          significant discounts on products
-          and training, and a recognized priority on bug fixes and
-          non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
-          support agreement package which includes services ranging from bug
-          fix announcements to remote support. It also includes training in
-          <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.
-        </p>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="end_of_life"></a>End of Life</h3></div></div></div>
+    <p>
+      BIND 9.13 is an unstable development branch. When its development
+      is complete, it will be renamed to BIND 9.14, which will be a
+      stable branch.
+    </p>
+    <p>
+      The end of life date for BIND 9.14 has not yet been determined.
+      For those needing long term support, the current Extended Support
+      Version (ESV) is BIND 9.11, which will be supported until December
+      2021. See
+      <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
+      for details of ISC's software support policy.
+    </p>
+  </div>
 
-        <p>
-          To discuss arrangements for support, contact
-          <a class="link" href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
-          <acronym class="acronym">ISC</acronym> web page at
-          <a class="link" href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
-          to read more.
-        </p>
-      </div>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
+    <p>
+      Thank you to everyone who assisted us in making this release possible.
+      If you would like to contribute to ISC to assist us in continuing to
+      make quality open source software, please visit our donations page at
+      <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
+    </p>
+  </div>
+</div>
     </div>
 <div class="navfooter">
 <hr>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Security Considerations </td>
+<td width="40%" align="left" valign="top">Chapter 7. Troubleshooting </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix A. Release Notes</td>
+<td width="40%" align="right" valign="top"> Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
+</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index ce2007819d6b14e21dc027c04f782582acf45d5a..f28f5745c01cdd88996d28c95a380c2da30be0f9 100644 (file)
@@ -9,17 +9,18 @@
 <html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix A. Release Notes</title>
+<title>Appendix B. A Brief History of the DNS and BIND</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 7. Troubleshooting">
-<link rel="next" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND">
+<link rel="prev" href="Bv9ARM.ch08.html" title="Appendix A. Release Notes">
+<link rel="next" href="Bv9ARM.ch10.html" title="Appendix C. General DNS Reference Information">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix A. Release Notes</th></tr>
+<tr><th colspan="3" align="center">Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
+</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
 </div>
 <div class="appendix">
 <div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.9.2">Release Notes for BIND Version 9.13.0-dev</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-      <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.0-dev</h2></div></div></div>
-  
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
-    <p>
-      BIND 9.13 is unstable development release of BIND.
-      This document summarizes new features and functional changes that
-      have been introduced on this branch.  With each development
-      release leading up to the stable BIND 9.14 release, this document
-      will be updated with additional features added and bugs fixed.
-    </p>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_download"></a>Download</h3></div></div></div>
-    <p>
-      The latest versions of BIND 9 software can always be found at
-      <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
-      There you will find additional information about each release,
-      source code, and pre-compiled versions for Microsoft Windows
-      operating systems.
-    </p>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-       <p>
-         Addresses could be referenced after being freed during resolver
-         processing, causing an assertion failure. The chances of this
-         happening were remote, but the introduction of a delay in
-         resolution increased them. This bug is disclosed in
-         CVE-2017-3145. [RT #46839]
-       </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-       <p>
-         None.
-       </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-       <p>
-         <span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
-         keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
-         to generate these keys. [RT #46404]
-       </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-       <p>
-         Zone types <span class="command"><strong>primary</strong></span> and
-         <span class="command"><strong>secondary</strong></span> are now available as synonyms for
-         <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
-         respectively, in <code class="filename">named.conf</code>.
-       </p>
-      </li></ul></div>
-  </div>
+<a name="Bv9ARM.ch09"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
+</h1></div></div></div>
+      <p><a name="historical_dns_information"></a>
+        Although the "official" beginning of the Domain Name
+        System occurred in 1984 with the publication of RFC 920, the
+        core of the new system was described in 1983 in RFCs 882 and
+        883. From 1984 to 1987, the ARPAnet (the precursor to today's
+        Internet) became a testbed of experimentation for developing the
+        new naming/addressing scheme in a rapidly expanding,
+        operational network environment.  New RFCs were written and
+        published in 1987 that modified the original documents to
+        incorporate improvements based on the working model. RFC 1034,
+        "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
+        Names-Implementation and Specification" were published and
+        became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
+        built.
+      </p>
 
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-       <p>
-         Attempting to validate improperly unsigned CNAME responses
-         from secure zones could cause a validator loop. This caused
-         a delay in returning SERVFAIL and also increased the chances
-         of encountering the crash bug described in CVE-2017-3145.
-         [RT #46839]
-       </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_license"></a>License</h3></div></div></div>
-    <p>
-      BIND is open source software licenced under the terms of the Mozilla
-      Public License, version 2.0 (see the <code class="filename">LICENSE</code>
-      file for the full text).
-    </p>
-    <p>
-      The license requires that if you make changes to BIND and distribute
-      them outside your organization, those changes must be published under
-      the same license. It does not require that you publish or disclose
-      anything other than the changes you have made to our software.  This
-      requirement does not affect anyone who is using BIND, with or without
-      modifications, without redistributing it, nor anyone redistributing
-      BIND without changes.
-    </p>
-    <p>
-      Those wishing to discuss license compliance may contact ISC at
-      <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
-       https://www.isc.org/mission/contact/</a>.
-    </p>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="end_of_life"></a>End of Life</h3></div></div></div>
-    <p>
-      BIND 9.13 is an unstable development branch. When its development
-      is complete, it will be renamed to BIND 9.14, which will be a
-      stable branch.
-    </p>
-    <p>
-      The end of life date for BIND 9.14 has not yet been determined.
-      For those needing long term support, the current Extended Support
-      Version (ESV) is BIND 9.11, which will be supported until December
-      2021. See
-      <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
-      for details of ISC's software support policy.
-    </p>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
-    <p>
-      Thank you to everyone who assisted us in making this release possible.
-      If you would like to contribute to ISC to assist us in continuing to
-      make quality open source software, please visit our donations page at
-      <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
-    </p>
-  </div>
-</div>
+      <p>
+        The first working domain name server, called "Jeeves", was
+        written in 1983-84 by Paul Mockapetris for operation on DEC
+        Tops-20
+        machines located at the University of Southern California's
+        Information
+        Sciences Institute (USC-ISI) and SRI International's Network
+        Information
+        Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for
+        Unix machines, the Berkeley Internet
+        Name Domain (<acronym class="acronym">BIND</acronym>) package, was
+        written soon after by a group of
+        graduate students at the University of California at Berkeley
+        under
+        a grant from the US Defense Advanced Research Projects
+        Administration
+        (DARPA).
+      </p>
+      <p>
+        Versions of <acronym class="acronym">BIND</acronym> through
+        4.8.3 were maintained by the Computer
+        Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
+        Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
+        project team. After that, additional work on the software package
+        was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
+        Corporation
+        employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985
+        to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development
+        during that time: Doug Kingston, Craig Partridge, Smoot
+        Carl-Mitchell,
+        Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
+        handled by Mike Karels and Øivind Kure.
+      </p>
+      <p>
+        <acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
+        released by Digital Equipment
+        Corporation (now Compaq Computer Corporation). Paul Vixie, then
+        a DEC employee, became <acronym class="acronym">BIND</acronym>'s
+        primary caretaker. He was assisted
+        by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
+        Beecher, Andrew
+        Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
+        Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
+        Wolfhugel, and others.
+      </p>
+      <p>
+        In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
+        Vixie Enterprises. Paul
+        Vixie became <acronym class="acronym">BIND</acronym>'s principal
+        architect/programmer.
+      </p>
+      <p>
+        <acronym class="acronym">BIND</acronym> versions from 4.9.3 onward
+        have been developed and maintained
+        by the Internet Systems Consortium and its predecessor,
+        the Internet Software Consortium,  with support being provided
+        by ISC's sponsors.
+      </p>
+      <p>
+        As co-architects/programmers, Bob Halley and
+        Paul Vixie released the first production-ready version of
+        <acronym class="acronym">BIND</acronym> version 8 in May 1997.
+      </p>
+      <p>
+        BIND version 9 was released in September 2000 and is a
+        major rewrite of nearly all aspects of the underlying
+        BIND architecture.
+      </p>
+      <p>
+        BIND versions 4 and 8 are officially deprecated.
+        No additional development is done
+        on BIND version 4 or BIND version 8.
+      </p>
+      <p>
+        <acronym class="acronym">BIND</acronym> development work is made
+        possible today by the sponsorship
+        of several corporations, and by the tireless work efforts of
+        numerous individuals.
+      </p>
     </div>
 <div class="navfooter">
 <hr>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">Chapter 7. Troubleshooting </td>
+<td width="40%" align="left" valign="top">Appendix A. Release Notes </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
-</td>
+<td width="40%" align="right" valign="top"> Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 6cd7f39151bb2ba2fbc371a7fe9fed4f5c0d5ac3..c50a9d026e949e5a173d83a4830dd9375c775b53 100644 (file)
@@ -9,18 +9,17 @@
 <html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix B. A Brief History of the DNS and BIND</title>
+<title>Appendix C. General DNS Reference Information</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes">
-<link rel="next" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information">
+<link rel="prev" href="Bv9ARM.ch09.html" title="Appendix B. A Brief History of the DNS and BIND">
+<link rel="next" href="Bv9ARM.ch11.html" title="Appendix D. BIND 9 DNS Library Support">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
-</th></tr>
+<tr><th colspan="3" align="center">Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch09.html">Prev</a> </td>
 </div>
 <div class="appendix">
 <div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch10"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
-</h1></div></div></div>
-      <p><a name="historical_dns_information"></a>
-        Although the "official" beginning of the Domain Name
-        System occurred in 1984 with the publication of RFC 920, the
-        core of the new system was described in 1983 in RFCs 882 and
-        883. From 1984 to 1987, the ARPAnet (the precursor to today's
-        Internet) became a testbed of experimentation for developing the
-        new naming/addressing scheme in a rapidly expanding,
-        operational network environment.  New RFCs were written and
-        published in 1987 that modified the original documents to
-        incorporate improvements based on the working model. RFC 1034,
-        "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
-        Names-Implementation and Specification" were published and
-        became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
-        built.
-      </p>
-
-      <p>
-        The first working domain name server, called "Jeeves", was
-        written in 1983-84 by Paul Mockapetris for operation on DEC
-        Tops-20
-        machines located at the University of Southern California's
-        Information
-        Sciences Institute (USC-ISI) and SRI International's Network
-        Information
-        Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for
-        Unix machines, the Berkeley Internet
-        Name Domain (<acronym class="acronym">BIND</acronym>) package, was
-        written soon after by a group of
-        graduate students at the University of California at Berkeley
-        under
-        a grant from the US Defense Advanced Research Projects
-        Administration
-        (DARPA).
-      </p>
-      <p>
-        Versions of <acronym class="acronym">BIND</acronym> through
-        4.8.3 were maintained by the Computer
-        Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-        Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
-        project team. After that, additional work on the software package
-        was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
-        Corporation
-        employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985
-        to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development
-        during that time: Doug Kingston, Craig Partridge, Smoot
-        Carl-Mitchell,
-        Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
-        handled by Mike Karels and Øivind Kure.
-      </p>
-      <p>
-        <acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
-        released by Digital Equipment
-        Corporation (now Compaq Computer Corporation). Paul Vixie, then
-        a DEC employee, became <acronym class="acronym">BIND</acronym>'s
-        primary caretaker. He was assisted
-        by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
-        Beecher, Andrew
-        Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
-        Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-        Wolfhugel, and others.
-      </p>
-      <p>
-        In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
-        Vixie Enterprises. Paul
-        Vixie became <acronym class="acronym">BIND</acronym>'s principal
-        architect/programmer.
-      </p>
-      <p>
-        <acronym class="acronym">BIND</acronym> versions from 4.9.3 onward
-        have been developed and maintained
-        by the Internet Systems Consortium and its predecessor,
-        the Internet Software Consortium,  with support being provided
-        by ISC's sponsors.
-      </p>
-      <p>
-        As co-architects/programmers, Bob Halley and
-        Paul Vixie released the first production-ready version of
-        <acronym class="acronym">BIND</acronym> version 8 in May 1997.
-      </p>
-      <p>
-        BIND version 9 was released in September 2000 and is a
-        major rewrite of nearly all aspects of the underlying
-        BIND architecture.
-      </p>
-      <p>
-        BIND versions 4 and 8 are officially deprecated.
-        No additional development is done
-        on BIND version 4 or BIND version 8.
-      </p>
-      <p>
-        <acronym class="acronym">BIND</acronym> development work is made
-        possible today by the sponsorship
-        of several corporations, and by the tireless work efforts of
-        numerous individuals.
-      </p>
+<a name="Bv9ARM.ch10"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h1></div></div></div>
+<div class="toc">
+<p><b>Table of Contents</b></p>
+<dl class="toc">
+<dt><span class="section"><a href="Bv9ARM.ch10.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch10.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch10.html#rfcs">Request for Comments (RFCs)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch10.html#internet_drafts">Internet Drafts</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch10.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+</dl></dd>
+</dl>
+</div>
+
+      <div class="section">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h2></div></div></div>
+
+          <p>
+            IPv6 addresses are 128-bit identifiers for interfaces and
+            sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
+            scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
+            an identifier for a single interface;
+            <span class="emphasis"><em>Anycast</em></span>,
+            an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
+            an identifier for a set of interfaces. Here we describe the global
+            Unicast address scheme. For more information, see RFC 3587,
+            "Global Unicast Address Format."
+          </p>
+          <p>
+            IPv6 unicast addresses consist of a
+            <span class="emphasis"><em>global routing prefix</em></span>, a
+            <span class="emphasis"><em>subnet identifier</em></span>, and an
+            <span class="emphasis"><em>interface identifier</em></span>.
+          </p>
+          <p>
+            The global routing prefix is provided by the
+            upstream provider or ISP, and (roughly) corresponds to the
+            IPv4 <span class="emphasis"><em>network</em></span> section
+            of the address range.
+
+            The subnet identifier is for local subnetting, much the
+            same as subnetting an
+            IPv4 /16 network into /24 subnets.
+
+            The interface identifier is the address of an individual
+            interface on a given network; in IPv6, addresses belong to
+            interfaces rather than to machines.
