--- /dev/null
+Functional enhancements from prior major releases of BIND 9
+
+BIND 9.11
+
+BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
+releases. New features include:
+
+ * Added support for Catalog Zones, a new method for provisioning
+ servers: a list of zones to be served is stored in a DNS zone, along
+ with their configuration parameters. Changes to the catalog zone are
+ propagated to slaves via normal AXFR/IXFR, whereupon the zones that
+ are listed in it are automatically added, deleted or reconfigured.
+ * Added support for "dnstap", a fast and flexible method of capturing
+ and logging DNS traffic.
+ * Added support for "dyndb", a new API for loading zone data from an
+ external database, developed by Red Hat for the FreeIPA project.
+ * "fetchlimit" quotas are now compiled in by default. These are for the
+ use of recursive resolvers that are are under high query load for
+ domains whose authoritative servers are nonresponsive or are
+ experiencing a denial of service attack:
+ + "fetches-per-server" limits the number of simultaneous queries
+ that can be sent to any single authoritative server. The
+ configured value is a starting point; it is automatically adjusted
+ downward if the server is partially or completely non-responsive.
+ The algorithm used to adjust the quota can be configured via the
+ "fetch-quota-params" option.
+ + "fetches-per-zone" limits the number of simultaneous queries that
+ can be sent for names within a single domain. (Note: Unlike
+ "fetches-per-server", this value is not self-tuning.)
+ + New stats counters have been added to count queries spilled due to
+ these quotas.
+ * Added a new "dnssec-keymgr" key mainenance utility, which can generate
+ or update keys as needed to ensure that a zone's keys match a defined
+ DNSSEC policy.
+ * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
+ and is no longer optional. EDNS COOKIE is a mechanism enabling clients
+ to detect off-path spoofed responses, and servers to detect
+ spoofed-source queries. Clients that identify themselves using COOKIE
+ options are not subject to response rate limiting (RRL) and can
+ receive larger UDP responses.
+ * SERVFAIL responses can now be cached for a limited time (defaulting to
+ 1 second, with an upper limit of 30). This can reduce the frequency of
+ retries when a query is persistently failing.
+ * Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to
+ be skipped if a name server IP address isn't in the cache yet; the
+ address will be looked up and the rule will be applied on future
+ queries.
+ * Added a Python RNDC module. This allows multiple commands to sent over
+ a persistent RNDC channel, which saves time.
+ * The "controls" block in named.conf can now grant read-only "rndc"
+ access to specified clients or keys. Read-only clients could, for
+ example, check "rndc status" but could not reconfigure or shut down
+ the server.
+ * "rndc" commands can now return arbitrarily large amounts of text to
+ the caller.
+ * The zone serial number of a dynamically updatable zone can now be set
+ via "rndc signing -serial ". This allows inline-signing zones to be
+ set to a specific serial number.
+ * The new "rndc nta" command can be used to set a Negative Trust Anchor
+ (NTA), disabling DNSSEC validation for a specific domain; this can be
+ used when responses from a domain are known to be failing validation
+ due to administrative error rather than because of a spoofing attack.
+ Negative trust anchors are strictly temporary; by default they expire
+ after one hour, but can be configured to last up to one week.
+ * "rndc delzone" can now be used on zones that were not originally
+ created by "rndc addzone".
+ * "rndc modzone" reconfigures a single zone, without requiring the
+ entire server to be reconfigured.
+ * "rndc showzone" displays the current configuration of a zone.
+ * "rndc managed-keys" can be used to check the status of RFC 5001
+ managed trust anchors, or to force trust anchors to be refreshed.
+ * "max-cache-size" can now be set to a percentage of available memory.
+ The default is 90%.
+ * Update forwarding performance has been improved by allowing a single
+ TCP connection to be shared by multiple updates.
+ * The EDNS Client Subnet (ECS) option is now supported for authoritative
+ servers; if a query contains an ECS option then ACLs containing
+ "geoip" or "ecs" elements can match against the the address encoded in
+ the option. This can be used to select a view for a query, so that
+ different answers can be provided depending on the client network.
+ * The EDNS EXPIRE option has been implemented on the client side,
+ allowing a slave server to set the expiration timer correctly when
+ transferring zone data from another slave server.
+ * The key generation and manipulation tools (dnssec-keygen,
+ dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take
+ "-Psync" and "-Dsync" options to set the publication and deletion
+ times of CDS and CDNSKEY parent-synchronization records. Both named
+ and dnssec-signzone can now publish and remove these records at the
+ scheduled times.
+ * A new "minimal-any" option reduces the size of UDP responses for query
+ type ANY by returning a single arbitrarily selected RRset instead of
+ all RRsets.
+ * A new "masterfile-style" zone option controls the formatting of text
+ zone files: When set to "full", a zone file is dumped in
+ single-line-per-record format.
+ * "serial-update-method" can now be set to "date". On update, the serial
+ number will be set to the current date in YYYYMMDDNN format.
+ * "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
+ * "named -L " causes named to send log messages to the specified file by
+ default instead of to the system log.
+ * "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m,
+ s for weeks, days, hours, minutes, and seconds.
+ * "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
+ presentation format.
+ * "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
+ * "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
+ requests.
+ * "mdig" is an alternate version of dig which sends multiple pipelined
+ TCP queries to a server. Instead of waiting for a response after
+ sending a query, it sends all queries immediately and displays
+ responses in the order received.
+ * "serial-query-rate" no longer controls NOTIFY messages. These are
+ separately controlled by "notify-rate" and "startup-notify-rate".
+ * "nsupdate" now performs "check-names" processing by default on records
+ to be added. This can be disabled with "check-names no".
+ * The statistics channel now supports DEFLATE compression, reducing the
+ size of the data sent over the network when querying statistics.
+ * New counters have been added to the statistics channel to track the
+ sizes of incoming queries and outgoing responses in histogram buckets,
+ as specified in RSSAC002.
+ * A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
+ added, allowing redirection to a specified DNS namespace instead of a
+ single redirect zone.
+ * When starting up, named now ensures that no other named process is
+ already running.
+ * Files created by named to store information, including "mkeys" and
+ "nzf" files, are now named after their corresponding views unless the
+ view name contains characters incompatible with use as a filename. Old
+ style filenames (based on the hash of the view name) will still work.
+
+BIND 9.10.0
+
+BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
+releases. New features include:
+
+ * DNS Response-rate limiting (DNS RRL), which blunts the impact of
+ reflection and amplification attacks, is always compiled in and no
+ longer requires a compile-time option to enable it.
+ * An experimental "Source Identity Token" (SIT) EDNS option is now
+ available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
+ these are designed to enable clients to detect off-path spoofed
+ responses, and to enable servers to detect spoofed-source queries.
+ Servers can be configured to send smaller responses to clients that
+ have not identified themselves using a SIT option, reducing the
+ effectiveness of amplification attacks. RRL processing has also been
+ updated; clients proven to be legitimate via SIT are not subject to
+ rate limiting. Use "configure --enable-sit" to enable this feature in
+ BIND.
+ * A new zone file format, "map", stores zone data in a format that can
+ be mapped directly into memory, allowing significantly faster zone
+ loading.
+ * "delv" (domain entity lookup and validation) is a new tool with
+ dig-like semantics for looking up DNS data and performing internal
+ DNSSEC validation. This allows easy validation in environments where
+ the resolver may not be trustworthy, and assists with troubleshooting
+ of DNSSEC problems. (NOTE: In previous development releases of BIND
+ 9.10, this utility was called "delve". The spelling has been changed
+ to avoid confusion with the "delve" utility included with the Xapian
+ search engine.)
+ * Improved EDNS(0) processing for better resolver performance and
+ reliability over slow or lossy connections.
+ * A new "configure --with-tuning=large" option tunes certain compiled-in
+ constants and default settings to values better suited to large
+ servers with abundant memory. This can improve performance on such
+ servers, but will consume more memory and may degrade performance on
+ smaller systems.
+ * Substantial improvement in response-policy zone (RPZ) performance. Up
+ to 32 response-policy zones can be configured with minimal performance
+ loss.
+ * To improve recursive resolver performance, cache records which are
+ still being requested by clients can now be automatically refreshed
+ from the authoritative server before they expire, reducing or
+ eliminating the time window in which no answer is available in the
+ cache.
+ * New "rpz-client-ip" triggers and drop policies allowing response
+ policies based on the IP address of the client.
+ * ACLs can now be specified based on geographic location using the
+ MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
+ * Zone data can now be shared between views, allowing multiple views to
+ serve the same zones authoritatively without storing multiple copies
+ in memory.
+ * New XML schema (version 3) for the statistics channel includes many
+ new statistics and uses a flattened XML tree for faster parsing. The
+ older schema is now deprecated.
+ * A new stylesheet, based on the Google Charts API, displays XML
+ statistics in charts and graphs on javascript-enabled browsers.
+ * The statistics channel can now provide data in JSON format as well as
+ XML.
+ * New stats counters track TCP and UDP queries received per zone, and
+ EDNS options received in total.
+ * The internal and export versions of the BIND libraries (libisc,
+ libdns, etc) have been unified so that external library clients can
+ use the same libraries as BIND itself.
+ * A new compile-time option, "configure --enable-native-pkcs11", allows
+ BIND 9 cryptography functions to use the PKCS#11 API natively, so that
+ BIND can drive a cryptographic hardware service module (HSM) directly
+ instead of using a modified OpenSSL as an intermediary. (Note: This
+ feature requires an HSM to have a full implementation of the PKCS#11
+ API; many current HSMs only have partial implementations. The new
+ "pkcs11-tokens" command can be used to check API completeness. Native
+ PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
+ version 2 from the Open DNSSEC project.)
+ * The new "max-zone-ttl" option enforces maximum TTLs for zones. This
+ can simplify the process of rolling DNSSEC keys by guaranteeing that
+ cached signatures will have expired within the specified amount of
+ time.
+ * "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
+ * "dig +expire" sends an EDNS EXPIRE option when querying. When this
+ option is sent with an SOA query to a server that supports it, it will
+ report the expiry time of a slave zone.
+ * New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
+ report if a lapse in signing coverage has been inadvertently
+ scheduled.
+ * Signing algorithm flexibility and other improvements for the "rndc"
+ control channel.
+ * "named-checkzone" and "named-compilezone" can now read journal files,
+ allowing them to process dynamic zones.
+ * Multiple DLZ databases can now be configured. Individual zones can be
+ configured to be served from a specific DLZ database. DLZ databases
+ now serve zones of type "master" and "redirect".
+ * "rndc zonestatus" reports information about a specified zone.
+ * "named" now listens on IPv6 as well as IPv4 interfaces by default.
+ * "named" now preserves the capitalization of names when responding to
+ queries: for instance, a query for "example.com" may be answered with
+ "example.COM" if the name was configured that way in the zone file.
+ Some clients have a bug causing them to depend on the older behavior,
+ in which the case of the answer always matched the case of the query,
+ rather than the case of the name configured in the DNS. Such clients
+ can now be specified in the new "no-case-compress" ACL; this will
+ restore the older behavior of "named" for those clients only.
+ * new "dnssec-importkey" command allows the use of offline DNSSEC keys
+ with automatic DNSKEY management.
+ * New "named-rrchecker" tool to verify the syntactic correctness of
+ individual resource records.
+ * When re-signing a zone, the new "dnssec-signzone -Q" option drops
+ signatures from keys that are still published but are no longer
+ active.
+ * "named-checkconf -px" will print the contents of configuration files
+ with the shared secrets obscured, making it easier to share
+ configuration (e.g. when submitting a bug report) without revealing
+ private information.
+ * "rndc scan" causes named to re-scan network interfaces for changes in
+ local addresses.
+ * On operating systems with support for routing sockets, network
+ interfaces are re-scanned automatically whenever they change.
+ * "tsig-keygen" is now available as an alternate command name to use for
+ "ddns-confgen".
+
+BIND 9.9.0
+
+BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+releases. New features include:
+
+ * Inline signing, allowing automatic DNSSEC signing of master zones
+ without modification of the zonefile, or "bump in the wire" signing in
+ slaves.
+ * NXDOMAIN redirection.
+ * New 'rndc flushtree' command clears all data under a given name from
+ the DNS cache.
+ * New 'rndc sync' command dumps pending changes in a dynamic zone to
+ disk without a freeze/thaw cycle.
+ * New 'rndc signing' command displays or clears signing status records
+ in 'auto-dnssec' zones.
+ * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
+ signing, eliminating the need to initially sign with NSEC.
+ * Startup time improvements on large authoritative servers.
+ * Slave zones are now saved in raw format by default.
+ * Several improvements to response policy zones (RPZ).
+ * Improved hardware scalability by using multiple threads to listen for
+ queries and using finer-grained client locking
+ * The 'also-notify' option now takes the same syntax as 'masters', so it
+ can used named masterlists and TSIG keys.
+ * 'dnssec-signzone -D' writes an output file containing only DNSSEC
+ data, which can be included by the primary zone file.
+ * 'dnssec-signzone -R' forces removal of signatures that are not expired
+ but were created by a key which no longer exists.
+ * 'dnssec-signzone -X' allows a separate expiration date to be specified
+ for DNSKEY signatures from other signatures.
+ * New '-L' option to dnssec-keygen, dnssec-settime, and
+ dnssec-keyfromlabel sets the default TTL for the key.
+ * dnssec-dsfromkey now supports reading from standard input, to make it
+ easier to convert DNSKEY to DS.
+ * RFC 1918 reverse zones have been added to the empty-zones table per
+ RFC 6303.
+ * Dynamic updates can now optionally set the zone's SOA serial number to
+ the current UNIX time.
+ * DLZ modules can now retrieve the source IP address of the querying
+ client.
+ * 'request-ixfr' option can now be set at the per-zone level.
+ * 'dig +rrcomments' turns on comments about DNSKEY records, indicating
+ their key ID, algorithm and function
+ * Simplified nsupdate syntax and added readline support
+
+BIND 9.8.0
+
+BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+releases. New features include:
+
+ * Built-in trust anchor for the root zone, which can be switched on via
+ "dnssec-validation auto;"
+ * Support for DNS64.
+ * Support for response policy zones (RPZ).
+ * Support for writable DLZ zones.
+ * Improved ease of configuration of GSS/TSIG for interoperability with
+ Active Directory
+ * Support for GOST signing algorithm for DNSSEC.
+ * Removed RTT Banding from server selection algorithm.
+ * New "static-stub" zone type.
+ * Allow configuration of resolver timeouts via "resolver-query-timeout"
+ option.
+ * The DLZ "dlopen" driver is now built by default.
+ * Added a new include file with function typedefs for the DLZ "dlopen"
+ driver.
+ * Made "--with-gssapi" default.
+ * More verbose error reporting from DLZ LDAP.
+
+BIND 9.7.0
+
+BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+releases. Most are intended to simplify DNSSEC configuration. New features
+include:
+
+ * Fully automatic signing of zones by "named".
+ * Simplified configuration of DNSSEC Lookaside Validation (DLV).
+ * Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+ command line tool or the "local" update-policy option. (As a side
+ effect, this also makes it easier to configure automatic zone
+ re-signing.)
+ * New named option "attach-cache" that allows multiple views to share a
+ single cache.
+ * DNS rebinding attack prevention.
+ * New default values for dnssec-keygen parameters.
+ * Support for RFC 5011 automated trust anchor maintenance
+ * Smart signing: simplified tools for zone signing and key maintenance.
+ * The "statistics-channels" option is now available on Windows.
+ * A new DNSSEC-aware libdns API for use by non-BIND9 applications
+ * On some platforms, named and other binaries can now print out a stack
+ backtrace on assertion failure, to aid in debugging.
+ * A "tools only" installation mode on Windows, which only installs dig,
+ host, nslookup and nsupdate.
+ * Improved PKCS#11 support, including Keyper support and explicit
+ OpenSSL engine selection.
+
+BIND 9.6.0
+
+ * Full NSEC3 support
+ * Automatic zone re-signing
+ * New update-policy methods tcp-self and 6to4-self
+ * The BIND 8 resolver library, libbind, has been removed from the BIND 9
+ distribution and is now available as a separate download.
+ * Change the default pid file location from /var/run to /var/run/
+ {named,lwresd} for improved chroot/setuid support.
+
+BIND 9.5.0
+
+ * GSS-TSIG support (RFC 3645).
+ * DHCID support.
+ * Experimental http server and statistics support for named via xml.
+ * More detailed statistics counters including those supported in BIND 8.
+ * Faster ACL processing.
+ * Use Doxygen to generate internal documentation.
+ * Efficient LRU cache-cleaning mechanism.
+ * NSID support.
+
+BIND 9.4.0
+
+ * Implemented "additional section caching (or acache)", an internal
+ cache framework for additional section content to improve response
+ performance. Several configuration options were provided to control
+ the behavior.
+ * New notify type 'master-only'. Enable notify for master zones only.
+ * Accept 'notify-source' style syntax for query-source.
+ * rndc now allows addresses to be set in the server clauses.
+ * New option "allow-query-cache". This lets "allow-query" be used to
+ specify the default zone access level rather than having to have every
+ zone override the global value. "allow-query-cache" can be set at both
+ the options and view levels. If "allow-query-cache" is not set then
+ "allow-recursion" is used if set, otherwise "allow-query" is used if
+ set unless "recursion no;" is set in which case "none;" is used,
+ otherwise the default (localhost; localnets;) is used.
+ * rndc: the source address can now be specified.
+ * ixfr-from-differences now takes master and slave in addition to yes
+ and no at the options and view levels.
+ * Allow the journal's name to be changed via named.conf.
+ * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
+ specified zone.
+ * 'dig +trace' now randomly selects the next servers to try. Report if
+ there is a bad delegation.
+ * Improve check-names error messages.
+ * Make public the function to read a key file, dst_key_read_public().
+ * dig now returns the byte count for axfr/ixfr.
+ * allow-update is now settable at the options / view level.
+ * named-checkconf now checks the logging configuration.
+ * host now can turn on memory debugging flags with '-m'.
+ * Don't send notify messages to self.
+ * Perform sanity checks on NS records which refer to 'in zone' names.
+ * New zone option "notify-delay". Specify a minimum delay between sets
+ of NOTIFY messages.
+ * Extend adjusting TTL warning messages.
+ * Named and named-checkzone can now both check for non-terminal wildcard
+ records.
+ * "rndc freeze/thaw" now freezes/thaws all zones.
+ * named-checkconf now check acls to verify that they only refer to
+ existing acls.
+ * The server syntax has been extended to support a range of servers.
+ * Report differences between hints and real NS rrset and associated
+ address records.
+ * Preserve the case of domain names in rdata during zone transfers.
+ * Restructured the data locking framework using architecture dependent
+ atomic operations (when available), improving response performance on
+ multi-processor machines significantly. x86, x86_64, alpha, powerpc,
+ and mips are currently supported.
+ * UNIX domain controls are now supported.
+ * Add support for additional zone file formats for improving loading
+ performance. The masterfile-format option in named.conf can be used to
+ specify a non-default format. A separate command named-compilezone was
+ provided to generate zone files in the new format. Additionally, the
+ -I and -O options for dnssec-signzone specify the input and output
+ formats.
+ * dnssec-signzone can now randomize signature end times (dnssec-signzone
+ -j jitter).
+ * Add support for CH A record.
+ * Add additional zone data constancy checks. named-checkzone has
+ extended checking of NS, MX and SRV record and the hosts they
+ reference. named has extended post zone load checks. New zone options:
+ check-mx and integrity-check.
+ * edns-udp-size can now be overridden on a per server basis.
+ * dig can now specify the EDNS version when making a query.
+ * Added framework for handling multiple EDNS versions.
+ * Additional memory debugging support to track size and mctx arguments.
+ * Detect duplicates of UDP queries we are recursing on and drop them.
+ New stats category "duplicates".
+ * "USE INTERNAL MALLOC" is now runtime selectable.
+ * The lame cache is now done on a basis as some servers only appear to
+ be lame for certain query types.
+ * Limit the number of recursive clients that can be waiting for a single
+ query () to resolve. New options clients-per-query and
+ max-clients-per-query.
+ * dig: report the number of extra bytes still left in the packet after
+ processing all the records.
+ * Support for IPSECKEY rdata type.
+ * Raise the UDP recieve buffer size to 32k if it is less than 32k.
+ * x86 and x86_64 now have seperate atomic locking implementations.
+ * named-checkconf now validates update-policy entries.
+ * Attempt to make the amount of work performed in a iteration self
+ tuning. The covers nodes clean from the cache per iteration, nodes
+ written to disk when rewriting a master file and nodes destroyed per
+ iteration when destroying a zone or a cache.
+ * ISC string copy API.
+ * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
+ 1918 zones are not yet covered by this but are likely to be in a
+ future release.
+ * New options: empty-server, empty-contact, empty-zones-enable and
+ disable-empty-zone.
+ * dig now has a '-q queryname' and '+showsearch' options.
+ * host/nslookup now continue (default)/fail on SERVFAIL.
+ * dig now warns if 'RA' is not set in the answer when 'RD' was set in
+ the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
+ is set unless a server is explicitly set.
+ * Integrate contibuted DLZ code into named.
+ * Integrate contibuted IDN code from JPNIC.
+ * libbind: corresponds to that from BIND 8.4.7.
+
+BIND 9.3.0
+
+ * DNSSEC is now DS based (RFC 3658).
+ * DNSSEC lookaside validation.
+ * check-names is now implemented.
+ * rrset-order is more complete.
+ * IPv4/IPv6 transition support, dual-stack-servers.
+ * IXFR deltas can now be generated when loading master files,
+ ixfr-from-differences.
+ * It is now possible to specify the size of a journal, max-journal-size.
+ * It is now possible to define a named set of master servers to be used
+ in masters clause, masters.
+ * The advertised EDNS UDP size can now be set, edns-udp-size.
+ * allow-v6-synthesis has been obsoleted.
+ * Zones containing MD and MF will now be rejected.
+ * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
+ NOTIMPL. This will have impact on scripts that are looking for
+ NOTIMPL.
+ * libbind: corresponds to that from BIND 8.4.5.
+
+BIND 9.2.0
+
+ * The size of the cache can now be limited using the "max-cache-size"
+ option.
+ * The server can now automatically convert RFC1886-style recursive
+ lookup requests into RFC2874-style lookups, when enabled using the new
+ option "allow-v6-synthesis". This allows stub resolvers that support
+ AAAA records but not A6 record chains or binary labels to perform
+ lookups in domains that make use of these IPv6 DNS features.
+ * Performance has been improved.
+ * The man pages now use the more portable "man" macros rather than the
+ "mandoc" macros, and are installed by "make install".
+ * The named.conf parser has been completely rewritten. It now supports
+ "include" directives in more places such as inside "view" statements,
+ and it no longer has any reserved words.