+          </p>
+          <p>
+            The subnetting capability of IPv6 is much more flexible than
+            that of IPv4: subnetting can be carried out on bit boundaries,
+            in much the same way as Classless InterDomain Routing
+            (CIDR), and the DNS PTR representation ("nibble" format)
+            makes setting up reverse zones easier.
+          </p>
+          <p>
+            The Interface Identifier must be unique on the local link,
+            and is usually generated automatically by the IPv6
+            implementation, although it is usually possible to
+            override the default setting if necessary.  A typical IPv6
+            address might look like:
+            <span class="command"><strong>2001:db8:201:9:a00:20ff:fe81:2b32</strong></span>
+          </p>
+          <p>
+            IPv6 address specifications often contain long strings
+            of zeros, so the architects have included a shorthand for
+            specifying
+            them. The double colon (`::') indicates the longest possible
+            string
+            of zeros that can fit, and can be used only once in an address.
+          </p>
+      </div>
+      <div class="section">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="bibliography"></a>Bibliography (and Suggested Reading)</h2></div></div></div>
+
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div>
+
+          <p>
+            Specification documents for the Internet protocol suite, including
+            the <acronym class="acronym">DNS</acronym>, are published as part of
+            the Request for Comments (RFCs)
+            series of technical notes. The standards themselves are defined
+            by the Internet Engineering Task Force (IETF) and the Internet
+            Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
+          </p>
+          <p>
+            <a class="link" href="ftp://www.isi.edu/in-notes/" target="_top">
+              ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxxx</code></em>.txt
+            </a>
+          </p>
+          <p>
+            (where <em class="replaceable"><code>xxxx</code></em> is
+            the number of the RFC). RFCs are also available via the Web at:
+          </p>
+          <p>
+            <a class="link" href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
+          </p>
+          <div class="bibliography">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.11.3.2.6"></a>Bibliography</h4></div></div></div>
+            <div class="bibliodiv">
+              
+
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.1.2"></a><p>[<abbr class="abbrev">RFC974</abbr>] 
+                
+                <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span>
+                <span class="citetitle"><em class="citetitle">Mail Routing and the Domain System</em>. </span>
+                <span class="pubdate">January 1986. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.1.3"></a><p>[<abbr class="abbrev">RFC1034</abbr>] 
+                
+                <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span>
+                <span class="citetitle"><em class="citetitle">Domain Names &#8212; Concepts and Facilities</em>. </span>
+                <span class="pubdate">November 1987. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.1.4"></a><p>[<abbr class="abbrev">RFC1035</abbr>] 
+                
+                <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span> <span class="citetitle"><em class="citetitle">Domain Names &#8212; Implementation and
+                  Specification</em>. </span>
+                <span class="pubdate">November 1987. </span>
+              </p>
+</div>
+            </div>
+            <div class="bibliodiv">
+
+              
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.2"></a><p>[<abbr class="abbrev">RFC2181</abbr>] 
+                
+                <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span>
+                <span class="citetitle"><em class="citetitle">Clarifications to the <acronym class="acronym">DNS</acronym>
+                  Specification</em>. </span>
+                <span class="pubdate">July 1997. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.3"></a><p>[<abbr class="abbrev">RFC2308</abbr>] 
+                
+                <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span>
+                <span class="citetitle"><em class="citetitle">Negative Caching of <acronym class="acronym">DNS</acronym>
+                  Queries</em>. </span>
+                <span class="pubdate">March 1998. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.4"></a><p>[<abbr class="abbrev">RFC1995</abbr>] 
+                
+                <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span>
+                <span class="citetitle"><em class="citetitle">Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></em>. </span>
+                <span class="pubdate">August 1996. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.5"></a><p>[<abbr class="abbrev">RFC1996</abbr>] 
+                
+                <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
+                <span class="citetitle"><em class="citetitle">A Mechanism for Prompt Notification of Zone Changes</em>. </span>
+                <span class="pubdate">August 1996. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.6"></a><p>[<abbr class="abbrev">RFC2136</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span>
+                <span class="citetitle"><em class="citetitle">Dynamic Updates in the Domain Name System</em>. </span>
+                <span class="pubdate">April 1997. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.7"></a><p>[<abbr class="abbrev">RFC2671</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
+                <span class="citetitle"><em class="citetitle">Extension Mechanisms for DNS (EDNS0)</em>. </span>
+                <span class="pubdate">August 1997. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.8"></a><p>[<abbr class="abbrev">RFC2672</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span>
+                <span class="citetitle"><em class="citetitle">Non-Terminal DNS Name Redirection</em>. </span>
+                <span class="pubdate">August 1999. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.9"></a><p>[<abbr class="abbrev">RFC2845</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
+                <span class="citetitle"><em class="citetitle">Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</em>. </span>
+                <span class="pubdate">May 2000. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.10"></a><p>[<abbr class="abbrev">RFC2930</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
+                <span class="citetitle"><em class="citetitle">Secret Key Establishment for DNS (TKEY RR)</em>. </span>
+                <span class="pubdate">September 2000. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.11"></a><p>[<abbr class="abbrev">RFC2931</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
+                <span class="citetitle"><em class="citetitle">DNS Request and Transaction Signatures (SIG(0)s)</em>. </span>
+                <span class="pubdate">September 2000. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.12"></a><p>[<abbr class="abbrev">RFC3007</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
+                <span class="citetitle"><em class="citetitle">Secure Domain Name System (DNS) Dynamic Update</em>. </span>
+                <span class="pubdate">November 2000. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.2.13"></a><p>[<abbr class="abbrev">RFC3645</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span>
+                <span class="citetitle"><em class="citetitle">Generic Security Service Algorithm for Secret
+                       Key Transaction Authentication for DNS
+                       (GSS-TSIG)</em>. </span>
+                <span class="pubdate">October 2003. </span>
+              </p>
+</div>
+            </div>
+            <div class="bibliodiv">
+
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.3.2"></a><p>[<abbr class="abbrev">RFC3225</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span>
+                <span class="citetitle"><em class="citetitle">Indicating Resolver Support of DNSSEC</em>. </span>
+                <span class="pubdate">December 2001. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.3.3"></a><p>[<abbr class="abbrev">RFC3833</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span>
+                <span class="citetitle"><em class="citetitle">Threat Analysis of the Domain Name System (DNS)</em>. </span>
+                <span class="pubdate">August 2004. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.3.4"></a><p>[<abbr class="abbrev">RFC4033</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
+                <span class="citetitle"><em class="citetitle">DNS Security Introduction and Requirements</em>. </span>
+                <span class="pubdate">March 2005. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.3.5"></a><p>[<abbr class="abbrev">RFC4034</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
+                <span class="citetitle"><em class="citetitle">Resource Records for the DNS Security Extensions</em>. </span>
+                <span class="pubdate">March 2005. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.3.6"></a><p>[<abbr class="abbrev">RFC4035</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
+                <span class="citetitle"><em class="citetitle">Protocol Modifications for the DNS
+                       Security Extensions</em>. </span>
+                <span class="pubdate">March 2005. </span>
+              </p>
+</div>
+            </div>
+            <div class="bibliodiv">
+
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.4.2"></a><p>[<abbr class="abbrev">RFC1535</abbr>] 
+                
+                <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span>
+                <span class="citetitle"><em class="citetitle">A Security Problem and Proposed Correction With Widely
+                  Deployed <acronym class="acronym">DNS</acronym> Software</em>. </span>
+                <span class="pubdate">October 1993. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.4.3"></a><p>[<abbr class="abbrev">RFC1536</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span>
+                <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Implementation
+                  Errors and Suggested Fixes</em>. </span>
+                <span class="pubdate">October 1993. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.4.4"></a><p>[<abbr class="abbrev">RFC1982</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span>
+                <span class="citetitle"><em class="citetitle">Serial Number Arithmetic</em>. </span>
+                <span class="pubdate">August 1996. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.4.5"></a><p>[<abbr class="abbrev">RFC4074</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span>
+                <span class="citetitle"><em class="citetitle">Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+                Queries for IPv6 Addresses</em>. </span>
+                <span class="pubdate">May 2005. </span>
+              </p>
+</div>
+            </div>
+            <div class="bibliodiv">
+
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.2"></a><p>[<abbr class="abbrev">RFC1183</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span>
+                <span class="citetitle"><em class="citetitle">New <acronym class="acronym">DNS</acronym> RR Definitions</em>. </span>
+                <span class="pubdate">October 1990. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.3"></a><p>[<abbr class="abbrev">RFC1706</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span>
+                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> NSAP Resource Records</em>. </span>
+                <span class="pubdate">October 1994. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.4"></a><p>[<abbr class="abbrev">RFC2168</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span>
+                <span class="citetitle"><em class="citetitle">Resolution of Uniform Resource Identifiers using
+                  the Domain Name System</em>. </span>
+                <span class="pubdate">June 1997. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.5"></a><p>[<abbr class="abbrev">RFC1876</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span>
+                <span class="citetitle"><em class="citetitle">A Means for Expressing Location Information in the
+                  Domain
+                  Name System</em>. </span>
+                <span class="pubdate">January 1996. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.6"></a><p>[<abbr class="abbrev">RFC2052</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
+                <span class="citetitle"><em class="citetitle">A <acronym class="acronym">DNS</acronym> RR for Specifying the
+                  Location of
+                  Services</em>. </span>
+                <span class="pubdate">October 1996. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.7"></a><p>[<abbr class="abbrev">RFC2163</abbr>] 
+                
+                <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span>
+                <span class="citetitle"><em class="citetitle">Using the Internet <acronym class="acronym">DNS</acronym> to
+                  Distribute MIXER
+                  Conformant Global Address Mapping</em>. </span>
+                <span class="pubdate">January 1998. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.8"></a><p>[<abbr class="abbrev">RFC2230</abbr>] 
+                
+                <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span>
+                <span class="citetitle"><em class="citetitle">Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></em>. </span>
+                <span class="pubdate">October 1997. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.9"></a><p>[<abbr class="abbrev">RFC2536</abbr>] 
+                
+                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
+                <span class="citetitle"><em class="citetitle">DSA KEYs and SIGs in the Domain Name System (DNS)</em>. </span>
+                <span class="pubdate">March 1999. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.10"></a><p>[<abbr class="abbrev">RFC2537</abbr>] 
+                
+                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
+                <span class="citetitle"><em class="citetitle">RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</em>. </span>
+                <span class="pubdate">March 1999. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.11"></a><p>[<abbr class="abbrev">RFC2538</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
+                <span class="citetitle"><em class="citetitle">Storing Certificates in the Domain Name System (DNS)</em>. </span>
+                <span class="pubdate">March 1999. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.12"></a><p>[<abbr class="abbrev">RFC2539</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
+                <span class="citetitle"><em class="citetitle">Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</em>. </span>
+                <span class="pubdate">March 1999. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.13"></a><p>[<abbr class="abbrev">RFC2540</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
+                <span class="citetitle"><em class="citetitle">Detached Domain Name System (DNS) Information</em>. </span>
+                <span class="pubdate">March 1999. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.14"></a><p>[<abbr class="abbrev">RFC2782</abbr>] 
+                
+                <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span>
+                <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
+                <span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span>
+                <span class="citetitle"><em class="citetitle">A DNS RR for specifying the location of services (DNS SRV)</em>. </span>
+                <span class="pubdate">February 2000. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.15"></a><p>[<abbr class="abbrev">RFC2915</abbr>] 
+                
+                <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span>
+                <span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span>
+                <span class="citetitle"><em class="citetitle">The Naming Authority Pointer (NAPTR) DNS Resource Record</em>. </span>
+                <span class="pubdate">September 2000. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.16"></a><p>[<abbr class="abbrev">RFC3110</abbr>] 
+                
+                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
+                <span class="citetitle"><em class="citetitle">RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</em>. </span>
+                <span class="pubdate">May 2001. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.17"></a><p>[<abbr class="abbrev">RFC3123</abbr>] 
+                
+                <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span>
+                <span class="citetitle"><em class="citetitle">A DNS RR Type for Lists of Address Prefixes (APL RR)</em>. </span>
+                <span class="pubdate">June 2001. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.18"></a><p>[<abbr class="abbrev">RFC3596</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span>
+                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Extensions to support IP
+                  version 6</em>. </span>
+                <span class="pubdate">October 2003. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.5.19"></a><p>[<abbr class="abbrev">RFC3597</abbr>] 
+                
+                <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span>
+                <span class="citetitle"><em class="citetitle">Handling of Unknown DNS Resource Record (RR) Types</em>. </span>
+                <span class="pubdate">September 2003. </span>
+              </p>
+</div>
+            </div>
+            <div class="bibliodiv">
+
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.6.2"></a><p>[<abbr class="abbrev">RFC1101</abbr>] 
+                
+                <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span>
+                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Encoding of Network Names
+                  and Other Types</em>. </span>
+                <span class="pubdate">April 1989. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.6.3"></a><p>[<abbr class="abbrev">RFC1123</abbr>] 
+                
+                <span class="author"><span class="surname">Braden</span>. </span>
+                <span class="citetitle"><em class="citetitle">Requirements for Internet Hosts - Application and
+                  Support</em>. </span>
+                <span class="pubdate">October 1989. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.6.4"></a><p>[<abbr class="abbrev">RFC1591</abbr>] 
+                
+                <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span>
+                <span class="citetitle"><em class="citetitle">Domain Name System Structure and Delegation</em>. </span>
+                <span class="pubdate">March 1994. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.6.5"></a><p>[<abbr class="abbrev">RFC2317</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
+                <span class="citetitle"><em class="citetitle">Classless IN-ADDR.ARPA Delegation</em>. </span>
+                <span class="pubdate">March 1998. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.6.6"></a><p>[<abbr class="abbrev">RFC2826</abbr>] 
+                
+                <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span>
+                <span class="citetitle"><em class="citetitle">IAB Technical Comment on the Unique DNS Root</em>. </span>
+                <span class="pubdate">May 2000. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.6.7"></a><p>[<abbr class="abbrev">RFC2929</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span>
+                <span class="citetitle"><em class="citetitle">Domain Name System (DNS) IANA Considerations</em>. </span>
+                <span class="pubdate">September 2000. </span>
+              </p>
+</div>
+            </div>
+            <div class="bibliodiv">
+
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.7.2"></a><p>[<abbr class="abbrev">RFC1033</abbr>] 
+                
+                <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span>
+                <span class="citetitle"><em class="citetitle">Domain administrators operations guide</em>. </span>
+                <span class="pubdate">November 1987. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.7.3"></a><p>[<abbr class="abbrev">RFC1537</abbr>] 
+                
+                <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span>
+                <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Data File
+                  Configuration Errors</em>. </span>
+                <span class="pubdate">October 1993. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.7.4"></a><p>[<abbr class="abbrev">RFC1912</abbr>] 
+                
+                <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span>
+                <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Operational and
+                  Configuration Errors</em>. </span>
+                <span class="pubdate">February 1996. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.7.5"></a><p>[<abbr class="abbrev">RFC2010</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
+                <span class="citetitle"><em class="citetitle">Operational Criteria for Root Name Servers</em>. </span>
+                <span class="pubdate">October 1996. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.7.6"></a><p>[<abbr class="abbrev">RFC2219</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span>
+                <span class="citetitle"><em class="citetitle">Use of <acronym class="acronym">DNS</acronym> Aliases for
+                  Network Services</em>. </span>
+                <span class="pubdate">October 1997. </span>
+              </p>
+</div>
+            </div>
+            <div class="bibliodiv">
+
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.8.2"></a><p>[<abbr class="abbrev">RFC2825</abbr>] 
+                
+                <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span>
+                <span class="citetitle"><em class="citetitle">A Tangled Web: Issues of I18N, Domain Names,
+                       and the Other Internet protocols</em>. </span>
+                <span class="pubdate">May 2000. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.8.3"></a><p>[<abbr class="abbrev">RFC3490</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span>
+                <span class="citetitle"><em class="citetitle">Internationalizing Domain Names in Applications (IDNA)</em>. </span>
+                <span class="pubdate">March 2003. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.8.4"></a><p>[<abbr class="abbrev">RFC3491</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span>
+                <span class="citetitle"><em class="citetitle">Nameprep: A Stringprep Profile for Internationalized Domain Names</em>. </span>
+                <span class="pubdate">March 2003. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.8.5"></a><p>[<abbr class="abbrev">RFC3492</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span>
+                <span class="citetitle"><em class="citetitle">Punycode: A Bootstring encoding of Unicode
+                       for Internationalized Domain Names in
+                       Applications (IDNA)</em>. </span>
+                <span class="pubdate">March 2003. </span>
+              </p>
+</div>
+            </div>
+            <div class="bibliodiv">
+
+              <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                <p>
+                  Note: the following list of RFCs, although
+                  <acronym class="acronym">DNS</acronym>-related, are not
+                  concerned with implementing software.