+ * The "rndc status" command is now implemented.
+ * rndc can now be configured automatically.
+ * A BIND 8 compatible stub resolver library is now included in lib/bind.
+ * OpenSSL has been removed from the distribution. This means that to use
+ DNSSEC, OpenSSL must be installed and the --with-openssl option must
+ be supplied to configure. This does not apply to the use of TSIG,
+ which does not require OpenSSL.
+ * The source distribution now builds on Windows. See win32utils/
+ readme1.txt and win32utils/win32-build.txt for details.
+ * This distribution also includes a new lightweight stub resolver
+ library and associated resolver daemon that fully support forward and
+ reverse lookups of both IPv4 and IPv6 addresses. This library is
+ considered experimental and is not a complete replacement for the BIND
+ 8 resolver library. Applications that use the BIND 8 res_* functions
+ to perform DNS lookups or dynamic updates still need to be linked
+ against the BIND 8 libraries. For DNS lookups, they can also use the
+ new "getrrsetbyname()" API.
+ * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+ secured zones. This functionality is believed to be stable and
+ complete except for lacking support for verifications involving
+ wildcard records in secure zones.
+ * When acting as a caching server, BIND 9.2 can be configured to perform
+ DNSSEC secure resolution on behalf of its clients. This part of the
+ DNSSEC implementation is still considered experimental. For detailed
+ information about the state of the DNSSEC implementation, see the file
+ doc/misc/dnssec.
+
--- /dev/null
+Setting the STD_CDEFINES environment variable before running configure can
+be used to enable certain compile-time options that are not explicitly
+defined in configure.
+
+Some of these settings are:
+
+Setting Description
+ Don't ovewrite memory when allocating or freeing
+-DISC_MEM_FILL=0 it; this improves performance but makes
+ debugging more difficult.
+ Don't track memory allocations by file and line
+-DISC_MEM_TRACKLINES=0 number; this improves performance but makes
+ debugging more difficult.
+-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
+-DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular
+ well-known ports:
+-DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone
+-DCHECK_LOCAL=0 Don't check out-of-zone addresses in
+ named-checkzone
+-DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run
+ rather than ${localstatedir}/run/{named,lwresd}/
+
--- /dev/null
+BIND 9
+
+Contents
+
+ 1. Introduction
+ 2. Reporting bugs and getting help
+ 3. Contributing to BIND
+ 4. BIND 9.12 features
+ 5. Building BIND
+ 6. Compile-time options
+ 7. Automated testing
+ 8. Documentation
+ 9. Change log
+10. Acknowledgments
+
+Introduction
+
+BIND (Berkeley Internet Name Domain) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
+
+The BIND name server, named, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously. It
+implements views for split-horizon DNS, automatic DNSSEC zone signing and
+key management, catalog zones to facilitate provisioning of zone data
+throughout a name server constellation, response policy zones (RPZ) to
+protect clients from malicious data, response rate limiting (RRL) and
+recursive query limits to reduce distributed denial of service attacks,
+and many other advanced DNS features. BIND also includes a suite of
+administrative tools, including the dig and delv DNS lookup tools,
+nsupdate for dynamic DNS zone updates, rndc for remote name server
+administration, and more.
+
+BIND 9 is a complete re-write of the BIND architecture that was used in
+versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
+(c)(3) public benefit corporation dedicated to providing software and
+services in support of the Internet infrastructure, developed BIND 9 and
+is responsible for its ongoing maintenance and improvement. BIND is open
+source software licenced under the terms of the Mozilla Public License,
+version 2.0.
+
+For a summary of features introduced in past major releases of BIND, see
+the file HISTORY.
+
+For a detailed list of changes made throughout the history of BIND 9, see
+the file CHANGES. See below for details on the CHANGES file format.
+
+For up-to-date release notes and errata, see http://www.isc.org/software/
+bind9/releasenotes
+
+Reporting bugs and getting help
+
+Please report assertion failure errors and suspected security issues to
+security-officer@isc.org.
+
+General bug reports can be sent to bind9-bugs@isc.org.
+
+Feature requests can be sent to bind-suggest@isc.org.
+
+Please note that, while ISC's ticketing system is not currently publicly
+readable, this may change in the future. Please do not include information
+in bug reports that you consider to be confidential. For example, when
+sending the contents of your configuration file, it is advisable to
+obscure key secrets; this can be done automatically by using
+named-checkconf -px.
+
+Professional support and training for BIND are available from ISC at
+https://www.isc.org/support.
+
+To join the BIND Users mailing list, or view the archives, visit https://
+lists.isc.org/mailman/listinfo/bind-users.
+
+If you're planning on making changes to the BIND 9 source code, you may
+also want to join the BIND Workers mailing list, at https://lists.isc.org/
+mailman/listinfo/bind-workers.
+
+Contributing to BIND
+
+A public git repository for BIND is maintained at http://www.isc.org/git/,
+and also on Github at https://github.com/isc-projects.
+
+Information for BIND contributors can be found in the following files: -
+General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
+style.md - BIND architecture and developer guide: doc/dev/dev.md
+
+Patches for BIND may be submitted either as Github pull requests or via
+email. When submitting a patch via email, please prepend the subject
+header with "[PATCH]" so it will be easier for us to find. If your patch
+introduces a new feature in BIND, please submit it to bind-suggest@isc.org
+; if it fixes a bug, please submit it to bind9-bugs@isc.org.
+
+BIND 9.12 features
+
+BIND 9.12.0 is the newest development branch of BIND 9. It includes a
+number of changes from BIND 9.11 and earlier releases. New features
+include:
+
+ * named and related libraries have been substantially refactored for for
+ improved query performance -- particularly on delegation heavy zones
+ -- and for improved readability, maintainability, and testability.
+ * Code implementing the name server query processing logic has been
+ moved into a new libns library, for easier testing and use in tools
+ other than named.
+ * Cached, validated NSEC and other records can now be used to synthesize
+ NXDOMAIN responses.
+ * The DNS Response Policy Service API (DNSRPS) is now supported.
+ * Setting max-journal-size default now limits the size of journal files
+ to twice the size of the zone.
+ * The query handling code has been substantially refactored for improved
+ readability, maintainability and testability .
+ * dnstap-read -x prints a hex dump of the wire format of each logged DNS
+ message.
+ * dnstap output files can now be configured to roll automatically when
+ reaching a given size.
+ * Log file timestamps can now also be formatted in ISO 8601 (local) or
+ ISO 8601 (UTC) formats.
+ * Logging channels and dnstap output files can now be configured to use
+ a timestamp as the suffix when rolling to a new file.
+ * named-checkconf -l lists zones found in named.conf.
+ * Added support for the EDNS Padding and Keepalive options.
+ * 'new-zones-directory' option sets the location where the configuration
+ data for zones added by rndc addzone is stored
+ * named-checkconf -l lists the zones found in named.conf.
+
+Building BIND
+
+BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
+support, and a 64-bit integer type. Successful builds have been observed
+on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
+Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
+HP-UX, AIX, SCO OpenServer, and OpenWRT.
+
+BIND is also available for Windows XP, 2003, 2008, and higher. See
+win32utils/readme1st.txt for details on building for Windows systems.
+
+To build on a UNIX or Linux system, use:
+
+ $ ./configure
+ $ make
+
+If you're planning on making changes to the BIND 9 source, you should run
+make depend. If you're using Emacs, you might find make tags helpful.
+
+Several environment variables that can be set before running configure
+will affect compilation:
+
+Variable Description
+CC The C compiler to use. configure tries to figure out the
+ right one for supported systems.
+ C compiler flags. Defaults to include -g and/or -O2 as
+CFLAGS supported by the compiler. Please include '-g' if you need
+ to set CFLAGS.
+ System header file directories. Can be used to specify
+STD_CINCLUDES where add-on thread or IPv6 support is, for example.
+ Defaults to empty string.
+ Any additional preprocessor symbols you want defined.
+STD_CDEFINES Defaults to empty string. For a list of possible settings,
+ see the file OPTIONS.
+LDFLAGS Linker flags. Defaults to empty string.
+BUILD_CC Needed when cross-compiling: the native C compiler to use
+ when building for the target system.
+BUILD_CFLAGS Optional, used for cross-compiling
+BUILD_CPPFLAGS
+BUILD_LDFLAGS
+BUILD_LIBS
+
+Compile-time options
+
+To see a full list of configuration options, run configure --help.
+
+On most platforms, BIND 9 is built with multithreading support, allowing
+it to take advantage of multiple CPUs. You can configure this by
+specifying --enable-threads or --disable-threads on the configure command
+line. The default is to enable threads, except on some older operating
+systems on which threads are known to have had problems in the past.
+(Note: Prior to BIND 9.10, the default was to disable threads on Linux
+systems; this has now been reversed. On Linux systems, the threaded build
+is known to change BIND's behavior with respect to file permissions; it
+may be necessary to specify a user with the -u option when running named.)
+
+To build shared libraries, specify --with-libtool on the configure command
+line.
+
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying --with-tuning=
+large on the configure command line. This can improve performance on big
+servers, but will consume more memory and may degrade performance on
+smaller systems.
+
+For the server to support DNSSEC, you need to build it with crypto
+support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
+installed. If the OpenSSL library is installed in a nonstandard location,
+specify the prefix using "--with-openssl=/prefix" on the configure command
+line. To use a PKCS#11 hardware service module for cryptographic
+operations, specify the path to the PKCS#11 provider library using
+"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11".
+
+To support the HTTP statistics channel, the server must be linked with at
+least one of the following: libxml2 http://xmlsoft.org or json-c https://
+github.com/json-c. If these are installed at a nonstandard location,
+specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
+
+To support compression on the HTTP statistics channel, the server must be
+linked against libzlib. If this is installed in a nonstandard location,
+specify the prefix using --with-zlib=/prefix.
+
+To support storing configuration data for runtime-added zones in an LMDB
+database, the server must be linked with liblmdb. If this is installed in
+a nonstandard location, specify the prefix using "with-lmdb=/prefix".
+
+To support GeoIP location-based ACLs, the server must be linked with
+libGeoIP. This is not turned on by default; BIND must be configured with
+"--with-geoip". If the library is installed in a nonstandard location, use
+specify the prefix using "--with-geoip=/prefix".
+
+For DNSTAP packet logging, you must have libfstrm https://github.com/
+farsightsec/fstrm and libprotobuf-c https://developers.google.com/
+protocol-buffers, and BIND must be configured with "--enable-dnstap".
+
+Python requires the 'argparse' and 'ply' modules to be available.
+'argparse' is a standard module as of Python 2.7 and Python 3.2. 'ply' is
+available from https://pypi.python.org/pypi/ply.
+
+On some platforms it is necessary to explicitly request large file support
+to handle files bigger than 2GB. This can be done by using
+--enable-largefile on the configure command line.
+
+Support for the "fixed" rrset-order option can be enabled or disabled by
+specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
+command line. By default, fixed rrset-order is disabled to reduce memory
+footprint.
+
+If your operating system has integrated support for IPv6, it will be used
+automatically. If you have installed KAME IPv6 separately, use --with-kame
+[=PATH] to specify its location.
+
+make install will install named and the various BIND 9 libraries. By
+default, installation is into /usr/local, but this can be changed with the
+--prefix option when running configure.
+
+You may specify the option --sysconfdir to set the directory where
+configuration files like named.conf go by default, and --localstatedir to
+set the default parent directory of run/named.pid. For backwards
+compatibility with BIND 8, --sysconfdir defaults to /etc and
+--localstatedir defaults to /var if no --prefix option is given. If there
+is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
+defaults to $prefix/var.
+
+Automated testing
+
+A system test suite can be run with make test. The system tests require
+you to configure a set of virtual IP addresses on your system (this allows
+multiple servers to run locally and communicate with one another). These
+IP addresses can be configured by by running the script bin/tests/system/
+ifconfig.sh up as root.
+
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
+and will be skipped if these are not available. Some tests require Python
+and the 'dnspython' module and will be skipped if these are not available.
+See bin/tests/system/README for further details.
+
+Unit tests are implemented using Automated Testing Framework (ATF). To run
+them, use configure --with-atf, then run make test or make unit.
+
+Documentation
+
+The BIND 9 Administrator Reference Manual is included with the source
+distribution, in DocBook XML, HTML and PDF format, in the doc/arm
+directory.
+
+Some of the programs in the BIND 9 distribution have man pages in their
+directories. In particular, the command line options of named are
+documented in bin/named/named.8.
+
+Frequently (and not-so-frequently) asked questions and their answers can
+be found in the ISC Knowledge Base at https://kb.isc.org.
+
+Additional information on various subjects can be found in other README
+files throughout the source tree.
+
+Change log
+
+A detailed list of all changes that have been made throughout the
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first. Change notes include tags indicating the category of
+the change that was made; these categories are:
+
+Category Description
+[func] New feature
+[bug] General bug fix
+[security] Fix for a significant security flaw
+[experimental] Used for new features when the syntax or other aspects of
+ the design are still in flux and may change
+[port] Portability enhancement
+[maint] Updates to built-in data such as root server addresses and
+ keys
+[tuning] Changes to built-in configuration defaults and constants to
+ improve performance
+[performance] Other changes to improve server performance
+[protocol] Updates to the DNS protocol such as new RR types
+[test] Changes to the automatic tests, not affecting server
+ functionality
+[cleanup] Minor corrections and refactoring
+[doc] Documentation
+[contrib] Changes to the contributed tools and libraries in the
+ 'contrib' subdirectory
+ Used in the master development branch to reserve change
+[placeholder] numbers for use in other branches, e.g. when fixing a bug
+ that only exists in older releases
+
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero). Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently-supported releases.
+
+Acknowledgments
+
+ * The original development of BIND 9 was underwritten by the following
+ organizations:
+
+ Sun Microsystems, Inc.
+ Hewlett Packard
+ Compaq Computer Corporation
+ IBM
+ Process Software Corporation
+ Silicon Graphics, Inc.
+ Network Associates, Inc.
+ U.S. Defense Information Systems Agency
+ USENIX Association
+ Stichting NLnet - NLnet Foundation
+ Nominum, Inc.
+
+ * This product includes software developed by the OpenSSL Project for
+ use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+ * This product includes cryptographic software written by Eric Young
+ (eay@cryptsoft.com)
+ * This product includes software written by Tim Hudson
+ (tjh@cryptsoft.com)
+
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>BIND 9 Administrator Reference Manual</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center">BIND 9 Administrator Reference Manual</th></tr>
+<tr>
+<td width="20%" align="left">Â </td>
+<th width="60%" align="center">Â </th>
+<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="book">
+<div class="titlepage">
+<div>
+<div><h1 class="title">
+<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
+<div><p class="releaseinfo">BIND Version 9.12.0-pre-alpha</p></div>
+<div><p class="copyright">Copyright © 2000-2017 Internet Systems Consortium, Inc. ("ISC")</p></div>
+</div>
+<hr>
+</div>
+<div class="toc">
+<p><b>Table of Contents</b></p>
+<dl class="toc">
+<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch01.html#doc_scope">Scope of Document</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch01.html#organization">Organization of This Document</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch01.html#conventions">Conventions Used in This Document</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_overview">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_fundamentals">DNS Fundamentals</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch01.html#domain_names">Domains and Domain Names</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch01.html#zones">Zones</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch01.html#auth_servers">Authoritative Name Servers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch01.html#cache_servers">Caching Name Servers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch01.html#multi_role">Name Servers in Multiple Roles</a></span></dt>
+</dl></dd>
+</dl></dd>
+<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch02.html#hw_req">Hardware requirements</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch02.html#cpu_req">CPU Requirements</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch02.html#mem_req">Memory Requirements</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch02.html#supported_os">Supported Operating Systems</a></span></dt>
+</dl></dd>
+<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch03.html#cache_only_sample">A Caching-only Name Server</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch03.html#auth_only_sample">An Authoritative-only Name Server</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch03.html#load_balancing">Load Balancing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch03.html#ns_operations">Name Server Operations</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt>
+</dl></dd>
+</dl></dd>
+<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.3">Converting from insecure to secure</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Dynamic DNS update method</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.16">Fully automatic zone signing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.25">Private-type records</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.32">DNSKEY rollovers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">Dynamic DNS update method</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.39">Automatic key rollovers</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.47">Converting from secure to insecure</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.51">Periodic re-signing</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.53">NSEC3 and OPTOUT</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">Prerequisites</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Native PKCS#11</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">OpenSSL-based PKCS#11</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">PKCS#11 Tools</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.10">Using the HSM</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.11">Specifying the engine on the command line</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.12">Running named with automatic zone re-signing</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Configuring DLZ</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Sample DLZ Driver</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#catz-info">Catalog Zones</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.4">Principle of Operation</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.5">Configuring Catalog Zones</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Catalog Zone format</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.6">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address to Name Lookups Using Nibble Format</a></span></dt>
+</dl></dd>
+</dl></dd>
+<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch05.html#lightweight_resolver">The Lightweight Resolver Library</a></span></dt></dl></dd>
+<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#comment_syntax">Comment Syntax</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
+ Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_file">Zone File</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#mx_records">Discussion of MX Records</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt>
+</dl></dd>
+</dl></dd>
+<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
+</dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
+</dl></dd>
+<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#common_problems">Common Problems</a></span></dt>
+<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#more_help">Where Can I Get Help?</a></span></dt>
+</dl></dd>
+<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.12.0-pre-alpha</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Windows XP No Longer Supported</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
+</dl></dd>
+</dl></dd>
+<dt><span class="appendix"><a href="Bv9ARM.ch10.html">B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="appendix"><a href="Bv9ARM.ch11.html">C. General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch11.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+</dl></dd>
+</dl></dd>
+<dt><span class="appendix"><a href="Bv9ARM.ch12.html">D. BIND 9 DNS Library Support</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.4">Prerequisite</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.5">Compilation</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.6">Installation</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.7">Known Defects/Restrictions</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.8">The dns.conf File</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.9">Sample Applications</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.10">Library References</a></span></dt>
+</dl></dd>
+</dl></dd>
+<dt><span class="reference"><a href="Bv9ARM.ch13.html">I. Manual pages</a></span></dt>
+<dd><dl>
+<dt>
+<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> — DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> — DNS pipelined lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> — DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.delv.html">delv</a></span><span class="refpurpose"> — DNS lookup and validation utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.nslookup.html">nslookup</a></span><span class="refpurpose"> — query Internet name servers interactively</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> — DNSSEC delegation consistency checking tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-coverage.html"><span class="application">dnssec-coverage</span></a></span><span class="refpurpose"> — checks future DNSKEY coverage for a zone</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> — DNSSEC DS RR generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-importkey.html"><span class="application">dnssec-importkey</span></a></span><span class="refpurpose"> — import DNSKEY records from external systems so they can be managed</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> — DNSSEC key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> — DNSSEC key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keymgr.html"><span class="application">dnssec-keymgr</span></a></span><span class="refpurpose"> — Ensures correct DNSKEY coverage for a zone based on a defined policy</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> — set the REVOKED bit on a DNSSEC key</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> — set the key timing metadata for a DNSSEC key</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> — DNSSEC zone signing tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> — DNSSEC zone verification tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> — Internet domain name server</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> — configuration file for <span class="command"><strong>named</strong></span></span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> — named configuration file syntax checking tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> — zone file validity checking or converting tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> — print zone journal in human-readable form</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-nzd2nzf.html"><span class="application">named-nzd2nzf</span></a></span><span class="refpurpose"> —
+ Convert an NZD database to NZF text format
+ </span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-rrchecker.html"><span class="application">named-rrchecker</span></a></span><span class="refpurpose"> — syntax checker for individual DNS resource records</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> — Dynamic DNS update utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> — name server control utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> — rndc configuration file</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> — rndc key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> — ddns key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> — translate IP addresses to the corresponding ARPA names</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnstap-read.html"><span class="application">dnstap-read</span></a></span><span class="refpurpose"> — print dnstap data in human-readable form</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> — generate a file containing random data</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> — fixes HMAC keys generated by older versions of BIND</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> — generate NSEC3 hash</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.pkcs11-destroy.html"><span class="application">pkcs11-destroy</span></a></span><span class="refpurpose"> — destroy PKCS#11 objects</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.pkcs11-list.html"><span class="application">pkcs11-list</span></a></span><span class="refpurpose"> — list PKCS#11 objects</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.pkcs11-keygen.html"><span class="application">pkcs11-keygen</span></a></span><span class="refpurpose"> — generate keys on a PKCS#11 device</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.pkcs11-tokens.html"><span class="application">pkcs11-tokens</span></a></span><span class="refpurpose"> — list PKCS#11 available tokens</span>
+</dt>
+</dl></dd>
+</dl>
+</div>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ </div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">Â </td>
+<td width="20%" align="center">Â </td>
+<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">Â </td>
+<td width="20%" align="center">Â </td>
+<td width="40%" align="right" valign="top"> Chapter 1. Introduction</td>
+</tr>
+</table>
+</div>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
+</body>
+</html>
--- /dev/null
+<!--
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title></title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
+
+ <div class="section">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="id-1.2"></a>Release Notes for BIND Version 9.12.0-pre-alpha</h2></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
+ <p>
+ BIND 9.12.0 is a new feature release of BIND, still under development.
+ This document summarizes new features and functional changes that
+ have been introduced on this branch. With each development
+ release leading up to the final BIND 9.12.0 release, this document
+ will be updated with additional features added and bugs fixed.
+ </p>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_download"></a>Download</h3></div></div></div>
+ <p>
+ The latest versions of BIND 9 software can always be found at
+ <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
+ There you will find additional information about each release,
+ source code, and pre-compiled versions for Microsoft Windows
+ operating systems.
+ </p>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_license"></a>License Change</h3></div></div></div>
+ <p>
+ With the release of BIND 9.11.0, ISC changed to the open
+ source license for BIND from the ISC license to the Mozilla
+ Public License (MPL 2.0).
+ </p>
+ <p>
+ The MPL-2.0 license requires that if you make changes to
+ licensed software (e.g. BIND) and distribute them outside
+ your organization, that you publish those changes under that
+ same license. It does not require that you publish or disclose
+ anything other than the changes you made to our software.
+ </p>
+ <p>
+ This requirement will not affect anyone who is using BIND
+ without redistributing it, nor anyone redistributing it without
+ changes, therefore this change will be without consequence
+ for most individuals and organizations who are using BIND.
+ </p>
+ <p>
+ Those unsure whether or not the license change affects their
+ use of BIND, or who wish to discuss how to comply with the
+ license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
+ https://www.isc.org/mission/contact/</a>.