+                </p>
+              </div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.9.3"></a><p>[<abbr class="abbrev">RFC1464</abbr>] 
+                
+                <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span>
+                <span class="citetitle"><em class="citetitle">Using the Domain Name System To Store Arbitrary String
+                  Attributes</em>. </span>
+                <span class="pubdate">May 1993. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.9.4"></a><p>[<abbr class="abbrev">RFC1713</abbr>] 
+                
+                <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span>
+                <span class="citetitle"><em class="citetitle">Tools for <acronym class="acronym">DNS</acronym> Debugging</em>. </span>
+                <span class="pubdate">November 1994. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.9.5"></a><p>[<abbr class="abbrev">RFC1794</abbr>] 
+                
+                <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span>
+                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Support for Load
+                  Balancing</em>. </span>
+                <span class="pubdate">April 1995. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.9.6"></a><p>[<abbr class="abbrev">RFC2240</abbr>] 
+                
+                <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span>
+                <span class="citetitle"><em class="citetitle">A Legal Basis for Domain Name Allocation</em>. </span>
+                <span class="pubdate">November 1997. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.9.7"></a><p>[<abbr class="abbrev">RFC2345</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span>
+                <span class="citetitle"><em class="citetitle">Domain Names and Company Name Retrieval</em>. </span>
+                <span class="pubdate">May 1998. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.9.8"></a><p>[<abbr class="abbrev">RFC2352</abbr>] 
+                
+                <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span>
+                <span class="citetitle"><em class="citetitle">A Convention For Using Legal Names as Domain Names</em>. </span>
+                <span class="pubdate">May 1998. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.9.9"></a><p>[<abbr class="abbrev">RFC3071</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span>
+                <span class="citetitle"><em class="citetitle">Reflections on the DNS, RFC 1591, and Categories of Domains</em>. </span>
+                <span class="pubdate">February 2001. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.9.10"></a><p>[<abbr class="abbrev">RFC3258</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span>
+                <span class="citetitle"><em class="citetitle">Distributing Authoritative Name Servers via
+                       Shared Unicast Addresses</em>. </span>
+                <span class="pubdate">April 2002. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.9.11"></a><p>[<abbr class="abbrev">RFC3901</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span>
+                <span class="citetitle"><em class="citetitle">DNS IPv6 Transport Operational Guidelines</em>. </span>
+                <span class="pubdate">September 2004. </span>
+              </p>
+</div>
+            </div>
+            <div class="bibliodiv">
+
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.10.2"></a><p>[<abbr class="abbrev">RFC1712</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span>
+                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Encoding of Geographical
+                  Location</em>. </span>
+                <span class="pubdate">November 1994. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.10.3"></a><p>[<abbr class="abbrev">RFC2673</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span>
+                <span class="citetitle"><em class="citetitle">Binary Labels in the Domain Name System</em>. </span>
+                <span class="pubdate">August 1999. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.10.4"></a><p>[<abbr class="abbrev">RFC2874</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span>
+                <span class="citetitle"><em class="citetitle">DNS Extensions to Support IPv6 Address Aggregation
+                       and Renumbering</em>. </span>
+                <span class="pubdate">July 2000. </span>
+              </p>
+</div>
+            </div>
+            <div class="bibliodiv">
+
+              <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                <p>
+                  Most of these have been consolidated into RFC4033,
+                  RFC4034 and RFC4035 which collectively describe DNSSECbis.
+                </p>
+              </div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.3"></a><p>[<abbr class="abbrev">RFC2065</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span>
+                <span class="citetitle"><em class="citetitle">Domain Name System Security Extensions</em>. </span>
+                <span class="pubdate">January 1997. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.4"></a><p>[<abbr class="abbrev">RFC2137</abbr>] 
+                
+                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
+                <span class="citetitle"><em class="citetitle">Secure Domain Name System Dynamic Update</em>. </span>
+                <span class="pubdate">April 1997. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.5"></a><p>[<abbr class="abbrev">RFC2535</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
+                <span class="citetitle"><em class="citetitle">Domain Name System Security Extensions</em>. </span>
+                <span class="pubdate">March 1999. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.6"></a><p>[<abbr class="abbrev">RFC3008</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
+                <span class="citetitle"><em class="citetitle">Domain Name System Security (DNSSEC)
+                       Signing Authority</em>. </span>
+                <span class="pubdate">November 2000. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.7"></a><p>[<abbr class="abbrev">RFC3090</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span>
+                <span class="citetitle"><em class="citetitle">DNS Security Extension Clarification on Zone Status</em>. </span>
+                <span class="pubdate">March 2001. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.8"></a><p>[<abbr class="abbrev">RFC3445</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
+                <span class="citetitle"><em class="citetitle">Limiting the Scope of the KEY Resource Record (RR)</em>. </span>
+                <span class="pubdate">December 2002. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.9"></a><p>[<abbr class="abbrev">RFC3655</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
+                <span class="citetitle"><em class="citetitle">Redefinition of DNS Authenticated Data (AD) bit</em>. </span>
+                <span class="pubdate">November 2003. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.10"></a><p>[<abbr class="abbrev">RFC3658</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
+                <span class="citetitle"><em class="citetitle">Delegation Signer (DS) Resource Record (RR)</em>. </span>
+                <span class="pubdate">December 2003. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.11"></a><p>[<abbr class="abbrev">RFC3755</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span>
+                <span class="citetitle"><em class="citetitle">Legacy Resolver Compatibility for Delegation Signer (DS)</em>. </span>
+                <span class="pubdate">May 2004. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.12"></a><p>[<abbr class="abbrev">RFC3757</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span>
+                <span class="citetitle"><em class="citetitle">Domain Name System KEY (DNSKEY) Resource Record
+                      (RR) Secure Entry Point (SEP) Flag</em>. </span>
+                <span class="pubdate">April 2004. </span>
+              </p>
+</div>
+              <div class="biblioentry">
+<a name="id-1.11.3.2.6.11.13"></a><p>[<abbr class="abbrev">RFC3845</abbr>] 
+                
+                <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span>
+                <span class="citetitle"><em class="citetitle">DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</em>. </span>
+                <span class="pubdate">August 2004. </span>
+              </p>
+</div>
+            </div>
+          </div>
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="internet_drafts"></a>Internet Drafts</h3></div></div></div>
+
+          <p>
+            Internet Drafts (IDs) are rough-draft working documents of
+            the Internet Engineering Task Force. They are, in essence, RFCs
+            in the preliminary stages of development. Implementors are
+            cautioned not
+            to regard IDs as archival, and they should not be quoted or cited
+            in any formal documents unless accompanied by the disclaimer that
+            they are "works in progress." IDs have a lifespan of six months
+            after which they are deleted unless updated by their authors.
+          </p>
+        </div>
+        <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="more_about_bind"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+</h3></div></div></div>
+
+          <p></p>
+          <div class="bibliography">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.11.3.4.3"></a>Bibliography</h4></div></div></div>
+            <div class="biblioentry">
+<a name="id-1.11.3.4.3.1"></a><p>
+              <span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span>
+              <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></em>. </span>
+              <span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span>
+            </p>
+</div>
+          </div>
+        </div>
+      </div>
     </div>
 <div class="navfooter">
 <hr>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">Appendix A. Release Notes </td>
+<td width="40%" align="left" valign="top">Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information</td>
+<td width="40%" align="right" valign="top"> Appendix D. BIND 9 DNS Library Support</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index a1f9317489a0d2eaee18cb5bcdfd9727db8b339f..44e3cbdc41c597664a3bb03efeca667d09f9dce7 100644 (file)
@@ -9,17 +9,17 @@
 <html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix C. General DNS Reference Information</title>
+<title>Appendix D. BIND 9 DNS Library Support</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND">
-<link rel="next" href="Bv9ARM.ch12.html" title="Appendix D. BIND 9 DNS Library Support">
+<link rel="prev" href="Bv9ARM.ch10.html" title="Appendix C. General DNS Reference Information">
+<link rel="next" href="Bv9ARM.ch12.html" title="Manual pages">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information</th></tr>
+<tr><th colspan="3" align="center">Appendix D. BIND 9 DNS Library Support</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch10.html">Prev</a> </td>
 </div>
 <div class="appendix">
 <div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch11"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h1></div></div></div>
+<a name="Bv9ARM.ch11"></a>BIND 9 DNS Library Support</h1></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.2.5">Installation</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.2.6">Known Defects/Restrictions</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.2.7">The dns.conf File</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.2.8">Sample Applications</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.2.9">Library References</a></span></dt>
 </dl></dd>
 </dl>
 </div>
-
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h2></div></div></div>
-
-          <p>
-            IPv6 addresses are 128-bit identifiers for interfaces and
-            sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
-            scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
-            an identifier for a single interface;
-            <span class="emphasis"><em>Anycast</em></span>,
-            an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
-            an identifier for a set of interfaces. Here we describe the global
-            Unicast address scheme. For more information, see RFC 3587,
-            "Global Unicast Address Format."
-          </p>
-          <p>
-            IPv6 unicast addresses consist of a
-            <span class="emphasis"><em>global routing prefix</em></span>, a
-            <span class="emphasis"><em>subnet identifier</em></span>, and an
-            <span class="emphasis"><em>interface identifier</em></span>.
-          </p>
-          <p>
-            The global routing prefix is provided by the
-            upstream provider or ISP, and (roughly) corresponds to the
-            IPv4 <span class="emphasis"><em>network</em></span> section
-            of the address range.
-
-            The subnet identifier is for local subnetting, much the
-            same as subnetting an
-            IPv4 /16 network into /24 subnets.
-
-            The interface identifier is the address of an individual
-            interface on a given network; in IPv6, addresses belong to
-            interfaces rather than to machines.
-          </p>
-          <p>
-            The subnetting capability of IPv6 is much more flexible than
-            that of IPv4: subnetting can be carried out on bit boundaries,
-            in much the same way as Classless InterDomain Routing
-            (CIDR), and the DNS PTR representation ("nibble" format)
-            makes setting up reverse zones easier.
-          </p>
-          <p>
-            The Interface Identifier must be unique on the local link,
-            and is usually generated automatically by the IPv6
-            implementation, although it is usually possible to
-            override the default setting if necessary.  A typical IPv6
-            address might look like:
-            <span class="command"><strong>2001:db8:201:9:a00:20ff:fe81:2b32</strong></span>
-          </p>
-          <p>
-            IPv6 address specifications often contain long strings
-            of zeros, so the architects have included a shorthand for
-            specifying
-            them. The double colon (`::') indicates the longest possible
-            string
-            of zeros that can fit, and can be used only once in an address.
-          </p>
-      </div>
-      <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="bibliography"></a>Bibliography (and Suggested Reading)</h2></div></div></div>
-
-        <div class="section">
+<a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div>
+  
+  <p>
+    This version of BIND 9 "exports" its internal libraries so
+    that they can be used by third-party applications more easily (we
+    call them "export" libraries in this document). Certain library
+    functions are altered from specific BIND-only behavior to more generic
+    behavior when used by other applications; to enable this generic behavior,
+    the calling program initializes the libraries by calling
+    <span class="command"><strong>isc_lib_register()</strong></span>.
+  </p>
+  <p>
+    In addition to DNS-related APIs that are used within BIND 9, the
+    libraries provide the following features:
+  </p>
+  <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+      <p>
+       The "DNS client" module. This is a higher level API that
+       provides an interface to name resolution, single DNS transaction
+       with a particular server, and dynamic update. Regarding name
+       resolution, it supports advanced features such as DNSSEC validation
+       and caching. This module supports both synchronous and asynchronous
+       mode.
+      </p>
+    </li>
+<li class="listitem">
+      <p>
+       The "IRS" (Information Retrieval System) library.  It provides an
+       interface to parse the traditional <code class="filename">resolv.conf</code>
+       file and more advanced, DNS-specific configuration file for the
+       rest of this package (see the description for the
+       <code class="filename">dns.conf</code> file below).
+      </p>
+    </li>
+<li class="listitem">
+      <p>
+       As part of the IRS library, the standard address-name
+       mapping functions, <span class="command"><strong>getaddrinfo()</strong></span> and
+       <span class="command"><strong>getnameinfo()</strong></span>, are provided. They use the
+       DNSSEC-aware validating resolver backend, and could use other
+       advanced features of the BIND 9 libraries such as caching. The
+       <span class="command"><strong>getaddrinfo()</strong></span> function resolves both A
+       and AAAA RRs concurrently when the address family is
+       unspecified.
+      </p>
+    </li>
+<li class="listitem">
+      <p>
+       An experimental framework to support other event
+       libraries than BIND 9's internal event task system.
+      </p>
+    </li>
+</ul></div>
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div>
-
-          <p>
-            Specification documents for the Internet protocol suite, including
-            the <acronym class="acronym">DNS</acronym>, are published as part of
-            the Request for Comments (RFCs)
-            series of technical notes. The standards themselves are defined
-            by the Internet Engineering Task Force (IETF) and the Internet
-            Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
-          </p>
-          <p>
-            <a class="link" href="ftp://www.isi.edu/in-notes/" target="_top">
-              ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxxx</code></em>.txt
-            </a>
-          </p>
-          <p>
-            (where <em class="replaceable"><code>xxxx</code></em> is
-            the number of the RFC). RFCs are also available via the Web at:
-          </p>
-          <p>
-            <a class="link" href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
-          </p>
-          <div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.11.3.2.6"></a>Bibliography</h4></div></div></div>
-            <div class="bibliodiv">
-              
-
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.1.2"></a><p>[<abbr class="abbrev">RFC974</abbr>] 
-                
-                <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span>
-                <span class="citetitle"><em class="citetitle">Mail Routing and the Domain System</em>. </span>
-                <span class="pubdate">January 1986. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.1.3"></a><p>[<abbr class="abbrev">RFC1034</abbr>] 
-                
-                <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Names &#8212; Concepts and Facilities</em>. </span>
-                <span class="pubdate">November 1987. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.1.4"></a><p>[<abbr class="abbrev">RFC1035</abbr>] 
-                
-                <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span> <span class="citetitle"><em class="citetitle">Domain Names &#8212; Implementation and
-                  Specification</em>. </span>
-                <span class="pubdate">November 1987. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.2"></a><p>[<abbr class="abbrev">RFC2181</abbr>] 
-                
-                <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span>
-                <span class="citetitle"><em class="citetitle">Clarifications to the <acronym class="acronym">DNS</acronym>
-                  Specification</em>. </span>
-                <span class="pubdate">July 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.3"></a><p>[<abbr class="abbrev">RFC2308</abbr>] 
-                
-                <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span>
-                <span class="citetitle"><em class="citetitle">Negative Caching of <acronym class="acronym">DNS</acronym>
-                  Queries</em>. </span>
-                <span class="pubdate">March 1998. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.4"></a><p>[<abbr class="abbrev">RFC1995</abbr>] 
-                
-                <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span>
-                <span class="citetitle"><em class="citetitle">Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></em>. </span>
-                <span class="pubdate">August 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.5"></a><p>[<abbr class="abbrev">RFC1996</abbr>] 
-                
-                <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Mechanism for Prompt Notification of Zone Changes</em>. </span>
-                <span class="pubdate">August 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.6"></a><p>[<abbr class="abbrev">RFC2136</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span>
-                <span class="citetitle"><em class="citetitle">Dynamic Updates in the Domain Name System</em>. </span>
-                <span class="pubdate">April 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.7"></a><p>[<abbr class="abbrev">RFC2671</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="citetitle"><em class="citetitle">Extension Mechanisms for DNS (EDNS0)</em>. </span>
-                <span class="pubdate">August 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.8"></a><p>[<abbr class="abbrev">RFC2672</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span>
-                <span class="citetitle"><em class="citetitle">Non-Terminal DNS Name Redirection</em>. </span>
-                <span class="pubdate">August 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.9"></a><p>[<abbr class="abbrev">RFC2845</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
-                <span class="citetitle"><em class="citetitle">Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</em>. </span>
-                <span class="pubdate">May 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.10"></a><p>[<abbr class="abbrev">RFC2930</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">Secret Key Establishment for DNS (TKEY RR)</em>. </span>
-                <span class="pubdate">September 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.11"></a><p>[<abbr class="abbrev">RFC2931</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS Request and Transaction Signatures (SIG(0)s)</em>. </span>
-                <span class="pubdate">September 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.12"></a><p>[<abbr class="abbrev">RFC3007</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
-                <span class="citetitle"><em class="citetitle">Secure Domain Name System (DNS) Dynamic Update</em>. </span>
-                <span class="pubdate">November 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.2.13"></a><p>[<abbr class="abbrev">RFC3645</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span>
-                <span class="citetitle"><em class="citetitle">Generic Security Service Algorithm for Secret
-                       Key Transaction Authentication for DNS
-                       (GSS-TSIG)</em>. </span>
-                <span class="pubdate">October 2003. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.3.2"></a><p>[<abbr class="abbrev">RFC3225</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span>
-                <span class="citetitle"><em class="citetitle">Indicating Resolver Support of DNSSEC</em>. </span>
-                <span class="pubdate">December 2001. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.3.3"></a><p>[<abbr class="abbrev">RFC3833</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span>
-                <span class="citetitle"><em class="citetitle">Threat Analysis of the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">August 2004. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.3.4"></a><p>[<abbr class="abbrev">RFC4033</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS Security Introduction and Requirements</em>. </span>
-                <span class="pubdate">March 2005. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.3.5"></a><p>[<abbr class="abbrev">RFC4034</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
-                <span class="citetitle"><em class="citetitle">Resource Records for the DNS Security Extensions</em>. </span>
-                <span class="pubdate">March 2005. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.3.6"></a><p>[<abbr class="abbrev">RFC4035</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
-                <span class="citetitle"><em class="citetitle">Protocol Modifications for the DNS
-                       Security Extensions</em>. </span>
-                <span class="pubdate">March 2005. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.4.2"></a><p>[<abbr class="abbrev">RFC1535</abbr>] 
-                
-                <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Security Problem and Proposed Correction With Widely
-                  Deployed <acronym class="acronym">DNS</acronym> Software</em>. </span>
-                <span class="pubdate">October 1993. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.4.3"></a><p>[<abbr class="abbrev">RFC1536</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span>
-                <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Implementation
-                  Errors and Suggested Fixes</em>. </span>
-                <span class="pubdate">October 1993. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.4.4"></a><p>[<abbr class="abbrev">RFC1982</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span>
-                <span class="citetitle"><em class="citetitle">Serial Number Arithmetic</em>. </span>
-                <span class="pubdate">August 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.4.5"></a><p>[<abbr class="abbrev">RFC4074</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span>
-                <span class="citetitle"><em class="citetitle">Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
-                Queries for IPv6 Addresses</em>. </span>
-                <span class="pubdate">May 2005. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.2"></a><p>[<abbr class="abbrev">RFC1183</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span>
-                <span class="citetitle"><em class="citetitle">New <acronym class="acronym">DNS</acronym> RR Definitions</em>. </span>
-                <span class="pubdate">October 1990. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.3"></a><p>[<abbr class="abbrev">RFC1706</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span>
-                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> NSAP Resource Records</em>. </span>
-                <span class="pubdate">October 1994. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.4"></a><p>[<abbr class="abbrev">RFC2168</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span>
-                <span class="citetitle"><em class="citetitle">Resolution of Uniform Resource Identifiers using
-                  the Domain Name System</em>. </span>
-                <span class="pubdate">June 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.5"></a><p>[<abbr class="abbrev">RFC1876</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Means for Expressing Location Information in the
-                  Domain
-                  Name System</em>. </span>
-                <span class="pubdate">January 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.6"></a><p>[<abbr class="abbrev">RFC2052</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="citetitle"><em class="citetitle">A <acronym class="acronym">DNS</acronym> RR for Specifying the
-                  Location of
-                  Services</em>. </span>
-                <span class="pubdate">October 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.7"></a><p>[<abbr class="abbrev">RFC2163</abbr>] 
-                
-                <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span>
-                <span class="citetitle"><em class="citetitle">Using the Internet <acronym class="acronym">DNS</acronym> to
-                  Distribute MIXER
-                  Conformant Global Address Mapping</em>. </span>
-                <span class="pubdate">January 1998. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.8"></a><p>[<abbr class="abbrev">RFC2230</abbr>] 
-                
-                <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span>
-                <span class="citetitle"><em class="citetitle">Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></em>. </span>
-                <span class="pubdate">October 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.9"></a><p>[<abbr class="abbrev">RFC2536</abbr>] 
-                
-                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">DSA KEYs and SIGs in the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.10"></a><p>[<abbr class="abbrev">RFC2537</abbr>] 
-                
-                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.11"></a><p>[<abbr class="abbrev">RFC2538</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
-                <span class="citetitle"><em class="citetitle">Storing Certificates in the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.12"></a><p>[<abbr class="abbrev">RFC2539</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.13"></a><p>[<abbr class="abbrev">RFC2540</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">Detached Domain Name System (DNS) Information</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.14"></a><p>[<abbr class="abbrev">RFC2782</abbr>] 
-                
-                <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span>
-                <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span>
-                <span class="citetitle"><em class="citetitle">A DNS RR for specifying the location of services (DNS SRV)</em>. </span>
-                <span class="pubdate">February 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.15"></a><p>[<abbr class="abbrev">RFC2915</abbr>] 
-                
-                <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span>
-                <span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span>
-                <span class="citetitle"><em class="citetitle">The Naming Authority Pointer (NAPTR) DNS Resource Record</em>. </span>
-                <span class="pubdate">September 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.16"></a><p>[<abbr class="abbrev">RFC3110</abbr>] 
-                
-                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</em>. </span>
-                <span class="pubdate">May 2001. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.17"></a><p>[<abbr class="abbrev">RFC3123</abbr>] 
-                
-                <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span>
-                <span class="citetitle"><em class="citetitle">A DNS RR Type for Lists of Address Prefixes (APL RR)</em>. </span>
-                <span class="pubdate">June 2001. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.18"></a><p>[<abbr class="abbrev">RFC3596</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span>
-                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Extensions to support IP
-                  version 6</em>. </span>
-                <span class="pubdate">October 2003. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.5.19"></a><p>[<abbr class="abbrev">RFC3597</abbr>] 
-                
-                <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span>
-                <span class="citetitle"><em class="citetitle">Handling of Unknown DNS Resource Record (RR) Types</em>. </span>
-                <span class="pubdate">September 2003. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.6.2"></a><p>[<abbr class="abbrev">RFC1101</abbr>] 
-                
-                <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span>
-                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Encoding of Network Names
-                  and Other Types</em>. </span>
-                <span class="pubdate">April 1989. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.6.3"></a><p>[<abbr class="abbrev">RFC1123</abbr>] 
-                
-                <span class="author"><span class="surname">Braden</span>. </span>
-                <span class="citetitle"><em class="citetitle">Requirements for Internet Hosts - Application and
-                  Support</em>. </span>
-                <span class="pubdate">October 1989. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.6.4"></a><p>[<abbr class="abbrev">RFC1591</abbr>] 
-                
-                <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System Structure and Delegation</em>. </span>
-                <span class="pubdate">March 1994. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.6.5"></a><p>[<abbr class="abbrev">RFC2317</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="citetitle"><em class="citetitle">Classless IN-ADDR.ARPA Delegation</em>. </span>
-                <span class="pubdate">March 1998. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.6.6"></a><p>[<abbr class="abbrev">RFC2826</abbr>] 
-                
-                <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span>
-                <span class="citetitle"><em class="citetitle">IAB Technical Comment on the Unique DNS Root</em>. </span>
-                <span class="pubdate">May 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.6.7"></a><p>[<abbr class="abbrev">RFC2929</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System (DNS) IANA Considerations</em>. </span>
-                <span class="pubdate">September 2000. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.7.2"></a><p>[<abbr class="abbrev">RFC1033</abbr>] 
-                
-                <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain administrators operations guide</em>. </span>
-                <span class="pubdate">November 1987. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.7.3"></a><p>[<abbr class="abbrev">RFC1537</abbr>] 
-                
-                <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span>
-                <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Data File
-                  Configuration Errors</em>. </span>
-                <span class="pubdate">October 1993. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.7.4"></a><p>[<abbr class="abbrev">RFC1912</abbr>] 
-                
-                <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span>
-                <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Operational and
-                  Configuration Errors</em>. </span>
-                <span class="pubdate">February 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.7.5"></a><p>[<abbr class="abbrev">RFC2010</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
-                <span class="citetitle"><em class="citetitle">Operational Criteria for Root Name Servers</em>. </span>
-                <span class="pubdate">October 1996. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.7.6"></a><p>[<abbr class="abbrev">RFC2219</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span>
-                <span class="citetitle"><em class="citetitle">Use of <acronym class="acronym">DNS</acronym> Aliases for
-                  Network Services</em>. </span>
-                <span class="pubdate">October 1997. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.8.2"></a><p>[<abbr class="abbrev">RFC2825</abbr>] 
-                
-                <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Tangled Web: Issues of I18N, Domain Names,
-                       and the Other Internet protocols</em>. </span>
-                <span class="pubdate">May 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.8.3"></a><p>[<abbr class="abbrev">RFC3490</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span>
-                <span class="citetitle"><em class="citetitle">Internationalizing Domain Names in Applications (IDNA)</em>. </span>
-                <span class="pubdate">March 2003. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.8.4"></a><p>[<abbr class="abbrev">RFC3491</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span>
-                <span class="citetitle"><em class="citetitle">Nameprep: A Stringprep Profile for Internationalized Domain Names</em>. </span>
-                <span class="pubdate">March 2003. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.8.5"></a><p>[<abbr class="abbrev">RFC3492</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span>
-                <span class="citetitle"><em class="citetitle">Punycode: A Bootstring encoding of Unicode
-                       for Internationalized Domain Names in
-                       Applications (IDNA)</em>. </span>
-                <span class="pubdate">March 2003. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                <p>
-                  Note: the following list of RFCs, although
-                  <acronym class="acronym">DNS</acronym>-related, are not
-                  concerned with implementing software.