+ </p>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="win_support"></a>Windows XP No Longer Supported</h3></div></div></div>
+ <p>
+ As of BIND 9.11.2, Windows XP is no longer a supported platform for
+ BIND, and Windows XP binaries are no longer available for download
+ from ISC.
+ </p>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ None.
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ Many aspects of <span class="command"><strong>named</strong></span> have been modified
+ to improve query performance, and in particular, performance
+ for delegation-heavy zones:
+ </p>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
+<li class="listitem">
+ <p>
+ The additional cache ("acache") was found not to
+ significantly improve performance and has been removed;
+ the <span class="command"><strong>acache-enable</strong></span> and
+ <span class="command"><strong>acache-cleaning-interval</strong></span> options are now
+ deprecated.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ In place of the acache, <span class="command"><strong>named</strong></span> can now use
+ a glue cache to speed up retrieval of glue records when sending
+ delegation responses. Unlike acache, this feature is on by
+ default; use <span class="command"><strong>glue-cache no;</strong></span> to disable it.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>additional-from-cache</strong></span>
+ and <span class="command"><strong>additional-from-auth</strong></span> options have been
+ deprecated.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>minimal-responses</strong></span> is now set
+ to <code class="literal">yes</code> by default.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Several functions have been refactored to improve
+ performance, including name compression, owner name
+ case restoration, hashing, and buffers.
+ </p>
+ </li>
+</ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ Several areas of code have been refactored for improved
+ readability, maintainability, and testability:
+ </p>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>named</strong></span> query logic implemented in
+ <span class="command"><strong>query_find()</strong></span> has been split into
+ smaller functions with a context structure to maintain state
+ between them, and extensive comments have been added.
+ [RT #43929]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Similarly the iterative query logic implemented in
+ <span class="command"><strong>resquery_response()</strong></span> function has been
+ split into smaller functions and comments added. [RT #45362]
+ </p>
+ </li>
+</ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ Code implementing name server query processing has been moved
+ from <span class="command"><strong>named</strong></span> to an external library,
+ <span class="command"><strong>libns</strong></span>. This will make it easier to
+ write unit tests for the code, or to link it into new tools.
+ [RT #45186]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> can now synthesize NXDOMAIN responses
+ from cached DNSSEC-verified records returned in negative or
+ wildcard responses. This will reduce query loads on
+ authoritative servers for signed domains: if existing cached
+ records can be used by the resolver to determine that a name does
+ not exist in the authorittive domain, then no query needs to
+ be sent.
+ </p>
+ <p>
+ This behavior is controlled by the new
+ <code class="filename">named.conf</code> option
+ <span class="command"><strong>synth-from-dnssec</strong></span>. It is enabled by
+ default.
+ </p>
+ <p>
+ Note: This initial implementation can only synthesize NXDOMAIN
+ responses, from NSEC records. Support for NODATA responses,
+ wilcard responses, and NSEC3 records will be added soon.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The DNS Response Policy Service (DNSRPS) API, a mechanism to
+ allow <span class="command"><strong>named</strong></span> to use an external response policy
+ provider, is now supported. (One example of such a provider is
+ "FastRPZ" from Farsight Security, Inc.) This allows the same
+ types of policy filtering as standard RPZ, but can reduce the
+ workload for <span class="command"><strong>named</strong></span>, particularly when using
+ large and frequently-updated policy zones. It also enables
+ <span class="command"><strong>named</strong></span> to share response policy providers
+ with other DNS implementations such as Unbound.
+ </p>
+ <p>
+ This feature is avaiable if BIND is built with
+ <span class="command"><strong>configure --enable-dnsrps</strong></span>, if a DNSRPS
+ provider is installed, and if <span class="command"><strong>dnsrps-enable</strong></span>
+ is set to "yes" in <code class="filename">named.conf</code>. Standard
+ built-in RPZ is used otherwise.
+ </p>
+ <p>
+ Thanks to Vernon Schryver and Farsight Security for the
+ contribution. [RT #43376]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Setting <span class="command"><strong>max-journal-size</strong></span> to
+ <code class="literal">default</code> limits journal sizes to twice the
+ size of the zone contents. This can be overridden by setting
+ <span class="command"><strong>max-journal-size</strong></span> to <code class="literal">unlimited</code>
+ or to an explicit value up to 2G. Thanks to Tony Finch for
+ the contribution. [RT #38324]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dnstap</strong></span> logfiles can now be configured to
+ automatically roll when they reach a specified size. If
+ <span class="command"><strong>dnstap-output</strong></span> is configured with mode
+ <code class="literal">file</code>, then it can take optional
+ <span class="command"><strong>size</strong></span> and <span class="command"><strong>versions</strong></span>
+ key-value arguments to set the logfile rolling parameters.
+ (These have the same semantics as the corresponding
+ options in a <span class="command"><strong>logging</strong></span> channel statement.)
+ [RT #44502]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Logging channels and <span class="command"><strong>dnstap-output</strong></span> files can
+ now be configured with a <span class="command"><strong>suffix</strong></span> option,
+ set to either <code class="literal">increment</code> or
+ <code class="literal">timestamp</code>, indicating whether log files
+ should be given incrementing suffixes when they roll
+ over (e.g., <code class="filename">logfile.0</code>,
+ <code class="filename">.1</code>, <code class="filename">.2</code>, etc)
+ or suffixes indicating the time of the roll. The default
+ is <code class="literal">increment</code>. [RT #42838]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <code class="option">print-time</code> option in the
+ <code class="option">logging</code> configuration can now take arguments
+ <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
+ <strong class="userinput"><code>iso8601-utc</code></strong> to indicate the format in
+ which the date and time should be logged. For backward
+ compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
+ <strong class="userinput"><code>local</code></strong>. [RT #42585]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>nsupdate</strong></span> and <span class="command"><strong>rndc</strong></span> now accepts
+ command line options <span class="command"><strong>-4</strong></span> and <span class="command"><strong>-6</strong></span>
+ which force using only IPv4 or only IPv6, respectively. [RT #45632]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>nsec3hash -r</strong></span> ("rdata order") takes arguments
+ in the same order as they appear in NSEC3 or NSEC3PARAM records.
+ This makes it easier to generate an NSEC3 hash using values cut
+ and pasted from an existing record. Thanks to Tony Finch for
+ the contribution. [RT #45183]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>new-zones-directory</strong></span> option allows
+ <span class="command"><strong>named</strong></span> to store configuration parameters
+ for zones added via <span class="command"><strong>rndc addzone</strong></span> in a
+ location other than the working directory. Thanks to Petr
+ MenšÃk of Red Hat for the contribution.
+ [RT #44853]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
+ dump of the wire format DNS message encapsulated in each
+ <span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>host -A</strong></span> option returns most
+ records for a name, but omits types RRSIG, NSEC and NSEC3.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
+ for EDNS options in addition to numeric values. For example,
+ an EDNS Client-Subnet option could be sent using
+ <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
+ John Worley of Secure64 for the contribution. [RT #44461]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Added support for the EDNS TCP Keepalive option (RFC 7828);
+ this allows negotiation of longer-lived TCP sessions
+ to reduce the overhead of setting up TCP for individual
+ queries. [RT #42126]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Added support for the EDNS Padding option (RFC 7830),
+ which obfuscates packet size analysis when DNS queries
+ are sent over an encrypted channel. [RT #42094]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>rndc</strong></span> commands which refer to zone names
+ can now reference a zone of type <span class="command"><strong>redirect</strong></span>
+ by using the special zone name "-redirect". (Previously this
+ was not possible because <span class="command"><strong>redirect</strong></span> zones
+ always have the name ".", which can be ambiguous.)
+ </p>
+ <p>
+ In the event you need to manipulate a zone actually
+ called "-redirect", use a trailing dot: "-redirect."
+ </p>
+ <p>
+ Note: This change does not appply to the
+ <span class="command"><strong>rndc addzone</strong></span> or
+ <span class="command"><strong>rndc modzone</strong></span> commands.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named-checkconf -l</strong></span> lists the zones found
+ in <code class="filename">named.conf</code>. [RT #43154]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Query logging now includes the ECS option, if one was
+ present in the query, in the format
+ "[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
+ signing algorithms described in RFC 8080. Note, however, that
+ these algorithms must be supported in OpenSSL;
+ currently they are only available in the development branch
+ of OpenSSL at
+ <a class="link" href="https://github.com/openssl/openssl" target="_top">https://github.com/openssl/openssl</a>.
+ [RT #44696]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ EDNS KEY TAG options are verified and printed.
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The lightweight resolver daemon and library (<span class="command"><strong>lwresd</strong></span>
+ and <span class="command"><strong>liblwres</strong></span>) have been removed. [RT #45186]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dnssec-keygen</strong></span> no longer has default
+ algorithm settings. It is necessary to explicitly specify the
+ algorithm on the command line with the <code class="option">-a</code> option
+ when generating keys. This may cause errors with existing signing
+ scripts if they rely on current defaults. The intent is to
+ reduce the long-term cost of transitioning to newer algorithms in
+ the event of RSASHA1 being deprecated. [RT #44755]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dig +sigchase</strong></span> and related options
+ <span class="command"><strong>+trusted-keys</strong></span> and <span class="command"><strong>+topdown</strong></span>
+ have been removed. <span class="command"><strong>delv</strong></span> is now the recommended
+ command for looking up records with DNSSEC validation.
+ [RT #42793]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The Response Policy Zone (RPZ) implementation has been
+ substantially refactored: updates to the RPZ summary
+ database are no longer directly performed by the zone
+ database but by a separate function that is called when
+ a policy zone is updated. This improves both performance
+ and reliability when policy zones receive frequent updates.
+ Summary database updates can be rate-limited by using the
+ <span class="command"><strong>min-update-interval</strong></span> option in a
+ <span class="command"><strong>response-policy</strong></span> statement. [RT #43449]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
+ addresses for all messages, instead of only the remote address.
+ The default output format for <span class="command"><strong>dnstap-read</strong></span> has
+ been updated to include these addresses, with the initiating
+ address first and the responding address second, separated by
+ "-%gt;" or "%lt;-" to indicate in which direction the message
+ was sent. [RT #43595]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Expanded and improved the YAML output from
+ <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
+ size and a detailed breakdown of message contents.
+ [RT #43622] [RT #43642]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
+ names to assist debugging on operating systems that support that.
+ Threads will have names such as "isc-timer", "isc-sockmgr",
+ "isc-worker0001", and so on. This will affect the reporting of
+ subsidiary thread names in <span class="command"><strong>ps</strong></span> and
+ <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ If an ACL is specified with an address prefix in which the
+ prefix length is longer than the address portion (for example,
+ 192.0.2.1/8), it will now be treated as a fatal error during
+ configuration. [RT #43367]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dig</strong></span> now warns about .local queries which are
+ reserved for Multicast DNS. [RT #44783]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The view associated with the query is now logged unless it
+ it is "_default/IN" or "_dnsclient/IN" when logging DNSSEC
+ validator messages.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Multiple <span class="command"><strong>cookie-secret</strong></span> clauses are now
+ supported. The first <span class="command"><strong>cookie-secret</strong></span> in
+ <code class="filename">named.conf</code> is used to generate new
+ server cookies. Any others are used to accept old server
+ cookies or those generated by other servers using the
+ matching <span class="command"><strong>cookie-secret</strong></span>.
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ None.
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="end_of_life"></a>End of Life</h3></div></div></div>
+ <p>
+ The end of life for BIND 9.12 is yet to be determined but
+ will not be before BIND 9.14.0 has been released for 6 months.