-                </p>
-              </div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.9.3"></a><p>[<abbr class="abbrev">RFC1464</abbr>] 
-                
-                <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span>
-                <span class="citetitle"><em class="citetitle">Using the Domain Name System To Store Arbitrary String
-                  Attributes</em>. </span>
-                <span class="pubdate">May 1993. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.9.4"></a><p>[<abbr class="abbrev">RFC1713</abbr>] 
-                
-                <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span>
-                <span class="citetitle"><em class="citetitle">Tools for <acronym class="acronym">DNS</acronym> Debugging</em>. </span>
-                <span class="pubdate">November 1994. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.9.5"></a><p>[<abbr class="abbrev">RFC1794</abbr>] 
-                
-                <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span>
-                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Support for Load
-                  Balancing</em>. </span>
-                <span class="pubdate">April 1995. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.9.6"></a><p>[<abbr class="abbrev">RFC2240</abbr>] 
-                
-                <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Legal Basis for Domain Name Allocation</em>. </span>
-                <span class="pubdate">November 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.9.7"></a><p>[<abbr class="abbrev">RFC2345</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Names and Company Name Retrieval</em>. </span>
-                <span class="pubdate">May 1998. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.9.8"></a><p>[<abbr class="abbrev">RFC2352</abbr>] 
-                
-                <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span>
-                <span class="citetitle"><em class="citetitle">A Convention For Using Legal Names as Domain Names</em>. </span>
-                <span class="pubdate">May 1998. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.9.9"></a><p>[<abbr class="abbrev">RFC3071</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span>
-                <span class="citetitle"><em class="citetitle">Reflections on the DNS, RFC 1591, and Categories of Domains</em>. </span>
-                <span class="pubdate">February 2001. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.9.10"></a><p>[<abbr class="abbrev">RFC3258</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span>
-                <span class="citetitle"><em class="citetitle">Distributing Authoritative Name Servers via
-                       Shared Unicast Addresses</em>. </span>
-                <span class="pubdate">April 2002. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.9.11"></a><p>[<abbr class="abbrev">RFC3901</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS IPv6 Transport Operational Guidelines</em>. </span>
-                <span class="pubdate">September 2004. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.10.2"></a><p>[<abbr class="abbrev">RFC1712</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span>
-                <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Encoding of Geographical
-                  Location</em>. </span>
-                <span class="pubdate">November 1994. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.10.3"></a><p>[<abbr class="abbrev">RFC2673</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span>
-                <span class="citetitle"><em class="citetitle">Binary Labels in the Domain Name System</em>. </span>
-                <span class="pubdate">August 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.10.4"></a><p>[<abbr class="abbrev">RFC2874</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS Extensions to Support IPv6 Address Aggregation
-                       and Renumbering</em>. </span>
-                <span class="pubdate">July 2000. </span>
-              </p>
-</div>
-            </div>
-            <div class="bibliodiv">
-
-              <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                <p>
-                  Most of these have been consolidated into RFC4033,
-                  RFC4034 and RFC4035 which collectively describe DNSSECbis.
-                </p>
-              </div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.3"></a><p>[<abbr class="abbrev">RFC2065</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System Security Extensions</em>. </span>
-                <span class="pubdate">January 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.4"></a><p>[<abbr class="abbrev">RFC2137</abbr>] 
-                
-                <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">Secure Domain Name System Dynamic Update</em>. </span>
-                <span class="pubdate">April 1997. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.5"></a><p>[<abbr class="abbrev">RFC2535</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System Security Extensions</em>. </span>
-                <span class="pubdate">March 1999. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.6"></a><p>[<abbr class="abbrev">RFC3008</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System Security (DNSSEC)
-                       Signing Authority</em>. </span>
-                <span class="pubdate">November 2000. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.7"></a><p>[<abbr class="abbrev">RFC3090</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS Security Extension Clarification on Zone Status</em>. </span>
-                <span class="pubdate">March 2001. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.8"></a><p>[<abbr class="abbrev">RFC3445</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
-                <span class="citetitle"><em class="citetitle">Limiting the Scope of the KEY Resource Record (RR)</em>. </span>
-                <span class="pubdate">December 2002. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.9"></a><p>[<abbr class="abbrev">RFC3655</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
-                <span class="citetitle"><em class="citetitle">Redefinition of DNS Authenticated Data (AD) bit</em>. </span>
-                <span class="pubdate">November 2003. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.10"></a><p>[<abbr class="abbrev">RFC3658</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
-                <span class="citetitle"><em class="citetitle">Delegation Signer (DS) Resource Record (RR)</em>. </span>
-                <span class="pubdate">December 2003. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.11"></a><p>[<abbr class="abbrev">RFC3755</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span>
-                <span class="citetitle"><em class="citetitle">Legacy Resolver Compatibility for Delegation Signer (DS)</em>. </span>
-                <span class="pubdate">May 2004. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.12"></a><p>[<abbr class="abbrev">RFC3757</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span>
-                <span class="citetitle"><em class="citetitle">Domain Name System KEY (DNSKEY) Resource Record
-                      (RR) Secure Entry Point (SEP) Flag</em>. </span>
-                <span class="pubdate">April 2004. </span>
-              </p>
-</div>
-              <div class="biblioentry">
-<a name="id-1.11.3.2.6.11.13"></a><p>[<abbr class="abbrev">RFC3845</abbr>] 
-                
-                <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span>
-                <span class="citetitle"><em class="citetitle">DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</em>. </span>
-                <span class="pubdate">August 2004. </span>
-              </p>
-</div>
-            </div>
-          </div>
-        </div>
-        <div class="section">
+<a name="id-1.12.2.5"></a>Installation</h3></div></div></div>
+    
+    <pre class="screen">
+$ <strong class="userinput"><code>make install</code></strong>
+    </pre>
+    <p>
+      Normal installation of BIND will also install library object
+      and header files.  Root privilege is normally required.
+    </p>
+    <p>
+      To see how to build your own application after the installation, see
+      <code class="filename">lib/samples/Makefile-postinstall.in</code>.
+    </p>
+  </div>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.12.2.6"></a>Known Defects/Restrictions</h3></div></div></div>
+    
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+        <p>
+       The "fixed" RRset order is not (currently) supported in the export
+       library. If you want to use "fixed" RRset order for, e.g.
+       <span class="command"><strong>named</strong></span> while still building the export library
+       even without the fixed order support, build them separately:
+      </p>
+<pre class="screen">
+$ <strong class="userinput"><code>./configure --enable-fixed-rrset <em class="replaceable"><code>[other flags, but not --enable-exportlib]</code></em></code></strong>
+$ <strong class="userinput"><code>make</code></strong>
+$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags, but not --enable-fixed-rrset]</code></em></code></strong>
+$ <strong class="userinput"><code>cd lib/export</code></strong>
+$ <strong class="userinput"><code>make</code></strong>
+</pre>
+<p>
+      </p>
+      </li>
+<li class="listitem">
+        <p>
+       RFC 5011 is not supported in the validating stub resolver of the
+       export library. In fact, it is not clear whether it should: trust
+       anchors would be a system-wide configuration which would be managed
+       by an administrator, while the stub resolver will be used by
+       ordinary applications run by a normal user.
+      </p>
+      </li>
+<li class="listitem">
+        <p>
+       Not all common <code class="filename">/etc/resolv.conf</code> options are
+       supported in the IRS library. The only available options in this
+       version are <span class="command"><strong>debug</strong></span> and <span class="command"><strong>ndots</strong></span>.
+      </p>
+      </li>
+</ul></div>
+  </div>
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="internet_drafts"></a>Internet Drafts</h3></div></div></div>
-
-          <p>
-            Internet Drafts (IDs) are rough-draft working documents of
-            the Internet Engineering Task Force. They are, in essence, RFCs
-            in the preliminary stages of development. Implementors are
-            cautioned not
-            to regard IDs as archival, and they should not be quoted or cited
-            in any formal documents unless accompanied by the disclaimer that
-            they are "works in progress." IDs have a lifespan of six months
-            after which they are deleted unless updated by their authors.
-          </p>
-        </div>
-        <div class="section">
+<a name="id-1.12.2.7"></a>The dns.conf File</h3></div></div></div>
+    
+    <p>
+      The IRS library supports an "advanced" configuration file related to
+      the DNS library for configuration parameters that would be beyond the
+      capability of the <code class="filename">resolv.conf</code> file.
+      Specifically, it is intended to provide DNSSEC related configuration
+      parameters. By default the path to this configuration file is
+      <code class="filename">/etc/dns.conf</code>.  This module is very experimental
+      and the configuration syntax or library interfaces may change in
+      future versions. Currently, only the <span class="command"><strong>trusted-keys</strong></span>
+      statement is supported, whose syntax is the same as the same
+      statement in <code class="filename">named.conf</code>. (See
+      <a class="xref" href="Bv9ARM.ch05.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span class="command"><strong>trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)
+    </p>
+  </div>
+  <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="more_about_bind"></a>Other Documents About <acronym class="acronym">BIND</acronym>
-</h3></div></div></div>
-
-          <p></p>
-          <div class="bibliography">
+<a name="id-1.12.2.8"></a>Sample Applications</h3></div></div></div>
+    
+    <p>
+      Some sample application programs using this API are provided for
+      reference. The following is a brief description of these
+      applications.
+    </p>
+    <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.11.3.4.3"></a>Bibliography</h4></div></div></div>
-            <div class="biblioentry">
-<a name="id-1.11.3.4.3.1"></a><p>
-              <span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span>
-              <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></em>. </span>
-              <span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span>
+<a name="id-1.12.2.8.3"></a>sample: a simple stub resolver utility</h4></div></div></div>
+      
+      <p>
+       Sends a query of a given name (of a given optional RR type) to a
+       specified recursive server and prints the result as a list of RRs.
+       It can also act as a validating stub resolver if a trust anchor is
+       given via a set of command line options.
+      </p>
+      <p>
+       Usage: sample [options] server_address hostname
+      </p>
+      <p>
+       Options and Arguments:
+      </p>
+      <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-t RRtype</span></dt>
+<dd>
+            <p>
+             specify the RR type of the query.  The default is the A RR.
+           </p>
+          </dd>
+<dt><span class="term">[-a algorithm] [-e] -k keyname -K keystring</span></dt>
+<dd>
+            <p>
+             specify a command-line DNS key to validate the answer.  For
+             example, to specify the following DNSKEY of example.com:
+             </p>
+<div class="literallayout"><p><br>
+                     example.com. 3600 IN DNSKEY 257 3 5 xxx<br>
+             </p></div>
+<p>
+             specify the options as follows:
+             </p>
+<pre class="screen">
+<strong class="userinput"><code>-e -k example.com -K "xxx"</code></strong>
+             </pre>
+<p>
+             -e means that this key is a zone's "key signing key" (also known
+             as "secure entry point").
+             When -a is omitted rsasha1 will be used by default.
+           </p>
+          </dd>
+<dt><span class="term">-s domain:alt_server_address</span></dt>
+<dd>
+            <p>
+              specify a separate recursive server address for the specific
+              "domain".  Example: -s example.com:2001:db8::1234
+           </p>
+          </dd>
+<dt><span class="term">server_address</span></dt>
+<dd>
+            <p>
+             an IP(v4/v6) address of the recursive server to which queries
+             are sent.
+           </p>
+          </dd>
+<dt><span class="term">hostname</span></dt>
+<dd>
+            <p>
+             the domain name for the query
+       </p>
+          </dd>
+</dl></div>
+    </div>
+    <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.12.2.8.4"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
+      
+      <p>
+      Similar to "sample", but accepts a list
+      of (query) domain names as a separate file and resolves the names
+      asynchronously.</p>
+      <p>
+       Usage: sample-async [-s server_address] [-t RR_type] input_file</p>
+      <p>
+     Options and Arguments:
+      </p>
+      <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-s server_address</span></dt>
+<dd>
+       an IPv4 address of the recursive server to which queries are sent.
+      (IPv6 addresses are not supported in this implementation)
+      </dd>
+<dt><span class="term">-t RR_type</span></dt>
+<dd>
+      specify the RR type of the queries. The default is the A
+      RR.
+      </dd>
+<dt><span class="term">input_file</span></dt>
+<dd>
+           a list of domain names to be resolved. each line consists of a
+           single domain name. Example:
+      <div class="literallayout"><p><br>
+      www.example.com<br>
+      mx.example.net<br>
+      ns.xxx.example<br>
+      </p></div>
+         </dd>
+</dl></div>
+    </div>
+    <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.12.2.8.5"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
+      
+      <p>
+       Sends a query to a specified server, and prints the response with
+       minimal processing. It doesn't act as a "stub resolver": it stops
+       the processing once it gets any response from the server, whether
+       it's a referral or an alias (CNAME or DNAME) that would require
+       further queries to get the ultimate answer. In other words, this
+       utility acts as a very simplified <span class="command"><strong>dig</strong></span>.
+      </p>
+      <p>
+       Usage: sample-request [-t RRtype] server_address hostname
+      </p>
+      <p>
+       Options and Arguments:
+      </p>
+      <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-t RRtype</span></dt>
+<dd>
+           <p>
+             specify the RR type of the queries. The default is the A RR.
             </p>
-</div>
-          </div>
-        </div>
+          </dd>
+<dt><span class="term">server_address</span></dt>
+<dd>
+           <p>
+             an IP(v4/v6) address of the recursive server to which
+             the query is sent.
+           </p>
+          </dd>
+<dt><span class="term">hostname</span></dt>
+<dd>
+           <p>
+             the domain name for the query
+           </p>
+          </dd>
+</dl></div>
+    </div>
+    <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.12.2.8.6"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
+      
+      <p>
+       This is a test program to check <span class="command"><strong>getaddrinfo()</strong></span> and
+       <span class="command"><strong>getnameinfo()</strong></span> behavior. It takes a host name as an
+       argument, calls <span class="command"><strong>getaddrinfo()</strong></span> with the given host
+       name, and calls <span class="command"><strong>getnameinfo()</strong></span> with the resulting
+       IP addresses returned by <span class="command"><strong>getaddrinfo()</strong></span>. If the
+       dns.conf file exists and defines a trust anchor, the underlying
+       resolver will act as a validating resolver, and
+       <span class="command"><strong>getaddrinfo()</strong></span>/<span class="command"><strong>getnameinfo()</strong></span>
+       will fail with an EAI_INSECUREDATA error when DNSSEC validation
+       fails.