+ <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
+ </p>
+ </div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
+
+ <p>
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to
+ make quality open source software, please visit our donations page at
+ <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
+ </p>
+ </div>
+</div>
+</div></body>
+</html>
--- /dev/null
+
+This is a summary of the named.conf options supported by
+this version of BIND 9.
+
+acl <string> { <address_match_element>; ... }; // may occur multiple times
+
+controls {
+ inet ( <ipv4_address> | <ipv6_address> |
+ * ) [ port ( <integer> | * ) ] allow
+ { <address_match_element>; ... } [
+ keys { <string>; ... } ] [ read-only
+ <boolean> ]; // may occur multiple times
+ unix <quoted_string> perm <integer>
+ owner <integer> group <integer> [
+ keys { <string>; ... } ] [ read-only
+ <boolean> ]; // may occur multiple times
+}; // may occur multiple times
+
+dlz <string> {
+ database <string>;
+ search <boolean>;
+}; // may occur multiple times
+
+dyndb <string> <quoted_string> {
+ <unspecified-text> }; // may occur multiple times
+
+key <string> {
+ algorithm <string>;
+ secret <string>;
+}; // may occur multiple times
+
+logging {
+ category <string> { <string>; ... }; // may occur multiple times
+ channel <string> {
+ buffered <boolean>;
+ file <quoted_string> [ versions ( unlimited | <integer> ) ]
+ [ size <size> ] [ suffix ( increment | timestamp ) ];
+ null;
+ print-category <boolean>;
+ print-severity <boolean>;
+ print-time ( iso8601 | iso8601-utc | local | <boolean> );
+ severity <log_severity>;
+ stderr;
+ syslog [ <syslog_facility> ];
+ }; // may occur multiple times
+};
+
+lwres { <unspecified-text> }; // obsolete, may occur multiple times
+
+managed-keys { <string> <string> <integer>
+ <integer> <integer> <quoted_string>; ... }; // may occur multiple times
+
+masters <string> [ port <integer> ] [ dscp
+ <integer> ] { ( <masters> | <ipv4_address> [
+ port <integer> ] | <ipv6_address> [ port
+ <integer> ] ) [ key <string> ]; ... }; // may occur multiple times
+
+options {
+ acache-cleaning-interval <integer>; // obsolete
+ acache-enable <boolean>; // obsolete
+ additional-from-auth <boolean>; // obsolete
+ additional-from-cache <boolean>; // obsolete
+ allow-new-zones <boolean>;
+ allow-notify { <address_match_element>; ... };
+ allow-query { <address_match_element>; ... };
+ allow-query-cache { <address_match_element>; ... };
+ allow-query-cache-on { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-recursion { <address_match_element>; ... };
+ allow-recursion-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ allow-v6-synthesis { <address_match_element>; ... }; // obsolete
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
+ <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
+ <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+ * ) ] [ dscp <integer> ];
+ attach-cache <string>;
+ auth-nxdomain <boolean>; // default changed
+ auto-dnssec ( allow | maintain | off );
+ automatic-interface-scan <boolean>;
+ avoid-v4-udp-ports { <portrange>; ... };
+ avoid-v6-udp-ports { <portrange>; ... };
+ bindkeys-file <quoted_string>;
+ blackhole { <address_match_element>; ... };
+ cache-file <quoted_string>;
+ catalog-zones { zone <quoted_string> [ default-masters [ port
+ <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [
+ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+ <string> ]; ... } ] [ zone-directory <quoted_string> ] [
+ in-memory <boolean> ] [ min-update-interval <integer> ]; ... };
+ check-dup-records ( fail | warn | ignore );
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+ ) ( fail | warn | ignore ); // may occur multiple times
+ check-sibling <boolean>;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard <boolean>;
+ cleaning-interval <integer>;
+ clients-per-query <integer>;
+ cookie-algorithm ( aes | sha1 | sha256 );
+ cookie-secret <string>; // may occur multiple times
+ coresize ( default | unlimited | <sizeval> );
+ datasize ( default | unlimited | <sizeval> );
+ deallocate-on-exit <boolean>; // obsolete
+ deny-answer-addresses { <address_match_element>; ... } [
+ except-from { <quoted_string>; ... } ];
+ deny-answer-aliases { <quoted_string>; ... } [ except-from {
+ <quoted_string>; ... } ];
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+ directory <quoted_string>;
+ disable-algorithms <string> { <string>;
+ ... }; // may occur multiple times
+ disable-ds-digests <string> { <string>;
+ ... }; // may occur multiple times
+ disable-empty-zone <string>; // may occur multiple times
+ dns64 <netprefix> {
+ break-dnssec <boolean>;
+ clients { <address_match_element>; ... };
+ exclude { <address_match_element>; ... };
+ mapped { <address_match_element>; ... };
+ recursive-only <boolean>;
+ suffix <ipv6_address>;
+ }; // may occur multiple times
+ dns64-contact <string>;
+ dns64-server <string>;
+ dnsrps-enable <boolean>; // not configured
+ dnsrps-options { <unspecified-text> }; // not configured
+ dnssec-accept-expired <boolean>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-enable <boolean>;
+ dnssec-loadkeys-interval <integer>;
+ dnssec-lookaside ( <string> trust-anchor
+ <string> | auto | no ); // may occur multiple times
+ dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dnstap { ( all | auth | client | forwarder |
+ resolver ) [ ( query | response ) ]; ... }; // not configured
+ dnstap-identity ( <quoted_string> | none |
+ hostname ); // not configured
+ dnstap-output ( file | unix ) <quoted_string> [
+ size ( unlimited | <size> ) ] [ versions (
+ unlimited | <integer> ) ] [ suffix ( increment
+ | timestamp ) ]; // not configured
+ dnstap-version ( <quoted_string> | none ); // not configured
+ dscp <integer>;
+ dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
+ <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
+ <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
+ <integer> ] [ dscp <integer> ] ); ... };
+ dump-file <quoted_string>;
+ edns-udp-size <integer>;
+ empty-contact <string>;
+ empty-server <string>;
+ empty-zones-enable <boolean>;
+ fake-iquery <boolean>; // obsolete
+ fetch-glue <boolean>; // obsolete
+ fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+ fetches-per-server <integer> [ ( drop | fail ) ];
+ fetches-per-zone <integer> [ ( drop | fail ) ];
+ files ( default | unlimited | <sizeval> );
+ filter-aaaa { <address_match_element>; ... }; // not configured
+ filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
+ filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
+ flush-zones-on-shutdown <boolean>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+ | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ fstrm-set-buffer-hint <integer>; // not configured
+ fstrm-set-flush-timeout <integer>; // not configured
+ fstrm-set-input-queue-size <integer>; // not configured
+ fstrm-set-output-notify-threshold <integer>; // not configured
+ fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
+ fstrm-set-output-queue-size <integer>; // not configured
+ fstrm-set-reopen-interval <integer>; // not configured
+ geoip-directory ( <quoted_string> | none ); // not configured
+ geoip-use-ecs <boolean>; // not configured
+ glue-cache <boolean>;
+ has-old-clients <boolean>; // obsolete
+ heartbeat-interval <integer>;
+ host-statistics <boolean>; // not implemented
+ host-statistics-max <integer>; // not implemented
+ hostname ( <quoted_string> | none );
+ inline-signing <boolean>;
+ interface-interval <integer>;
+ ixfr-from-differences ( master | slave | <boolean> );
+ keep-response-order { <address_match_element>; ... };
+ key-directory <quoted_string>;
+ lame-ttl <ttlval>;
+ listen-on [ port <integer> ] [ dscp
+ <integer> ] {
+ <address_match_element>; ... }; // may occur multiple times
+ listen-on-v6 [ port <integer> ] [ dscp
+ <integer> ] {
+ <address_match_element>; ... }; // may occur multiple times
+ lmdb-mapsize <sizeval>; // non-operational
+ lock-file ( <quoted_string> | none );
+ maintain-ixfr-base <boolean>; // obsolete
+ managed-keys-directory <quoted_string>;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ match-mapped-addresses <boolean>;
+ max-acache-size ( unlimited | <sizeval> ); // obsolete
+ max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+ max-cache-ttl <integer>;
+ max-clients-per-query <integer>;
+ max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
+ max-journal-size ( default | unlimited | <sizeval> );
+ max-ncache-ttl <integer>;
+ max-records <integer>;
+ max-recursion-depth <integer>;
+ max-recursion-queries <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-rsa-exponent-size <integer>;
+ max-stale-ttl <ttlval>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-udp-size <integer>;
+ max-zone-ttl ( unlimited | <ttlval> );
+ memstatistics <boolean>;
+ memstatistics-file <quoted_string>;
+ message-compression <boolean>;
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ min-roots <integer>; // not implemented
+ minimal-any <boolean>;
+ minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+ multi-master <boolean>;
+ multiple-cnames <boolean>; // obsolete
+ named-xfer <quoted_string>; // obsolete
+ new-zones-directory <quoted_string>;
+ no-case-compress { <address_match_element>; ... };
+ nocookie-udp-size <integer>;
+ nosit-udp-size <integer>; // obsolete
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-rate <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+ [ dscp <integer> ];
+ notify-to-soa <boolean>;
+ nsec3-test-zone <boolean>; // test only
+ nta-lifetime <ttlval>;
+ nta-recheck <ttlval>;
+ nxdomain-redirect <string>;
+ pid-file ( <quoted_string> | none );
+ port <integer>;
+ preferred-glue <string>;
+ prefetch <integer> [ <integer> ];
+ provide-ixfr <boolean>;
+ query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ querylog <boolean>;
+ queryport-pool-ports <integer>; // obsolete
+ queryport-pool-updateinterval <integer>; // obsolete
+ random-device <quoted_string>;
+ rate-limit {
+ all-per-second <integer>;
+ errors-per-second <integer>;
+ exempt-clients { <address_match_element>; ... };
+ ipv4-prefix-length <integer>;
+ ipv6-prefix-length <integer>;
+ log-only <boolean>;
+ max-table-size <integer>;
+ min-table-size <integer>;
+ nodata-per-second <integer>;
+ nxdomains-per-second <integer>;
+ qps-scale <integer>;
+ referrals-per-second <integer>;
+ responses-per-second <integer>;
+ slip <integer>;
+ window <integer>;
+ };
+ recursing-file <quoted_string>;
+ recursion <boolean>;
+ recursive-clients <integer>;
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ request-nsid <boolean>;
+ request-sit <boolean>; // obsolete
+ require-server-cookie <boolean>;
+ reserved-sockets <integer>;
+ resolver-nonbackoff-tries <integer>;
+ resolver-query-timeout <integer>;
+ resolver-retry-interval <integer>;
+ response-padding { <address_match_element>; ... } block-size
+ <integer>;
+ response-policy { zone <quoted_string> [ log <boolean> ] [
+ max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
+ policy ( cname | disabled | drop | given | no-op | nodata |
+ nxdomain | passthru | tcp-only <quoted_string> ) ] [
+ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+ nsdname-enable <boolean> ]; ... } [ break-dnssec <boolean> ] [
+ max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
+ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
+ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [
+ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
+ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
+ } ];
+ rfc2308-type1 <boolean>; // not yet implemented
+ root-delegation-only [ exclude { <quoted_string>; ... } ];
+ rrset-order { [ class <string> ] [ type <string> ] [ name
+ <quoted_string> ] <string> <string>; ... };
+ secroots-file <quoted_string>;
+ send-cookie <boolean>;
+ serial-queries <integer>; // obsolete
+ serial-query-rate <integer>;
+ serial-update-method ( date | increment | unixtime );
+ server-id ( <quoted_string> | none | hostname );
+ servfail-ttl <ttlval>;
+ session-keyalg <string>;
+ session-keyfile ( <quoted_string> | none );
+ session-keyname <string>;
+ sig-signing-nodes <integer>;
+ sig-signing-signatures <integer>;
+ sig-signing-type <integer>;
+ sig-validity-interval <integer> [ <integer> ];
+ sit-secret <string>; // obsolete
+ sortlist { <address_match_element>; ... };
+ stacksize ( default | unlimited | <sizeval> );
+ stale-answer-enable <boolean>;
+ stale-answer-ttl <ttlval>;
+ startup-notify-rate <integer>;
+ statistics-file <quoted_string>;
+ statistics-interval <integer>; // not yet implemented
+ suppress-initial-notify <boolean>; // not yet implemented
+ synth-from-dnssec <boolean>;
+ tcp-advertised-timeout <integer>;
+ tcp-clients <integer>;
+ tcp-idle-timeout <integer>;
+ tcp-initial-timeout <integer>;
+ tcp-keepalive-timeout <integer>;
+ tcp-listen-queue <integer>;
+ tkey-dhkey <quoted_string> <integer>;
+ tkey-domain <quoted_string>;
+ tkey-gssapi-credential <quoted_string>;
+ tkey-gssapi-keytab <quoted_string>;
+ topology { <address_match_element>; ... }; // not implemented
+ transfer-format ( many-answers | one-answer );
+ transfer-message-size <integer>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ transfers-in <integer>;
+ transfers-out <integer>;
+ transfers-per-ns <integer>;
+ treat-cr-as-space <boolean>; // obsolete
+ trust-anchor-telemetry <boolean>; // experimental
+ try-tcp-refresh <boolean>;
+ update-check-ksk <boolean>;
+ use-alt-transfer-source <boolean>;
+ use-id-pool <boolean>; // obsolete
+ use-ixfr <boolean>; // obsolete
+ use-queryport-pool <boolean>; // obsolete
+ use-v4-udp-ports { <portrange>; ... };
+ use-v6-udp-ports { <portrange>; ... };
+ v6-bias <integer>;
+ version ( <quoted_string> | none );
+ zero-no-soa-ttl <boolean>;
+ zero-no-soa-ttl-cache <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+};
+
+server <netprefix> {
+ bogus <boolean>;
+ edns <boolean>;
+ edns-udp-size <integer>;
+ edns-version <integer>;
+ keys <server_key>;
+ max-udp-size <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+ [ dscp <integer> ];
+ padding <integer>;
+ provide-ixfr <boolean>;
+ query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ request-nsid <boolean>;
+ request-sit <boolean>; // obsolete
+ send-cookie <boolean>;
+ support-ixfr <boolean>; // obsolete
+ tcp-keepalive <boolean>;
+ tcp-only <boolean>;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ transfers <integer>;
+}; // may occur multiple times
+
+statistics-channels {
+ inet ( <ipv4_address> | <ipv6_address> |
+ * ) [ port ( <integer> | * ) ] [
+ allow { <address_match_element>; ...