+      </p>
+      <p>
+       Usage: sample-gai hostname
+      </p>
+    </div>
+    <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.12.2.8.7"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
+      
+      <p>
+       Accepts a single update command as a command-line argument, sends
+       an update request message to the authoritative server, and shows
+       the response from the server. In other words, this is a simplified
+       <span class="command"><strong>nsupdate</strong></span>.
+      </p>
+      <p>
+       Usage: sample-update [options] (add|delete) "update data"
+      </p>
+      <p>
+       Options and Arguments:
+      </p>
+      <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-a auth_server</span></dt>
+<dd>
+           <p>
+             An IP address of the authoritative server that has authority
+             for the zone containing the update name.  This should
+             normally be the primary authoritative server that accepts
+             dynamic updates.  It can also be a secondary server that is
+             configured to forward update requests to the primary server.
+           </p>
+          </dd>
+<dt><span class="term">-k keyfile</span></dt>
+<dd>
+           <p>
+             A TSIG key file to secure the update transaction.  The
+             keyfile format is the same as that for the nsupdate utility.
+           </p>
+          </dd>
+<dt><span class="term">-p prerequisite</span></dt>
+<dd>
+           <p>
+             A prerequisite for the update (only one prerequisite can be
+             specified).  The prerequisite format is the same as that is
+             accepted by the nsupdate utility.
+           </p>
+          </dd>
+<dt><span class="term">-r recursive_server</span></dt>
+<dd>
+           <p>
+             An IP address of a recursive server that this utility will
+             use.  A recursive server may be necessary to identify the
+             authoritative server address to which the update request is
+             sent.
+           </p>
+          </dd>
+<dt><span class="term">-z zonename</span></dt>
+<dd>
+           <p>
+             The domain name of the zone that contains
+           </p>
+          </dd>
+<dt><span class="term">(add|delete)</span></dt>
+<dd>
+           <p>
+             Specify the type of update operation.  Either "add" or
+             "delete" must be specified.
+           </p>
+          </dd>
+<dt><span class="term">"update data"</span></dt>
+<dd>
+           <p>
+             Specify the data to be updated.  A typical example of the
+             data would look like "name TTL RRtype RDATA".
+           </p>
+          </dd>
+</dl></div>
+      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+       <p>
+         In practice, either -a or -r must be specified.  Others can be
+         optional; the underlying library routine tries to identify the
+         appropriate server and the zone name for the update.
+       </p>
       </div>
+      <p>
+       Examples: assuming the primary authoritative server of the
+       dynamic.example.com zone has an IPv6 address 2001:db8::1234,
+      </p>
+      <pre class="screen">
+$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre>
+      <p>
+       adds an A RR for foo.dynamic.example.com using the given key.
+      </p>
+      <pre class="screen">
+$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre>
+      <p>
+       removes all A RRs for foo.dynamic.example.com using the given key.
+      </p>
+      <pre class="screen">
+$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
+      <p>
+       removes all RRs for foo.dynamic.example.com using the given key.
+      </p>
+    </div>
+    <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id-1.12.2.8.8"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
+      
+      <p>
+       Checks a set of domains to see the name servers of the domains
+       behave correctly in terms of RFC 4074. This is included in the set
+       of sample programs to show how the export library can be used in a
+       DNS-related application.
+      </p>
+      <p>
+       Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
+      </p>
+      <p>
+       Options
+      </p>
+      <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-d</span></dt>
+<dd>
+           <p>
+             Run in "debug" mode.  With this option nsprobe will dump
+             every RRs it receives.
+           </p>
+          </dd>
+<dt><span class="term">-v</span></dt>
+<dd>
+           <p>
+             Increase verbosity of other normal log messages.  This can be
+             specified multiple times.
+           </p>
+          </dd>
+<dt><span class="term">-c cache_address</span></dt>
+<dd>
+           <p>
+             Specify an IP address of a recursive (caching) name server.
+             nsprobe uses this server to get the NS RRset of each domain
+             and the A and/or AAAA RRsets for the name servers.  The
+             default value is 127.0.0.1.
+           </p>
+          </dd>
+<dt><span class="term">input_file</span></dt>
+<dd>
+           <p>
+             A file name containing a list of domain (zone) names to be
+             probed.  when omitted the standard input will be used.  Each
+             line of the input file specifies a single domain name such as
+             "example.com".  In general this domain name must be the apex
+             name of some DNS zone (unlike normal "host names" such as
+             "www.example.com").  nsprobe first identifies the NS RRsets
+             for the given domain name, and sends A and AAAA queries to
+             these servers for some "widely used" names under the zone;
+             specifically, adding "www" and "ftp" to the zone name.
+           </p>
+          </dd>
+</dl></div>
+    </div>
+  </div>
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.12.2.9"></a>Library References</h3></div></div></div>
+    
+    <p>
+      As of this writing, there is no formal "manual" for the libraries,
+      except this document, header files (some of which provide pretty
+      detailed explanations), and sample application programs.
+    </p>
+  </div>
+</div>
     </div>
 <div class="navfooter">
 <hr>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> </td>
+<td width="40%" align="left" valign="top">Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix D. BIND 9 DNS Library Support</td>
+<td width="40%" align="right" valign="top"> Manual pages</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 1021b86bd8c025c17e5fb5dca18b7dab1dc9dff9..8be57a5289b8fa32e7fda6224eadd687c00cced8 100644 (file)
 <html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix D. BIND 9 DNS Library Support</title>
+<title>Manual pages</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information">
-<link rel="next" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="prev" href="Bv9ARM.ch11.html" title="Appendix D. BIND 9 DNS Library Support">
+<link rel="next" href="man.arpaname.html" title="arpaname">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix D. BIND 9 DNS Library Support</th></tr>
+<tr><th colspan="3" align="center">Manual pages</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch11.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch13.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
-<div class="appendix">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch12"></a>BIND 9 DNS Library Support</h1></div></div></div>
+<div class="reference">
+<div class="titlepage">
+<div><div><h1 class="title">
+<a name="Bv9ARM.ch12"></a>Manual pages</h1></div></div>
+<hr>
+</div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.12.2.5">Installation</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.12.2.6">Known Defects/Restrictions</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.12.2.7">The dns.conf File</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.12.2.8">Sample Applications</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.12.2.9">Library References</a></span></dt>
-</dl></dd>
+<dt>
+<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.delv.html">delv</a></span><span class="refpurpose"> &#8212; DNS lookup and validation utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-cds.html"><span class="application">dnssec-cds</span></a></span><span class="refpurpose"> &#8212; change DS records for a child zone based on CDS/CDNSKEY</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> &#8212; DNSSEC delegation consistency checking tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-coverage.html"><span class="application">dnssec-coverage</span></a></span><span class="refpurpose"> &#8212; checks future DNSKEY coverage for a zone</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> &#8212; DNSSEC DS RR generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-importkey.html"><span class="application">dnssec-importkey</span></a></span><span class="refpurpose"> &#8212; import DNSKEY records from external systems so they can be managed</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keymgr.html"><span class="application">dnssec-keymgr</span></a></span><span class="refpurpose"> &#8212; Ensures correct DNSKEY coverage for a zone based on a defined policy</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> &#8212; set the REVOKED bit on a DNSSEC key</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> &#8212; set the key timing metadata for a DNSSEC key</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone verification tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnstap-read.html"><span class="application">dnstap-read</span></a></span><span class="refpurpose"> &#8212; print dnstap data in human-readable form</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> &#8212; DNS pipelined lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-nzd2nzf.html"><span class="application">named-nzd2nzf</span></a></span><span class="refpurpose"> &#8212; 
+      Convert an NZD database to NZF text format
+    </span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-rrchecker.html"><span class="application">named-rrchecker</span></a></span><span class="refpurpose"> &#8212; syntax checker for individual DNS resource records</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> &#8212; configuration file for <span class="command"><strong>named</strong></span></span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.nslookup.html">nslookup</a></span><span class="refpurpose"> &#8212; query Internet name servers interactively</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.pkcs11-destroy.html"><span class="application">pkcs11-destroy</span></a></span><span class="refpurpose"> &#8212; destroy PKCS#11 objects</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.pkcs11-keygen.html"><span class="application">pkcs11-keygen</span></a></span><span class="refpurpose"> &#8212; generate keys on a PKCS#11 device</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.pkcs11-list.html"><span class="application">pkcs11-list</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 objects</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.pkcs11-tokens.html"><span class="application">pkcs11-tokens</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 available tokens</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
+</dt>
 </dl>
 </div>
-      <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div>
-  
-  <p>
-    This version of BIND 9 "exports" its internal libraries so
-    that they can be used by third-party applications more easily (we
-    call them "export" libraries in this document). Certain library
-    functions are altered from specific BIND-only behavior to more generic
-    behavior when used by other applications; to enable this generic behavior,
-    the calling program initializes the libraries by calling
-    <span class="command"><strong>isc_lib_register()</strong></span>.
-  </p>
-  <p>
-    In addition to DNS-related APIs that are used within BIND 9, the
-    libraries provide the following features:
-  </p>
-  <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-      <p>
-       The "DNS client" module. This is a higher level API that
-       provides an interface to name resolution, single DNS transaction
-       with a particular server, and dynamic update. Regarding name
-       resolution, it supports advanced features such as DNSSEC validation
-       and caching. This module supports both synchronous and asynchronous
-       mode.
-      </p>
-    </li>
-<li class="listitem">
-      <p>
-       The "IRS" (Information Retrieval System) library.  It provides an
-       interface to parse the traditional <code class="filename">resolv.conf</code>
-       file and more advanced, DNS-specific configuration file for the
-       rest of this package (see the description for the
-       <code class="filename">dns.conf</code> file below).
-      </p>
-    </li>
-<li class="listitem">
-      <p>
-       As part of the IRS library, the standard address-name
-       mapping functions, <span class="command"><strong>getaddrinfo()</strong></span> and
-       <span class="command"><strong>getnameinfo()</strong></span>, are provided. They use the
-       DNSSEC-aware validating resolver backend, and could use other
-       advanced features of the BIND 9 libraries such as caching. The
-       <span class="command"><strong>getaddrinfo()</strong></span> function resolves both A
-       and AAAA RRs concurrently when the address family is
-       unspecified.
-      </p>
-    </li>
-<li class="listitem">
-      <p>
-       An experimental framework to support other event
-       libraries than BIND 9's internal event task system.
-      </p>
-    </li>
-</ul></div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.12.2.5"></a>Installation</h3></div></div></div>
-    
-    <pre class="screen">
-$ <strong class="userinput"><code>make install</code></strong>
-    </pre>
-    <p>
-      Normal installation of BIND will also install library object
-      and header files.  Root privilege is normally required.
-    </p>
-    <p>
-      To see how to build your own application after the installation, see
-      <code class="filename">lib/samples/Makefile-postinstall.in</code>.
-    </p>
-  </div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.12.2.6"></a>Known Defects/Restrictions</h3></div></div></div>
-    
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-       The "fixed" RRset order is not (currently) supported in the export
-       library. If you want to use "fixed" RRset order for, e.g.
-       <span class="command"><strong>named</strong></span> while still building the export library
-       even without the fixed order support, build them separately:
-      </p>
-<pre class="screen">
-$ <strong class="userinput"><code>./configure --enable-fixed-rrset <em class="replaceable"><code>[other flags, but not --enable-exportlib]</code></em></code></strong>
-$ <strong class="userinput"><code>make</code></strong>
-$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags, but not --enable-fixed-rrset]</code></em></code></strong>
-$ <strong class="userinput"><code>cd lib/export</code></strong>
-$ <strong class="userinput"><code>make</code></strong>
-</pre>
-<p>
-      </p>
-      </li>
-<li class="listitem">
-        <p>
-       RFC 5011 is not supported in the validating stub resolver of the
-       export library. In fact, it is not clear whether it should: trust
-       anchors would be a system-wide configuration which would be managed
-       by an administrator, while the stub resolver will be used by
-       ordinary applications run by a normal user.
-      </p>
-      </li>
-<li class="listitem">
-        <p>
-       Not all common <code class="filename">/etc/resolv.conf</code> options are
-       supported in the IRS library. The only available options in this
-       version are <span class="command"><strong>debug</strong></span> and <span class="command"><strong>ndots</strong></span>.
-      </p>
-      </li>
-</ul></div>
-  </div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.12.2.7"></a>The dns.conf File</h3></div></div></div>
-    
-    <p>
-      The IRS library supports an "advanced" configuration file related to
-      the DNS library for configuration parameters that would be beyond the
-      capability of the <code class="filename">resolv.conf</code> file.
-      Specifically, it is intended to provide DNSSEC related configuration
-      parameters. By default the path to this configuration file is
-      <code class="filename">/etc/dns.conf</code>.  This module is very experimental
-      and the configuration syntax or library interfaces may change in
-      future versions. Currently, only the <span class="command"><strong>trusted-keys</strong></span>
-      statement is supported, whose syntax is the same as the same
-      statement in <code class="filename">named.conf</code>. (See
-      <a class="xref" href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span class="command"><strong>trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)
-    </p>
-  </div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.12.2.8"></a>Sample Applications</h3></div></div></div>
-    
-    <p>
-      Some sample application programs using this API are provided for
-      reference. The following is a brief description of these
-      applications.
-    </p>
-    <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.12.2.8.3"></a>sample: a simple stub resolver utility</h4></div></div></div>
-      
-      <p>
-       Sends a query of a given name (of a given optional RR type) to a
-       specified recursive server and prints the result as a list of RRs.
-       It can also act as a validating stub resolver if a trust anchor is
-       given via a set of command line options.
-      </p>
-      <p>
-       Usage: sample [options] server_address hostname
-      </p>
-      <p>
-       Options and Arguments:
-      </p>
-      <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-t RRtype</span></dt>
-<dd>
-            <p>
-             specify the RR type of the query.  The default is the A RR.
-           </p>
-          </dd>
-<dt><span class="term">[-a algorithm] [-e] -k keyname -K keystring</span></dt>
-<dd>
-            <p>
-             specify a command-line DNS key to validate the answer.  For
-             example, to specify the following DNSKEY of example.com:
-             </p>
-<div class="literallayout"><p><br>
-                     example.com. 3600 IN DNSKEY 257 3 5 xxx<br>
-             </p></div>
-<p>
-             specify the options as follows:
-             </p>
-<pre class="screen">
-<strong class="userinput"><code>-e -k example.com -K "xxx"</code></strong>
-             </pre>
-<p>
-             -e means that this key is a zone's "key signing key" (also known
-             as "secure entry point").
-             When -a is omitted rsasha1 will be used by default.
-           </p>
-          </dd>
-<dt><span class="term">-s domain:alt_server_address</span></dt>
-<dd>
-            <p>
-              specify a separate recursive server address for the specific
-              "domain".  Example: -s example.com:2001:db8::1234
-           </p>
-          </dd>
-<dt><span class="term">server_address</span></dt>
-<dd>
-            <p>
-             an IP(v4/v6) address of the recursive server to which queries
-             are sent.
-           </p>
-          </dd>
-<dt><span class="term">hostname</span></dt>
-<dd>
-            <p>
-             the domain name for the query
-       </p>
-          </dd>
-</dl></div>
-    </div>
-    <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.12.2.8.4"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
-      
-      <p>
-      Similar to "sample", but accepts a list
-      of (query) domain names as a separate file and resolves the names
-      asynchronously.</p>
-      <p>
-       Usage: sample-async [-s server_address] [-t RR_type] input_file</p>
-      <p>
-     Options and Arguments:
-      </p>
-      <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-s server_address</span></dt>
-<dd>
-       an IPv4 address of the recursive server to which queries are sent.
-      (IPv6 addresses are not supported in this implementation)
-      </dd>
-<dt><span class="term">-t RR_type</span></dt>
-<dd>
-      specify the RR type of the queries. The default is the A
-      RR.
-      </dd>
-<dt><span class="term">input_file</span></dt>
-<dd>
-           a list of domain names to be resolved. each line consists of a
-           single domain name. Example:
-      <div class="literallayout"><p><br>
-      www.example.com<br>
-      mx.example.net<br>
-      ns.xxx.example<br>
-      </p></div>
-         </dd>
-</dl></div>
-    </div>
-    <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.12.2.8.5"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
-      
-      <p>
-       Sends a query to a specified server, and prints the response with
-       minimal processing. It doesn't act as a "stub resolver": it stops
-       the processing once it gets any response from the server, whether
-       it's a referral or an alias (CNAME or DNAME) that would require
-       further queries to get the ultimate answer. In other words, this
-       utility acts as a very simplified <span class="command"><strong>dig</strong></span>.
-      </p>
-      <p>
-       Usage: sample-request [-t RRtype] server_address hostname
-      </p>
-      <p>
-       Options and Arguments:
-      </p>
-      <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-t RRtype</span></dt>
-<dd>
-           <p>
-             specify the RR type of the queries. The default is the A RR.
-            </p>
-          </dd>
-<dt><span class="term">server_address</span></dt>
-<dd>
-           <p>
-             an IP(v4/v6) address of the recursive server to which
-             the query is sent.
-           </p>
-          </dd>
-<dt><span class="term">hostname</span></dt>
-<dd>
-           <p>
-             the domain name for the query
-           </p>
-          </dd>
-</dl></div>
-    </div>
-    <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.12.2.8.6"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
-      
-      <p>
-       This is a test program to check <span class="command"><strong>getaddrinfo()</strong></span> and
-       <span class="command"><strong>getnameinfo()</strong></span> behavior. It takes a host name as an
-       argument, calls <span class="command"><strong>getaddrinfo()</strong></span> with the given host
-       name, and calls <span class="command"><strong>getnameinfo()</strong></span> with the resulting
-       IP addresses returned by <span class="command"><strong>getaddrinfo()</strong></span>. If the
-       dns.conf file exists and defines a trust anchor, the underlying
-       resolver will act as a validating resolver, and
-       <span class="command"><strong>getaddrinfo()</strong></span>/<span class="command"><strong>getnameinfo()</strong></span>
-       will fail with an EAI_INSECUREDATA error when DNSSEC validation
-       fails.
-      </p>
-      <p>
-       Usage: sample-gai hostname
-      </p>
-    </div>
-    <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.12.2.8.7"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
-      
-      <p>
-       Accepts a single update command as a command-line argument, sends
-       an update request message to the authoritative server, and shows
-       the response from the server. In other words, this is a simplified
-       <span class="command"><strong>nsupdate</strong></span>.
-      </p>
-      <p>
-       Usage: sample-update [options] (add|delete) "update data"
-      </p>
-      <p>
-       Options and Arguments:
-      </p>
-      <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a auth_server</span></dt>
-<dd>
-           <p>
-             An IP address of the authoritative server that has authority
-             for the zone containing the update name.  This should
-             normally be the primary authoritative server that accepts
-             dynamic updates.  It can also be a secondary server that is
-             configured to forward update requests to the primary server.
-           </p>
-          </dd>
-<dt><span class="term">-k keyfile</span></dt>
-<dd>
-           <p>
-             A TSIG key file to secure the update transaction.  The
-             keyfile format is the same as that for the nsupdate utility.
-           </p>
-          </dd>
-<dt><span class="term">-p prerequisite</span></dt>
-<dd>
-           <p>
-             A prerequisite for the update (only one prerequisite can be
-             specified).  The prerequisite format is the same as that is
-             accepted by the nsupdate utility.
-           </p>
-          </dd>
-<dt><span class="term">-r recursive_server</span></dt>
-<dd>
-           <p>
-             An IP address of a recursive server that this utility will
-             use.  A recursive server may be necessary to identify the
-             authoritative server address to which the update request is
-             sent.
-           </p>
-          </dd>
-<dt><span class="term">-z zonename</span></dt>
-<dd>
-           <p>
-             The domain name of the zone that contains
-           </p>
-          </dd>
-<dt><span class="term">(add|delete)</span></dt>
-<dd>
-           <p>
-             Specify the type of update operation.  Either "add" or
-             "delete" must be specified.
-           </p>
-          </dd>
-<dt><span class="term">"update data"</span></dt>
-<dd>
-           <p>
-             Specify the data to be updated.  A typical example of the
-             data would look like "name TTL RRtype RDATA".
-           </p>
-          </dd>
-</dl></div>
-      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-       <p>
-         In practice, either -a or -r must be specified.  Others can be
-         optional; the underlying library routine tries to identify the
-         appropriate server and the zone name for the update.
-       </p>
-      </div>
-      <p>
-       Examples: assuming the primary authoritative server of the
-       dynamic.example.com zone has an IPv6 address 2001:db8::1234,
-      </p>
-      <pre class="screen">
-$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre>
-      <p>
-       adds an A RR for foo.dynamic.example.com using the given key.
-      </p>
-      <pre class="screen">
-$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre>
-      <p>
-       removes all A RRs for foo.dynamic.example.com using the given key.
-      </p>
-      <pre class="screen">
-$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
-      <p>
-       removes all RRs for foo.dynamic.example.com using the given key.
-      </p>
-    </div>
-    <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.12.2.8.8"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
-      
-      <p>
-       Checks a set of domains to see the name servers of the domains
-       behave correctly in terms of RFC 4074. This is included in the set
-       of sample programs to show how the export library can be used in a
-       DNS-related application.
-      </p>
-      <p>
-       Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
-      </p>
-      <p>
-       Options
-      </p>
-      <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-d</span></dt>
-<dd>
-           <p>
-             Run in "debug" mode.  With this option nsprobe will dump
-             every RRs it receives.
-           </p>
-          </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
-           <p>
-             Increase verbosity of other normal log messages.  This can be
-             specified multiple times.
-           </p>
-          </dd>
-<dt><span class="term">-c cache_address</span></dt>
-<dd>
-           <p>
-             Specify an IP address of a recursive (caching) name server.
-             nsprobe uses this server to get the NS RRset of each domain
-             and the A and/or AAAA RRsets for the name servers.  The
-             default value is 127.0.0.1.
-           </p>
-          </dd>
-<dt><span class="term">input_file</span></dt>
-<dd>
-           <p>
-             A file name containing a list of domain (zone) names to be
-             probed.  when omitted the standard input will be used.  Each
-             line of the input file specifies a single domain name such as
-             "example.com".  In general this domain name must be the apex
-             name of some DNS zone (unlike normal "host names" such as
-             "www.example.com").  nsprobe first identifies the NS RRsets
-             for the given domain name, and sends A and AAAA queries to
-             these servers for some "widely used" names under the zone;
-             specifically, adding "www" and "ftp" to the zone name.
-           </p>
-          </dd>
-</dl></div>
-    </div>
-  </div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.12.2.9"></a>Library References</h3></div></div></div>
-    
-    <p>
-      As of this writing, there is no formal "manual" for the libraries,
-      except this document, header files (some of which provide pretty
-      detailed explanations), and sample application programs.
-    </p>
-  </div>
-</div>
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
+      
     </div>
 <div class="navfooter">
 <hr>
@@ -523,16 +199,17 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch11.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch13.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information </td>
+<td width="40%" align="left" valign="top">Appendix D. BIND 9 DNS Library Support </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Manual pages</td>
+<td width="40%" align="right" valign="top"> <span class="application">arpaname</span>
+</td>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch13.html b/doc/arm/Bv9ARM.ch13.html
deleted file mode 100644 (file)
index 9de097e..0000000
+++ /dev/null
@@ -1,215 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Manual pages</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch12.html" title="Appendix D. BIND 9 DNS Library Support">
-<link rel="next" href="man.arpaname.html" title="arpaname">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Manual pages</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch12.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="reference">
-<div class="titlepage">
-<div><div><h1 class="title">
-<a name="Bv9ARM.ch13"></a>Manual pages</h1></div></div>
-<hr>
-</div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt>
-<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.delv.html">delv</a></span><span class="refpurpose"> &#8212; DNS lookup and validation utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-cds.html"><span class="application">dnssec-cds</span></a></span><span class="refpurpose"> &#8212; change DS records for a child zone based on CDS/CDNSKEY</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> &#8212; DNSSEC delegation consistency checking tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-coverage.html"><span class="application">dnssec-coverage</span></a></span><span class="refpurpose"> &#8212; checks future DNSKEY coverage for a zone</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> &#8212; DNSSEC DS RR generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-importkey.html"><span class="application">dnssec-importkey</span></a></span><span class="refpurpose"> &#8212; import DNSKEY records from external systems so they can be managed</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keymgr.html"><span class="application">dnssec-keymgr</span></a></span><span class="refpurpose"> &#8212; Ensures correct DNSKEY coverage for a zone based on a defined policy</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> &#8212; set the REVOKED bit on a DNSSEC key</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> &#8212; set the key timing metadata for a DNSSEC key</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone verification tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnstap-read.html"><span class="application">dnstap-read</span></a></span><span class="refpurpose"> &#8212; print dnstap data in human-readable form</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> &#8212; DNS pipelined lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-nzd2nzf.html"><span class="application">named-nzd2nzf</span></a></span><span class="refpurpose"> &#8212; 
-      Convert an NZD database to NZF text format
-    </span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-rrchecker.html"><span class="application">named-rrchecker</span></a></span><span class="refpurpose"> &#8212; syntax checker for individual DNS resource records</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> &#8212; configuration file for <span class="command"><strong>named</strong></span></span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nslookup.html">nslookup</a></span><span class="refpurpose"> &#8212; query Internet name servers interactively</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-destroy.html"><span class="application">pkcs11-destroy</span></a></span><span class="refpurpose"> &#8212; destroy PKCS#11 objects</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-keygen.html"><span class="application">pkcs11-keygen</span></a></span><span class="refpurpose"> &#8212; generate keys on a PKCS#11 device</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-list.html"><span class="application">pkcs11-list</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 objects</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-tokens.html"><span class="application">pkcs11-tokens</span></a></span><span class="refpurpose"> &#8212; list PKCS#11 available tokens</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
-</dt>
-</dl>
-</div>
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-    </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch12.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Appendix D. BIND 9 DNS Library Support </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">arpaname</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
-</body>
-</html>
index 0def2a008230f0677b58fa322205b387e225b784..0cf4ba07d4df745afafe64bf787106df122a34b8 100644 (file)
@@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.13.0-dev</p></div>
+<div><p class="releaseinfo">BIND Version 9.12.1-dev</p></div>
 <div><p class="copyright">Copyright © 2000-2018 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
 <dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch06.html">5. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
+<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#comment_syntax">Comment Syntax</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#address_match_lists">Address Match Lists</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#comment_syntax">Comment Syntax</a></span></dt>
 </dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and
+<dt><span class="section"><a href="Bv9ARM.ch05.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and
+<dt><span class="section"><a href="Bv9ARM.ch05.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and
+<dt><span class="section"><a href="Bv9ARM.ch05.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and
+<dt><span class="section"><a href="Bv9ARM.ch05.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#options"><span class="command"><strong>options</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and
+<dt><span class="section"><a href="Bv9ARM.ch05.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and
             Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
+<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
             Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
+<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
+<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
             Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_file">Zone File</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_file">Zone File</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#mx_records">Discussion of MX Records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#mx_records">Discussion of MX Records</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#Setting_TTLs">Setting TTLs</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_directives">Other Zone File Directives</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics">BIND9 Statistics</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#statsfile">The Statistics File</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_counters">Statistics Counters</a></span></dt>
 </dl></dd>
 </dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch07.html">6. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
+<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#Access_Control_Lists">Access Control Lists</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
 </dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch08.html">7. Troubleshooting</a></span></dt>