+ } ]; // may occur multiple times
+}; // may occur multiple times
+
+trusted-keys { <string> <integer> <integer>
+ <integer> <quoted_string>; ... }; // may occur multiple times
+
+view <string> [ <class> ] {
+ acache-cleaning-interval <integer>; // obsolete
+ acache-enable <boolean>; // obsolete
+ additional-from-auth <boolean>; // obsolete
+ additional-from-cache <boolean>; // obsolete
+ allow-new-zones <boolean>;
+ allow-notify { <address_match_element>; ... };
+ allow-query { <address_match_element>; ... };
+ allow-query-cache { <address_match_element>; ... };
+ allow-query-cache-on { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-recursion { <address_match_element>; ... };
+ allow-recursion-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ allow-v6-synthesis { <address_match_element>; ... }; // obsolete
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
+ <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
+ <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+ * ) ] [ dscp <integer> ];
+ attach-cache <string>;
+ auth-nxdomain <boolean>; // default changed
+ auto-dnssec ( allow | maintain | off );
+ cache-file <quoted_string>;
+ catalog-zones { zone <quoted_string> [ default-masters [ port
+ <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [
+ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+ <string> ]; ... } ] [ zone-directory <quoted_string> ] [
+ in-memory <boolean> ] [ min-update-interval <integer> ]; ... };
+ check-dup-records ( fail | warn | ignore );
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+ ) ( fail | warn | ignore ); // may occur multiple times
+ check-sibling <boolean>;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard <boolean>;
+ cleaning-interval <integer>;
+ clients-per-query <integer>;
+ deny-answer-addresses { <address_match_element>; ... } [
+ except-from { <quoted_string>; ... } ];
+ deny-answer-aliases { <quoted_string>; ... } [ except-from {
+ <quoted_string>; ... } ];
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+ disable-algorithms <string> { <string>;
+ ... }; // may occur multiple times
+ disable-ds-digests <string> { <string>;
+ ... }; // may occur multiple times
+ disable-empty-zone <string>; // may occur multiple times
+ dlz <string> {
+ database <string>;
+ search <boolean>;
+ }; // may occur multiple times
+ dns64 <netprefix> {
+ break-dnssec <boolean>;
+ clients { <address_match_element>; ... };
+ exclude { <address_match_element>; ... };
+ mapped { <address_match_element>; ... };
+ recursive-only <boolean>;
+ suffix <ipv6_address>;
+ }; // may occur multiple times
+ dns64-contact <string>;
+ dns64-server <string>;
+ dnsrps-enable <boolean>; // not configured
+ dnsrps-options { <unspecified-text> }; // not configured
+ dnssec-accept-expired <boolean>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-enable <boolean>;
+ dnssec-loadkeys-interval <integer>;
+ dnssec-lookaside ( <string> trust-anchor
+ <string> | auto | no ); // may occur multiple times
+ dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dnstap { ( all | auth | client | forwarder |
+ resolver ) [ ( query | response ) ]; ... }; // not configured
+ dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
+ <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
+ <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
+ <integer> ] [ dscp <integer> ] ); ... };
+ dyndb <string> <quoted_string> {
+ <unspecified-text> }; // may occur multiple times
+ edns-udp-size <integer>;
+ empty-contact <string>;
+ empty-server <string>;
+ empty-zones-enable <boolean>;
+ fetch-glue <boolean>; // obsolete
+ fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+ fetches-per-server <integer> [ ( drop | fail ) ];
+ fetches-per-zone <integer> [ ( drop | fail ) ];
+ filter-aaaa { <address_match_element>; ... }; // not configured
+ filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
+ filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+ | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ glue-cache <boolean>;
+ inline-signing <boolean>;
+ ixfr-from-differences ( master | slave | <boolean> );
+ key <string> {
+ algorithm <string>;
+ secret <string>;
+ }; // may occur multiple times
+ key-directory <quoted_string>;
+ lame-ttl <ttlval>;
+ lmdb-mapsize <sizeval>; // non-operational
+ maintain-ixfr-base <boolean>; // obsolete
+ managed-keys { <string> <string>
+ <integer> <integer> <integer>
+ <quoted_string>; ... }; // may occur multiple times
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ match-clients { <address_match_element>; ... };
+ match-destinations { <address_match_element>; ... };
+ match-recursive-only <boolean>;
+ max-acache-size ( unlimited | <sizeval> ); // obsolete
+ max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+ max-cache-ttl <integer>;
+ max-clients-per-query <integer>;
+ max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
+ max-journal-size ( default | unlimited | <sizeval> );
+ max-ncache-ttl <integer>;
+ max-records <integer>;
+ max-recursion-depth <integer>;
+ max-recursion-queries <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-stale-ttl <ttlval>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-udp-size <integer>;
+ max-zone-ttl ( unlimited | <ttlval> );
+ message-compression <boolean>;
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ min-roots <integer>; // not implemented
+ minimal-any <boolean>;
+ minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+ multi-master <boolean>;
+ new-zones-directory <quoted_string>;
+ no-case-compress { <address_match_element>; ... };
+ nocookie-udp-size <integer>;
+ nosit-udp-size <integer>; // obsolete
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+ [ dscp <integer> ];
+ notify-to-soa <boolean>;
+ nsec3-test-zone <boolean>; // test only
+ nta-lifetime <ttlval>;
+ nta-recheck <ttlval>;
+ nxdomain-redirect <string>;
+ preferred-glue <string>;
+ prefetch <integer> [ <integer> ];
+ provide-ixfr <boolean>;
+ query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ queryport-pool-ports <integer>; // obsolete
+ queryport-pool-updateinterval <integer>; // obsolete
+ rate-limit {
+ all-per-second <integer>;
+ errors-per-second <integer>;
+ exempt-clients { <address_match_element>; ... };
+ ipv4-prefix-length <integer>;
+ ipv6-prefix-length <integer>;
+ log-only <boolean>;
+ max-table-size <integer>;
+ min-table-size <integer>;
+ nodata-per-second <integer>;
+ nxdomains-per-second <integer>;
+ qps-scale <integer>;
+ referrals-per-second <integer>;
+ responses-per-second <integer>;
+ slip <integer>;
+ window <integer>;
+ };
+ recursion <boolean>;
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ request-nsid <boolean>;
+ request-sit <boolean>; // obsolete
+ require-server-cookie <boolean>;
+ resolver-nonbackoff-tries <integer>;
+ resolver-query-timeout <integer>;
+ resolver-retry-interval <integer>;
+ response-padding { <address_match_element>; ... } block-size
+ <integer>;
+ response-policy { zone <quoted_string> [ log <boolean> ] [
+ max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
+ policy ( cname | disabled | drop | given | no-op | nodata |
+ nxdomain | passthru | tcp-only <quoted_string> ) ] [
+ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+ nsdname-enable <boolean> ]; ... } [ break-dnssec <boolean> ] [
+ max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
+ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
+ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [
+ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
+ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
+ } ];
+ rfc2308-type1 <boolean>; // not yet implemented
+ root-delegation-only [ exclude { <quoted_string>; ... } ];
+ rrset-order { [ class <string> ] [ type <string> ] [ name
+ <quoted_string> ] <string> <string>; ... };
+ send-cookie <boolean>;
+ serial-update-method ( date | increment | unixtime );
+ server <netprefix> {
+ bogus <boolean>;
+ edns <boolean>;
+ edns-udp-size <integer>;
+ edns-version <integer>;
+ keys <server_key>;
+ max-udp-size <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+ ) ] [ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+ | * ) ] [ dscp <integer> ];
+ padding <integer>;
+ provide-ixfr <boolean>;
+ query-source ( ( [ address ] ( <ipv4_address> | * ) [ port
+ ( <integer> | * ) ] ) | ( [ [ address ] (
+ <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [
+ dscp <integer> ];
+ query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [
+ port ( <integer> | * ) ] ) | ( [ [ address ] (
+ <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [
+ dscp <integer> ];
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ request-nsid <boolean>;
+ request-sit <boolean>; // obsolete
+ send-cookie <boolean>;
+ support-ixfr <boolean>; // obsolete
+ tcp-keepalive <boolean>;
+ tcp-only <boolean>;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+ * ) ] [ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] [ dscp <integer> ];
+ transfers <integer>;
+ }; // may occur multiple times
+ servfail-ttl <ttlval>;
+ sig-signing-nodes <integer>;
+ sig-signing-signatures <integer>;
+ sig-signing-type <integer>;
+ sig-validity-interval <integer> [ <integer> ];
+ sortlist { <address_match_element>; ... };
+ stale-answer-enable <boolean>;
+ stale-answer-ttl <ttlval>;
+ suppress-initial-notify <boolean>; // not yet implemented
+ synth-from-dnssec <boolean>;
+ topology { <address_match_element>; ... }; // not implemented
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ trust-anchor-telemetry <boolean>; // experimental
+ trusted-keys { <string> <integer>
+ <integer> <integer> <quoted_string>;
+ ... }; // may occur multiple times
+ try-tcp-refresh <boolean>;
+ update-check-ksk <boolean>;
+ use-alt-transfer-source <boolean>;
+ use-queryport-pool <boolean>; // obsolete
+ v6-bias <integer>;
+ zero-no-soa-ttl <boolean>;
+ zero-no-soa-ttl-cache <boolean>;
+ zone <string> [ <class> ] {
+ allow-notify { <address_match_element>; ... };
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ also-notify [ port <integer> ] [ dscp <integer> ] { (
+ <masters> | <ipv4_address> [ port <integer> ] |
+ <ipv6_address> [ port <integer> ] ) [ key <string> ];
+ ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port (
+ <integer> | * ) ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] [ dscp <integer> ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling <boolean>;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard <boolean>;
+ database <string>;
+ delegation-only <boolean>;
+ dialup ( notify | notify-passive | passive | refresh |
+ <boolean> );