+<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. Troubleshooting</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#common_problems">Common Problems</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.8.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.8.3">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#more_help">Where Can I Get Help?</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#common_problems">Common Problems</a></span></dt>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.3">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#more_help">Where Can I Get Help?</a></span></dt>
 </dl></dd>
-<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
+<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.9.2">Release Notes for BIND Version 9.13.0-dev</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.1-dev</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
 </dl></dd>
 </dl></dd>
-<dt><span class="appendix"><a href="Bv9ARM.ch10.html">B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt>
-<dt><span class="appendix"><a href="Bv9ARM.ch11.html">C. General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="appendix"><a href="Bv9ARM.ch09.html">B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="appendix"><a href="Bv9ARM.ch10.html">C. General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch10.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch10.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch10.html#rfcs">Request for Comments (RFCs)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch10.html#internet_drafts">Internet Drafts</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch10.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 </dl></dd>
-<dt><span class="appendix"><a href="Bv9ARM.ch12.html">D. BIND 9 DNS Library Support</a></span></dt>
+<dt><span class="appendix"><a href="Bv9ARM.ch11.html">D. BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.12.2.5">Installation</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.12.2.6">Known Defects/Restrictions</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.12.2.7">The dns.conf File</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.12.2.8">Sample Applications</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.12.2.9">Library References</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.2.5">Installation</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.2.6">Known Defects/Restrictions</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.2.7">The dns.conf File</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.2.8">Sample Applications</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#id-1.12.2.9">Library References</a></span></dt>
 </dl></dd>
 </dl></dd>
-<dt><span class="reference"><a href="Bv9ARM.ch13.html">I. Manual pages</a></span></dt>
+<dt><span class="reference"><a href="Bv9ARM.ch12.html">I. Manual pages</a></span></dt>
 <dd><dl>
 <dt>
 <span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 2d5afd1041a8724374fd2f0073a57dc20f903dff..e2a6d833546bf25db17c774f32e904efd788ac2c 100644 (file)
Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ
index 6baf03b5d38f06d5bdc337e4ff200c70d9f0016a..9f8cf4aeef37320fc60d34355c260732e7eedab7 100644 (file)
@@ -12,8 +12,8 @@
 <title>arpaname</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
+<link rel="prev" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="next" href="man.ddns-confgen.html" title="ddns-confgen">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@@ -22,7 +22,7 @@
 <tr><th colspan="3" align="center"><span class="application">arpaname</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch13.html">Prev</a> </td>
+<a accesskey="p" href="Bv9ARM.ch12.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
 </td>
@@ -77,8 +77,8 @@
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch13.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<a accesskey="p" href="Bv9ARM.ch12.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
 </td>
 </tr>
@@ -90,6 +90,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index ec94d262e7982a493b842ee54ebc5e004fbaeb8b..68b3fbf046b2edefc758099bf98ff381c6968cdf 100644 (file)
@@ -12,7 +12,7 @@
 <title>ddns-confgen</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.arpaname.html" title="arpaname">
 <link rel="next" href="man.delv.html" title="delv">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.arpaname.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.delv.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 64f075965346410fcb7e249fac11898657bb0a35..8a0d35aacbd07b5d0d7ba51a7eab13b31dacfb4b 100644 (file)
@@ -12,7 +12,7 @@
 <title>delv</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.ddns-confgen.html" title="ddns-confgen">
 <link rel="next" href="man.dig.html" title="dig">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 3d2b4c4fe0f39423c0fb8b8b8aad90436a2d345f..0e520050dc4f060638d12930926a02d24d923506 100644 (file)
@@ -12,7 +12,7 @@
 <title>dig</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.delv.html" title="delv">
 <link rel="next" href="man.dnssec-cds.html" title="dnssec-cds">
 </head>
@@ -1089,7 +1089,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.delv.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-cds.html">Next</a>
 </td>
 </tr>
@@ -1101,6 +1101,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 166bf98f5c24dc74a09061e8e2ade82ef560c3be..db829c23d36f93fa450f4433372e952c7374c554 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-cds</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dig.html" title="dig">
 <link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
 </head>
@@ -353,7 +353,7 @@ nsupdate -l
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dig.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
 </td>
 </tr>
@@ -365,6 +365,6 @@ nsupdate -l
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 04cfbcceb4e219191497cbec55a71bc2b87023e1..30302ada04d7a89a2ef28f696fd7d8c25acaf611 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-checkds</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-cds.html" title="dnssec-cds">
 <link rel="next" href="man.dnssec-coverage.html" title="dnssec-coverage">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-cds.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-coverage.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 60b77a1b2f1d4ad80fc64aa8efad60d1916ee104..70beb8037ff914a9034e38057c7abc36b7d8e34a 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-coverage</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
 <link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-checkds.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index c7fce1766a9f99fb2f2b3002daf07810318efaed..2cc1a581a78df233355a847a9e2a847703fe36df 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-dsfromkey</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-coverage.html" title="dnssec-coverage">
 <link rel="next" href="man.dnssec-importkey.html" title="dnssec-importkey">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-coverage.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-importkey.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 6dfbf549cbda1a2841bdc363b194b5b91e2545a3..f51762f10ea4fdfca7a8e5cb81c3525822c6d29e 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-importkey</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
 <link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index df20b181c2abf6d88f7389140306fac9f9890064..c58b240ba088f72267ca5b5e2756044772c5bfe6 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-keyfromlabel</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
 <link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-importkey.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 38e9f55386ff65e6e50d8eaab1686f07a1d860f8..c8311e49dc34e0444f39b9b1c76fa521b574457e 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-keygen</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
 <link rel="next" href="man.dnssec-keymgr.html" title="dnssec-keymgr">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keymgr.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 99425f698b7852dec8658d130246d6f14b3ea221..bfb9a98db71bc103a5d9d739ce5a819f6fe88d21 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-keymgr</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
 <link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-revoke.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 1df3e90bfdab4a3b0e32201630ca6d1b3a128166..13308508e8c7286889170e7f49732429e1780e96 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-revoke</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-keymgr.html" title="dnssec-keymgr">
 <link rel="next" href="man.dnssec-settime.html" title="dnssec-settime">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-keymgr.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-settime.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 539c84dfd2a092559fa135637c8070d9a410af86..78b62a771422a40037aa93b1cb208a236247917c 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-settime</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
 <link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-revoke.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 18f089ba1fc0f576511ae52d53052084ef9e51ad..72e38fd229cd237194e58c62a522694253894c3f 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-signzone</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
 <link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
 </head>
@@ -712,7 +712,7 @@ db.example.com.signed
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-settime.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-verify.html">Next</a>
 </td>
 </tr>
@@ -725,6 +725,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 7664c949ae09dbae76320caa6a13b612dedbb9c2..4a3f657122117e236c9f9ef7dfc30828d81d5823 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnssec-verify</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
 <link rel="next" href="man.dnstap-read.html" title="dnstap-read">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnstap-read.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 7c66eff117cd97123fba05ba674e012ba4cd188c..90b4517323de5679f89f5496292f02d1dddc5198 100644 (file)
@@ -12,7 +12,7 @@
 <title>dnstap-read</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-verify.html" title="dnssec-verify">
 <link rel="next" href="man.genrandom.html" title="genrandom">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.genrandom.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 770b35df85e884583336a9a917d717a67e219d86..a870ec08c7464ebb8a1f73d4d7f0ba8cbfe9e4f3 100644 (file)
@@ -12,7 +12,7 @@
 <title>genrandom</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.dnstap-read.html" title="dnstap-read">
 <link rel="next" href="man.host.html" title="host">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnstap-read.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 03a883a9221d5cd9911eb31fff9bfdd79a48b972..1849aec75926d38b331f4fe407b9c2efa4e243e0 100644 (file)
@@ -12,7 +12,7 @@
 <title>host</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.genrandom.html" title="genrandom">
 <link rel="next" href="man.mdig.html" title="mdig">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.genrandom.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.mdig.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 70de431075f8bf77a7afe45965c9e3218baca815..0e0192ad5870ea89deebbce4c310e4983a17817d 100644 (file)
@@ -12,7 +12,7 @@
 <title>mdig</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.host.html" title="host">
 <link rel="next" href="man.named-checkconf.html" title="named-checkconf">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.host.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index da087bc2c4833d3d36816cb523df591c1fc62706..2c5da288f7db8ce829e31e2c6348ec9322897efb 100644 (file)
@@ -12,7 +12,7 @@
 <title>named-checkconf</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.mdig.html" title="mdig">
 <link rel="next" href="man.named-checkzone.html" title="named-checkzone">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.mdig.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index fe051d19b44a3a6c15107e5d3535afbc92d650d3..fd68950c656900bb7d9a4b75d148db51a9eba5ca 100644 (file)
@@ -12,7 +12,7 @@
 <title>named-checkzone</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.named-checkconf.html" title="named-checkconf">
 <link rel="next" href="man.named-journalprint.html" title="named-journalprint">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index ff72c860f85d716ff8dd7a13b0217dacf6a57b8b..a9800a1c135185316e416dec5b8147e74de68824 100644 (file)
@@ -12,7 +12,7 @@
 <title>named-journalprint</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
 <link rel="next" href="man.named-nzd2nzf.html" title="named-nzd2nzf">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named-nzd2nzf.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 75823d6dc830aafd9f7baeda2f7558000441d7d7..cfa6bbf8f0a27df473acbc24e42bce26db807ba9 100644 (file)
@@ -12,7 +12,7 @@
 <title>named-nzd2nzf</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.named-journalprint.html" title="named-journalprint">
 <link rel="next" href="man.named-rrchecker.html" title="named-rrchecker">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named-journalprint.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named-rrchecker.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 27720ece6866cc3d812d64cb44e6e20c08f80324..d037885f0d3ebc7808474b012178c630c9dbae55 100644 (file)
@@ -12,7 +12,7 @@
 <title>named-rrchecker</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.named-nzd2nzf.html" title="named-nzd2nzf">
 <link rel="next" href="man.named.conf.html" title="named.conf">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named-nzd2nzf.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named.conf.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index dbe5a06e9052f728e75f0f03416b18c24e320e1a..4af3ed3d483a506dd4d31c4ccc4c3ce449ca0da6 100644 (file)
@@ -12,7 +12,7 @@
 <title>named.conf</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.named-rrchecker.html" title="named-rrchecker">
 <link rel="next" href="man.named.html" title="named">
 </head>
@@ -1044,7 +1044,7 @@ zone
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named-rrchecker.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
 </td>
 </tr>
@@ -1057,6 +1057,6 @@ zone
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 1df613c56663dd1e94b4db5adcadd2212e43919f..ba8c486670f32ebb42c86f7d87a9f6f61f843c3a 100644 (file)
@@ -12,7 +12,7 @@
 <title>named</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.named.conf.html" title="named.conf">
 <link rel="next" href="man.nsec3hash.html" title="nsec3hash">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named.conf.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 3ccf75b05f8361d3eb7bb5f8d0eda061a79f32c1..b46191d81fa2a8c09168fdb1531c9af2842c0103 100644 (file)
@@ -12,7 +12,7 @@
 <title>nsec3hash</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.named.html" title="named">
 <link rel="next" href="man.nslookup.html" title="nslookup">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.nslookup.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 3c24f926f06bceb0fddefdd81efaa8ef9cd7233f..841b830edcaa7fc78ddb901e3420b707f3f8845d 100644 (file)
@@ -12,7 +12,7 @@
 <title>nslookup</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.nsec3hash.html" title="nsec3hash">
 <link rel="next" href="man.nsupdate.html" title="nsupdate">
 </head>
@@ -407,7 +407,7 @@ nslookup -query=hinfo  -timeout=10
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.nsec3hash.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
 </td>
 </tr>
@@ -420,6 +420,6 @@ nslookup -query=hinfo  -timeout=10
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 98ef9cb35ad952016577ae668d2dbf6e2ceead48..8f4c6c5fd3cfd7ccabc6724b56ccd50970eb40ac 100644 (file)
@@ -12,7 +12,7 @@
 <title>nsupdate</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.nslookup.html" title="nslookup">
 <link rel="next" href="man.pkcs11-destroy.html" title="pkcs11-destroy">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.nslookup.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-destroy.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index e4241b551668aa3926b4813663b7c94c0ce74912..6b704cc0a907d8ddf0a6698f17aa02ed80aa4330 100644 (file)
@@ -12,7 +12,7 @@
 <title>pkcs11-destroy</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.nsupdate.html" title="nsupdate">
 <link rel="next" href="man.pkcs11-keygen.html" title="pkcs11-keygen">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-keygen.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 45de09149cfdb8735f32dad0dad46c28c0fa3013..5ec62746154c1c14dedb4458b198b30d806e29ff 100644 (file)
@@ -12,7 +12,7 @@
 <title>pkcs11-keygen</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.pkcs11-destroy.html" title="pkcs11-destroy">
 <link rel="next" href="man.pkcs11-list.html" title="pkcs11-list">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.pkcs11-destroy.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-list.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index fe09d5de037ac20a6f911c6c727657359c700692..44824f8847653e48813cec4a814ee3c2b3f40109 100644 (file)
@@ -12,7 +12,7 @@
 <title>pkcs11-list</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.pkcs11-keygen.html" title="pkcs11-keygen">
 <link rel="next" href="man.pkcs11-tokens.html" title="pkcs11-tokens">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.pkcs11-keygen.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.pkcs11-tokens.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 6a9894832b5a0c1e1a6e1d053b9a9f9ad0b482cc..e78e15afec8c4527c36cd880c14ca7155d24415f 100644 (file)
@@ -12,7 +12,7 @@
 <title>pkcs11-tokens</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.pkcs11-list.html" title="pkcs11-list">
 <link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.pkcs11-list.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 76e286f8aee4bf7e8b7e2e3e765bc5fd5d73d14a..71f36dfe18cbf0343ed787727287c5ad4e5decbf 100644 (file)
@@ -12,7 +12,7 @@
 <title>rndc-confgen</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.pkcs11-tokens.html" title="pkcs11-tokens">
 <link rel="next" href="man.rndc.conf.html" title="rndc.conf">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.pkcs11-tokens.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index e6bc67591a274696e038f0dbabadc44c1e5f45a2..8dcbe623fe65f57f60d30c6ec1ba3876719d36d3 100644 (file)
@@ -12,7 +12,7 @@
 <title>rndc.conf</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen">
 <link rel="next" href="man.rndc.html" title="rndc">
 </head>
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
 </td>
 </tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>
index 5f889e63c79d968eeb9fca164e22f2493003b8ef..897400bfda9f352a4597ae5c24e4913f625605b5 100644 (file)
@@ -12,7 +12,7 @@
 <title>rndc</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
+<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
 <link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
 <td width="40%" align="right"> </td>
 </tr>
 <tr>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0-dev</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.1-dev</p>
 </body>
 </html>