+ dlz <string>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-loadkeys-interval <integer>;
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-update-mode ( maintain | no-resign );
+ file <quoted_string>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { (
+ <ipv4_address> | <ipv6_address> ) [ port <integer> ] [
+ dscp <integer> ]; ... };
+ in-view <string>;
+ inline-signing <boolean>;
+ ixfr-base <quoted_string>; // obsolete
+ ixfr-from-differences <boolean>;
+ ixfr-tmp-file <quoted_string>; // obsolete
+ journal <quoted_string>;
+ key-directory <quoted_string>;
+ maintain-ixfr-base <boolean>; // obsolete
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port <integer> ] [ dscp <integer> ] { ( <masters>
+ | <ipv4_address> [ port <integer> ] | <ipv6_address> [
+ port <integer> ] ) [ key <string> ]; ... };
+ max-ixfr-log-size ( default | unlimited |
+ <sizeval> ); // obsolete
+ max-journal-size ( default | unlimited | <sizeval> );
+ max-records <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-zone-ttl ( unlimited | <ttlval> );
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ multi-master <boolean>;
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+ ) ] [ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+ | * ) ] [ dscp <integer> ];
+ notify-to-soa <boolean>;
+ nsec3-test-zone <boolean>; // test only
+ pubkey <integer>
+ <integer>
+ <integer>
+ <quoted_string>; // obsolete, may occur multiple times
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ serial-update-method ( date | increment | unixtime );
+ server-addresses { ( <ipv4_address> | <ipv6_address> ) [
+ port <integer> ]; ... };
+ server-names { <quoted_string>; ... };
+ sig-signing-nodes <integer>;
+ sig-signing-signatures <integer>;
+ sig-signing-type <integer>;
+ sig-validity-interval <integer> [ <integer> ];
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+ * ) ] [ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] [ dscp <integer> ];
+ try-tcp-refresh <boolean>;
+ type ( delegation-only | forward | hint | master | redirect
+ | slave | static-stub | stub );
+ update-check-ksk <boolean>;
+ update-policy ( local | { ( deny | grant ) <string> (
+ 6to4-self | external | krb5-self | krb5-subdomain |
+ ms-self | ms-subdomain | name | self | selfsub |
+ selfwild | subdomain | tcp-self | wildcard | zonesub )
+ [ <string> ] <rrtypelist>; ... };
+ use-alt-transfer-source <boolean>;
+ zero-no-soa-ttl <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+ }; // may occur multiple times
+ zone-statistics ( full | terse | none | <boolean> );
+}; // may occur multiple times
+
+zone <string> [ <class> ] {
+ allow-notify { <address_match_element>; ... };
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
+ <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
+ <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+ * ) ] [ dscp <integer> ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling <boolean>;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard <boolean>;
+ database <string>;
+ delegation-only <boolean>;
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+ dlz <string>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-loadkeys-interval <integer>;
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-update-mode ( maintain | no-resign );
+ file <quoted_string>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+ | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ in-view <string>;
+ inline-signing <boolean>;
+ ixfr-base <quoted_string>; // obsolete
+ ixfr-from-differences <boolean>;
+ ixfr-tmp-file <quoted_string>; // obsolete
+ journal <quoted_string>;
+ key-directory <quoted_string>;
+ maintain-ixfr-base <boolean>; // obsolete
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port <integer> ] [ dscp <integer> ] { ( <masters> |
+ <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
+ <integer> ] ) [ key <string> ]; ... };
+ max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
+ max-journal-size ( default | unlimited | <sizeval> );
+ max-records <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-zone-ttl ( unlimited | <ttlval> );
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ multi-master <boolean>;
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+ [ dscp <integer> ];
+ notify-to-soa <boolean>;
+ nsec3-test-zone <boolean>; // test only
+ pubkey <integer> <integer>
+ <integer> <quoted_string>; // obsolete, may occur multiple times
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ serial-update-method ( date | increment | unixtime );
+ server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port
+ <integer> ]; ... };
+ server-names { <quoted_string>; ... };
+ sig-signing-nodes <integer>;
+ sig-signing-signatures <integer>;
+ sig-signing-type <integer>;
+ sig-validity-interval <integer> [ <integer> ];
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ try-tcp-refresh <boolean>;
+ type ( delegation-only | forward | hint | master | redirect | slave
+ | static-stub | stub );
+ update-check-ksk <boolean>;
+ update-policy ( local | { ( deny | grant ) <string> ( 6to4-self |
+ external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
+ | name | self | selfsub | selfwild | subdomain | tcp-self |
+ wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
+ use-alt-transfer-source <boolean>;
+ zero-no-soa-ttl <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+}; // may occur multiple times
+
--- /dev/null
+.\" Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\" Title: isc-config.sh
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Date: 2009-02-18
+.\" Manual: BIND9
+.\" Source: ISC
+.\" Language: English
+.\"
+.TH "ISC\-CONFIG\&.SH" "1" "2009\-02\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+isc-config.sh \- Get information about the installed version of ISC BIND
+.SH "SYNOPSIS"
+.HP \w'\fBisc\-config\&.sh\fR\ 'u
+\fBisc\-config\&.sh\fR [\fB\-\-cflags\fR] [\fB\-\-exec\-prefix\fR] [\fB\-\-libs\fR] [\fB\-\-prefix\fR] [\fB\-\-version\fR] [libraries...]
+.SH "DESCRIPTION"
+.PP
+\fBisc\-config\&.sh\fR
+prints information related to the installed version of ISC BIND, such as the compiler and linker flags required to compile and link programs that use ISC BIND libraries\&.
+.PP
+The optional libraries are used to report specific details for compiling and linking for the listed libraries\&. The allowed choices are:
+\fBisc\fR,
+\fBisccc\fR,
+\fBisccfg\fR,
+\fBdns\fR,
+\fBbind9\fR\&. Multiple libraries may be listed on the command line\&. (Some libraries require other libraries, so are implied\&.)
+.SH "OPTIONS"
+.PP
+\-\-cflags
+.RS 4
+Prints the compiler command line options required to compile files that use ISC BIND\&. Use the
+\fBlibraries\fR
+command line argument(s) to print additional specific flags to pass to the C compiler\&.
+.RE
+.PP
+\-\-exec\-prefix
+.RS 4
+Prints the directory prefix used in the ISC BIND installation for architecture dependent files to standard output\&.
+.RE
+.PP
+\-\-libs
+.RS 4
+Prints the linker command line options used to link with the ISC BIND libraries\&. Use the
+\fBlibraries\fR
+command line argument(s) to print additional specific flags\&.
+.RE
+.PP
+\-\-prefix
+.RS 4
+Prints the directory prefix used in the ISC BIND installation for architecture independent files to standard output\&.
+.RE
+.PP
+\-\-version
+.RS 4
+Prints the version of the installed ISC BIND suite\&.
+.RE
+.SH "RETURN VALUES"
+.PP
+\fBisc\-config\&.sh\fR
+returns an exit status of 1 if invoked with invalid arguments or no arguments at all\&. It returns 0 if information was successfully printed\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>isc-config.sh</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.isc-config.sh"></a><div class="titlepage"></div>
+
+
+
+
+
+
+
+ <div class="refnamediv">
+<h2>Name</h2>
+<p>
+ <span class="application">isc-config.sh</span>
+ — Get information about the installed version of ISC BIND
+ </p>
+</div>
+
+ <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+ <div class="cmdsynopsis"><p>
+ <code class="command">isc-config.sh</code>
+ [<code class="option">--cflags</code>]
+ [<code class="option">--exec-prefix</code>]
+ [<code class="option">--libs</code>]
+ [<code class="option">--prefix</code>]
+ [<code class="option">--version</code>]
+ [libraries...]
+ </p></div>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+ <p><span class="command"><strong>isc-config.sh</strong></span>
+ prints information related to the installed version of ISC BIND,
+ such as the compiler and linker flags required to compile
+ and link programs that use ISC BIND libraries.
+ </p>
+ <p>
+ The optional libraries are used to report specific details
+ for compiling and linking for the listed libraries.
+ The allowed choices are:
+ <code class="option">isc</code>,
+ <code class="option">isccc</code>,
+ <code class="option">isccfg</code>,
+ <code class="option">dns</code>,
+ <code class="option">bind9</code>.
+ Multiple libraries may be listed on the command line.
+ (Some libraries require other libraries, so are implied.)
+ </p>
+
+ </div>
+
+ <div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+
+
+ <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">--cflags</span></dt>
+<dd>
+ <p>
+ Prints the compiler command line options required to
+ compile files that use ISC BIND.
+ Use the <code class="option">libraries</code> command line argument(s)
+ to print additional specific flags to pass to the C compiler.
+ </p>
+ </dd>
+<dt><span class="term">--exec-prefix</span></dt>
+<dd>
+ <p>
+ Prints the directory prefix used in the ISC BIND installation
+ for architecture dependent files to standard output.
+ </p>
+ </dd>
+<dt><span class="term">--libs</span></dt>
+<dd>
+ <p>
+ Prints the linker command line options used to
+ link with the ISC BIND libraries.
+ Use the <code class="option">libraries</code> command line argument(s)
+ to print additional specific flags.
+ </p>
+ </dd>
+<dt><span class="term">--prefix</span></dt>
+<dd>
+ <p>
+ Prints the directory prefix used in the ISC BIND installation
+ for architecture independent files to standard output.
+ </p>
+ </dd>
+<dt><span class="term">--version</span></dt>
+<dd>
+ <p>
+ Prints the version of the installed ISC BIND suite.
+ </p>
+ </dd>
+</dl></div>
+
+ </div>
+
+ <div class="refsection">
+<a name="id-1.9"></a><h2>RETURN VALUES</h2>
+
+ <p><span class="command"><strong>isc-config.sh</strong></span>
+ returns an exit status of 1 if
+ invoked with invalid arguments or no arguments at all.
+ It returns 0 if information was successfully printed.
+ </p>
+ </div>
+
+</div></body>
+</html>
projects / thirdparty / bind9.git / commitdiff
