statistics when hitting recursive clients
soft quota. [GL #1067]
+ --- 9.15.1 released ---
+
5248. [func] To clarify the configuration of DNSSEC keys,
the "managed-keys" and "trusted-keys" options
have both been deprecated. The new "dnssec-keys"
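Review bot: entry 5248 says managed-keys and trusted-keys "have both been deprecated", but the man page hunks in this same patch do not treat them alike: the MANAGED-KEYS section only gets "See DNSSEC-KEYS." and the rndc(8) secroots text calls managed-keys "the synonymous managed-keys" while reserving "deprecated" for trusted-keys. Decide on one status for managed-keys (synonym for dnssec-keys, or deprecated) and use the same wording in CHANGES, named.conf(5) and rndc(8).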
+CONTRIBUTING
+
BIND Source Access and Contributor Guidelines
Feb 22, 2018
+HISTORY
+
Functional enhancements from prior major releases of BIND 9
BIND 9.14
* Detect duplicates of UDP queries we are recursing on and drop them.
New stats category "duplicates".
* "USE INTERNAL MALLOC" is now runtime selectable.
- * The lame cache is now done on a basis as some servers only appear to
- be lame for certain query types.
+ * The lame cache is now done on a <qname,qclass,qtype> basis as some
+ servers only appear to be lame for certain query types.
* Limit the number of recursive clients that can be waiting for a single
- query () to resolve. New options clients-per-query and
- max-clients-per-query.
+ query (<qname,qtype,qclass>) to resolve. New options clients-per-query
+ and max-clients-per-query.
* dig: report the number of extra bytes still left in the packet after
processing all the records.
* Support for IPSECKEY rdata type.
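Review bot: the two added tuples use different field orders, `<qname,qclass,qtype>` in the lame-cache item and `<qname,qtype,qclass>` in the clients-per-query item, which invites a reader to look for a distinction that is not there. Use one order in both; `<qname,qtype,qclass>` matches the QNAME/QTYPE/QCLASS order of the question section in RFC 1035.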
+OPTIONS
+
Setting the STD_CDEFINES environment variable before running configure can
be used to enable certain compile-time options that are not explicitly
defined in configure.
Some of these settings are:
-Setting Description
+ Setting Description
Overwrite memory with tag values when allocating
-DISC_MEM_DEFAULTFILL=1 or freeing it; this impairs performance but
makes debugging of memory problems easier.
+PLATFORMS
+
Supported platforms
In general, this version of BIND will build and run on any POSIX-compliant
Platform quirks
-ARM
-
-If the compilation ends with following error:
-
-Error: selected processor does not support `yield' in ARM mode
-
-You will need to set -march compiler option to native, so the compiler
-recognizes yield assembler instruction. The proper way to set -march=
-native would be to put it into CFLAGS, e.g. run ./configure like this:
-CFLAGS="-march=native -Os -g" ./configure plus your usual options.
-
-If that doesn't work, you can enforce the minimum CPU and FPU (taken from
-Debian armhf documentation):
-
- * The lowest worthwhile CPU implementation is Armv7-A, therefore the
- recommended build option is -march=armv7-a.
-
- * FPU should be set at VFPv3-D16 as they represent the minimum
- specification of the processors to support here, therefore the
- recommended build option is -mfpu=vfpv3-d16.
-
-The configure command should look like this:
-
-CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
-
NetBSD 6 i386
The i386 build of NetBSD requires the libatomic library, available from
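Review bot: this hunk deletes the entire ARM quirk, including the "selected processor does not support `yield' in ARM mode" symptom and the -march=armv7-a / -mfpu=vfpv3-d16 workaround, without a word on why. If the build no longer emits `yield` on older ARM targets, point to the change that made the note obsolete (the CHANGES hunk in this patch does not mention it); if the failure can still occur on some toolchains, keep at least the one-line -march hint.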
+README
+
BIND 9
Contents
Several environment variables that can be set before running configure
will affect compilation:
-Variable Description
+ Variable Description
CC The C compiler to use. configure tries to figure out the
right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c https://
-github.com/json-c. If these are installed at a nonstandard location,
-specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
+github.com/json-c. If these are installed at a nonstandard location, then:
+
+ * for libxml2, specify the prefix using --with-libxml2=/prefix,
+ * for json-c, adjust PKG_CONFIG_PATH.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
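Review bot: the rewrite drops `--with-libjson=/prefix` and replaces it with "for json-c, adjust PKG_CONFIG_PATH" but does not say that the old flag is gone. If configure no longer accepts --with-libjson, state that explicitly and show the replacement, e.g. `PKG_CONFIG_PATH=/prefix/lib/pkgconfig ./configure`, so build scripts that still pass the flag can be fixed; if it is still accepted, keep it in the list beside the PKG_CONFIG_PATH hint.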
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
-Category Description
+ Category Description
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
referred to entries in the "bind9-bugs" RT database, which was not open to
the public. More recent entries use the form [GL #NNN] or, less often, [GL
!NNN], which, respectively, refer to issues or merge requests in the
-Gitlab database. Most of these are publically readable, unless they
-include information which is confidential or security senstive.
+Gitlab database. Most of these are publicly readable, unless they include
+information which is confidential or security senstive.
To look up a Gitlab issue by its number, use the URL https://
gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
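Review bot: the "publically" to "publicly" fix rewraps the sentence but leaves the next misspelling in place on the rewrapped line `+information which is confidential or security senstive.`; change "senstive" to "sensitive" in the same hunk rather than touching this paragraph twice.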
* The original development of BIND 9 was underwritten by the following
organizations:
- Sun Microsystems, Inc.
- Hewlett Packard
- Compaq Computer Corporation
- IBM
- Process Software Corporation
- Silicon Graphics, Inc.
- Network Associates, Inc.
- U.S. Defense Information Systems Agency
- USENIX Association
- Stichting NLnet - NLnet Foundation
- Nominum, Inc.
+ Sun Microsystems, Inc.
+ Hewlett Packard
+ Compaq Computer Corporation
+ IBM
+ Process Software Corporation
+ Silicon Graphics, Inc.
+ Network Associates, Inc.
+ U.S. Defense Information Systems Agency
+ USENIX Association
+ Stichting NLnet - NLnet Foundation
+ Nominum, Inc.
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
+
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)
and referred to entries in the "bind9-bugs" RT database, which was not open
to the public. More recent entries use the form `[GL #NNN]` or, less often,
`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
-Gitlab database. Most of these are publically readable, unless they include
+Gitlab database. Most of these are publicly readable, unless they include
information which is confidential or security senstive.
To look up a Gitlab issue by its number, use the URL
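Review bot: same typo as in the plain-text README copy: the unchanged context line `information which is confidential or security senstive.` still reads "senstive" and should become "sensitive" while this sentence is being edited.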
Note: When reading the trust anchor file,
\fBdelv\fR
treats
-\fBmanaged\-keys\fR
-statements and
-\fBtrusted\-keys\fR
-statements identically\&. That is, for a managed key, it is the
-\fIinitial\fR
-key that is trusted; RFC 5011 key management is not supported\&.
+\fBdnssec\-keys\fR\fBinitial\-key\fR
+and
+\fBstatic\-key\fR
+entries identically\&. That is, even if a key is configured with
+\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
+\fBdelv\fR
+as if it had been configured as a
+\fBstatic\-key\fR\&.
\fBdelv\fR
-will not consult the managed\-keys database maintained by
+does not consult the managed keys database maintained by
\fBnamed\fR\&. This means that if either of the keys in
/etc/bind\&.keys
is revoked and rolled over, it will be necessary to update
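Review bot: `+\fBdnssec\-keys\fR\fBinitial\-key\fR` has no separator between the two bold spans, so troff will render it as "dnssec-keysinitial-key". Put each on its own line as the HTML version of this note does (`\fBdnssec\-keys\fR` then `\fBinitial\-key\fR`), or write `\fBdnssec\-keys\fR \fBinitial\-key\fR`. The removed sentence "RFC 5011 key management is not supported" stated the practical consequence plainly; the new wording ("treated ... as if it had been configured as a static-key") would be clearer with that consequence kept.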
</p>
<p>
Note: When reading the trust anchor file,
- <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
- statements and <code class="option">trusted-keys</code> statements
- identically. That is, for a managed key, it is the
- <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
- key management is not supported. <span class="command"><strong>delv</strong></span>
- will not consult the managed-keys database maintained by
- <span class="command"><strong>named</strong></span>. This means that if either of the
- keys in <code class="filename">/etc/bind.keys</code> is revoked
+ <span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
+ <code class="option">initial-key</code> and <code class="option">static-key</code>
+ entries identically. That is, even if a key is configured
+ with <span class="command"><strong>initial-key</strong></span>, indicating that it is
+ meant to be used only as an initializing key for RFC 5011
+ key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
+ as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
+ <span class="command"><strong>delv</strong></span> does not consult the managed keys
+ database maintained by <span class="command"><strong>named</strong></span>. This means
+ that if either of the keys in
+ <code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>.
.RS 4
Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
\fBdig\fR
-normally sends recursive queries\&. Recursion is automatically disabled when the
+normally sends recursive queries\&. Recursion is automatically disabled when using the
\fI+nssearch\fR
-or
+option, and when using
\fI+trace\fR
-query options are used\&.
+except for an initial recursive query to get the list of root servers\&.
.RE
.PP
\fB+retry=T\fR
in the query. This bit is set by default, which means
<span class="command"><strong>dig</strong></span> normally sends recursive
queries. Recursion is automatically disabled when
- the <em class="parameter"><code>+nssearch</code></em> or
- <em class="parameter"><code>+trace</code></em> query options are used.
+ using the <em class="parameter"><code>+nssearch</code></em> option, and
+ when using <em class="parameter"><code>+trace</code></em> except for
+ an initial recursive query to get the list of root
+ servers.
</p>
</dd>
<dt><span class="term"><code class="option">+retry=T</code></span></dt>
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 2018-12-07
+.\" Date: 2019-05-10
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
-.TH "NAMED\&.CONF" "5" "2018\-12\-07" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2019\-05\-10" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.if n \{\
.RE
.\}
+.SH "DNSSEC-KEYS"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+dnssec\-keys { \fIstring\fR ( static\-key |
+ initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. };
+.fi
+.if n \{\
+.RE
+.\}
.SH "DYNDB"
.sp
.if n \{\
.RE
.\}
.SH "MANAGED-KEYS"
+.PP
+See DNSSEC\-KEYS\&.
.sp
.if n \{\
.RS 4
.\}
.nf
-managed\-keys { \fIstring\fR \fIstring\fR \fIinteger\fR
- \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
+managed\-keys { \fIstring\fR ( static\-key |
+ initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
.RE
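Review bot: the managed-keys grammar narrows its second field from a free `\fIstring\fR` to the keyword set `( static\-key | initial\-key )`. Deployed named.conf files carry whatever token was previously written in that position, so the CHANGES entry should say whether the old spelling is still accepted as a synonym or must be rewritten, and the new `.PP See DNSSEC\-KEYS\&.` line should say which keyword the old managed-keys semantics map to (initial-key, going by the delv(1) text in this patch).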
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
- dnssec\-enable \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR trust\-anchor
\fIstring\fR | auto | no );
resolver\-retry\-interval \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
- response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl
- \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname |
- disabled | drop | given | no\-op | nodata | nxdomain | passthru
- | tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [
- nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [
+ response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
+ \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
+ \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
+ nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
+ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
+ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
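Review bot: `- dnssec\-enable \fIboolean\fR;` disappears from the options grammar (and again from the view grammar further down), but nothing in the CHANGES hunk of this patch announces that dnssec-enable is gone. Removing an option needs its own CHANGES entry plus a statement of what named does when a config still contains it (reject, warn and ignore, or accept as a no-op); without that, `dnssec-enable no;` in existing configs may become an unexplained parse failure on upgrade.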
.RE
.\}
.SH "TRUSTED-KEYS"
+.PP
+Deprecated \- see DNSSEC\-KEYS\&.
.sp
.if n \{\
.RS 4
.\}
.nf
-trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR
- \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
+trusted\-keys { \fIstring\fR \fIinteger\fR
+ \fIinteger\fR \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. };, deprecated
.fi
.if n \{\
.RE
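Review bot: the `.nf` grammar block now ends `\fIquoted_string\fR; \&.\&.\&. };, deprecated`, which renders ", deprecated" as though it were part of the trusted-keys syntax. The deprecation is already stated by the new `.PP Deprecated \- see DNSSEC\-KEYS\&.` paragraph, so drop the trailing `, deprecated` from the literal block; the same suffix recurs in the view grammar below and in both HTML copies.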
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
- dnssec\-enable \fIboolean\fR;
+ dnssec\-keys { \fIstring\fR ( static\-key |
+ initial\-key ) \fIinteger\fR \fIinteger\fR
+ \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR trust\-anchor
\fIstring\fR | auto | no );
key\-directory \fIquoted_string\fR;
lame\-ttl \fIttlval\fR;
lmdb\-mapsize \fIsizeval\fR;
- managed\-keys { \fIstring\fR \fIstring\fR
- \fIinteger\fR \fIinteger\fR \fIinteger\fR
- \fIquoted_string\fR; \&.\&.\&. };
+ managed\-keys { \fIstring\fR ( static\-key |
+ initial\-key ) \fIinteger\fR \fIinteger\fR
+ \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
masterfile\-format ( map | raw | text );
masterfile\-style ( full | relative );
match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
resolver\-retry\-interval \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
- response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl
- \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname |
- disabled | drop | given | no\-op | nodata | nxdomain | passthru
- | tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [
- nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [
+ response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
+ \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
+ \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
+ nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
+ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
+ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
] [ dscp \fIinteger\fR ];
trust\-anchor\-telemetry \fIboolean\fR; // experimental
- trusted\-keys { \fIstring\fR \fIinteger\fR
- \fIinteger\fR \fIinteger\fR \fIquoted_string\fR;
- \&.\&.\&. };
+ trusted\-keys { \fIstring\fR
+ \fIinteger\fR \fIinteger\fR
+ \fIinteger\fR
+ \fIquoted_string\fR; \&.\&.\&. };, deprecated
try\-tcp\-refresh \fIboolean\fR;
update\-check\-ksk \fIboolean\fR;
use\-alt\-transfer\-source \fIboolean\fR;
<div class="refsection">
<a name="id-1.8"></a><h2>ACL</h2>
-
<div class="literallayout"><p><br>
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
</p></div>
<div class="refsection">
<a name="id-1.9"></a><h2>CONTROLS</h2>
-
<div class="literallayout"><p><br>
controls {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
<div class="refsection">
<a name="id-1.10"></a><h2>DLZ</h2>
-
<div class="literallayout"><p><br>
dlz <em class="replaceable"><code>string</code></em> {<br>
database <em class="replaceable"><code>string</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.11"></a><h2>DYNDB</h2>
+<a name="id-1.11"></a><h2>DNSSEC-KEYS</h2>
+ <div class="literallayout"><p><br>
+dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+</p></div>
+ </div>
+ <div class="refsection">
+<a name="id-1.12"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
    <em class="replaceable"><code>unspecified-text</code></em> };<br>
</div>
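Review bot: inserting the DNSSEC-KEYS refsection shifts every later auto-generated anchor by one (`id-1.11` DYNDB becomes `id-1.12`, through `id-1.24` SEE ALSO becoming `id-1.25`), so any existing deep link into named.conf.html now lands one section off. If these ids come from DocBook's default generator this cannot be fixed in the generated diff, but giving the refsections stable `id` attributes in the DocBook source would stop future insertions from renumbering them.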
<div class="refsection">
-<a name="id-1.12"></a><h2>KEY</h2>
-
+<a name="id-1.13"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.13"></a><h2>LOGGING</h2>
-
+<a name="id-1.14"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
<div class="refsection">
-<a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
-
+<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
+ <p>See DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
-managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
<div class="refsection">
-<a name="id-1.15"></a><h2>MASTERS</h2>
-
+<a name="id-1.16"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
</div>
<div class="refsection">
-<a name="id-1.16"></a><h2>OPTIONS</h2>
-
+<a name="id-1.17"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
    <em class="replaceable"><code>string</code></em> | auto | no );<br>
resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
- response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
-     <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
-     disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
-     | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
-     nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
+ response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
+     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
+     <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+     nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+     recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+     nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
</div>
<div class="refsection">
-<a name="id-1.17"></a><h2>PLUGIN</h2>
-
+<a name="id-1.18"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
</div>
<div class="refsection">
-<a name="id-1.18"></a><h2>SERVER</h2>
-
+<a name="id-1.19"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
-
+<a name="id-1.20"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
</div>
<div class="refsection">
-<a name="id-1.20"></a><h2>TRUSTED-KEYS</h2>
-
+<a name="id-1.21"></a><h2>TRUSTED-KEYS</h2>
+ <p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
-trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
+Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
</p></div>
</div>
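Review bot: the indentation on the added line `Â Â Â Â <em class="replaceable"><code>integer</code></em>Â ...` consists of non-breaking spaces (visible here as mis-encoded `Â `), while the next added line is indented with plain spaces; the view-level trusted-keys block below has the same mix. Normalize to plain spaces so the literallayout aligns and no mojibake reaches the rendered page. The trailing `};, deprecated` inside the literal layout also duplicates the `<p>Deprecated - see DNSSEC-KEYS.</p>` line just above it and should be removed.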
<div class="refsection">
-<a name="id-1.21"></a><h2>VIEW</h2>
-
+<a name="id-1.22"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
+ dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+     initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
    <em class="replaceable"><code>string</code></em> | auto | no );<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
- managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em><br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+ managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+     initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
masterfile-format ( map | raw | text );<br>
masterfile-style ( full | relative );<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
- response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
-     <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
-     disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
-     | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
-     nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
+ response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
+     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
+     <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+     nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+     recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+     nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
- trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>quoted_string</code></em>;<br>
-     ... };<br>
+ trusted-keys { <em class="replaceable"><code>string</code></em><br>
+ Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+ Â Â Â Â <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.22"></a><h2>ZONE</h2>
-
+<a name="id-1.23"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
</div>
<div class="refsection">
-<a name="id-1.23"></a><h2>FILES</h2>
+<a name="id-1.24"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsection">
-<a name="id-1.24"></a><h2>SEE ALSO</h2>
+<a name="id-1.25"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)
.PP
\fBmanaged\-keys \fR\fB\fI(status | refresh | sync | destroy)\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
-Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&.
+Inspect and control the "managed keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&.
.sp
.RS 4
.ie n \{\
.\}
When run with the
status
-keyword, prints the current status of the managed\-keys database\&.
+keyword, prints the current status of the managed keys database\&.
.RE
.sp
.RS 4
.\}
When run with the
refresh
-keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed\-keys database if any new keys are found, without waiting the normal refresh interval\&.
+keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed keys database if any new keys are found, without waiting the normal refresh interval\&.
.RE
.sp
.RS 4
.\}
When run with the
sync
-keyword, forces an immediate dump of the managed\-keys database to disk (in the file
+keyword, forces an immediate dump of the managed keys database to disk (in the file
managed\-keys\&.bind
or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal file, so that the database\*(Aqs current contents can be inspected visually\&.
.RE
.\}
When run with the
destroy
-keyword, the managed\-keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&.
+keyword, the managed keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&.
.sp
Existing keys that are already trusted are not deleted from memory; DNSSEC validation can continue after this command is used\&. However, key maintenance operations will cease until
\fBnamed\fR
\fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
.RS 4
Dump the security roots (i\&.e\&., trust anchors configured via
-\fBtrusted\-keys\fR,
-\fBmanaged\-keys\fR, or
+\fBdnssec\-keys\fR
+statements, or the synonymous
+\fBmanaged\-keys\fR
+or the deprecated
+\fBtrusted\-keys\fR
+statements, or via
\fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
.sp
If the first argument is "\-", then the output is returned via the
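Review bot: the secroots text still says the dump reports keys "configured as trusted keys, managed keys, or initializing managed keys", while the list of statements just above it now leads with dnssec-keys; a reader of the new text cannot tell which label a static-key or initial-key entry will get. Suggest one added clause, e.g. "(static-key entries are reported as trusted keys, initial-key entries as managed keys)", assuming that is the mapping the dump uses. The same sentence is in the HTML rendering of secroots, so fix it once in the DocBook source.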
.RS 4
List the names of all TSIG keys currently configured for use by
\fBnamed\fR
-in each view\&. The list both statically configured keys and dynamic TKEY\-negotiated keys\&.
+in each view\&. The list includes both statically configured keys and dynamic TKEY\-negotiated keys\&.
.RE
.PP
\fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR
<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync | destroy)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
- Inspect and control the "managed-keys" database which
+ Inspect and control the "managed keys" database which
handles RFC 5011 DNSSEC trust anchor maintenance. If a view
is specified, these commands are applied to that view;
otherwise they are applied to all views.
<li class="listitem">
<p>
When run with the <code class="literal">status</code> keyword, prints
- the current status of the managed-keys database.
+ the current status of the managed keys database.
</p>
</li>
<li class="listitem">
<p>
When run with the <code class="literal">refresh</code> keyword,
forces an immediate refresh query to be sent for all
- the managed keys, updating the managed-keys database
+ the managed keys, updating the managed keys database
if any new keys are found, without waiting the normal
refresh interval.
</p>
<li class="listitem">
<p>
When run with the <code class="literal">sync</code> keyword, forces an
- immediate dump of the managed-keys database to disk
+ immediate dump of the managed keys database to disk
(in the file <code class="filename">managed-keys.bind</code> or
(<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
This synchronizes the database with its journal file, so
<li class="listitem">
<p>
When run with the <code class="literal">destroy</code> keyword, the
- managed-keys database is shut down and deleted, and all key
+ managed keys database is shut down and deleted, and all key
maintenance is terminated. This command should be used only
with extreme caution.
</p>
<dd>
<p>
Dump the security roots (i.e., trust anchors
- configured via <span class="command"><strong>trusted-keys</strong></span>,
- <span class="command"><strong>managed-keys</strong></span>, or
- <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
+ configured via <span class="command"><strong>dnssec-keys</strong></span> statements,
+ or the synonymous <span class="command"><strong>managed-keys</strong></span> or
+ the deprecated <span class="command"><strong>trusted-keys</strong></span> statements, or
+ via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether
they are configured as trusted keys, managed keys, or
<p>
List the names of all TSIG keys currently configured
for use by <span class="command"><strong>named</strong></span> in each view. The
- list both statically configured keys and dynamic
+ list includes both statically configured keys and dynamic
TKEY-negotiated keys.
</p>
</dd>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#generating_dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
</dl></dd>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
+<a name="generating_dnssec_keys"></a>Generating Keys</h3></div></div></div>
<p>
The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
<strong class="userinput"><code>yes</code></strong>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <code class="filename">named.conf</code>
- using a <span class="command"><strong>trusted-keys</strong></span> or
- <span class="command"><strong>managed-keys</strong></span> statement.
+ using a <span class="command"><strong>dnssec-keys</strong></span> statement (or the
+ synonymous <span class="command"><strong>managed-keys</strong></span> or the deprecated
+ <span class="command"><strong>trusted-keys</strong></span> statements).
</p>
<p>
When <span class="command"><strong>dnssec-validation</strong></span> is set to
</p>
<p>
- <span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
- for zones that are used to form the first link in the
- cryptographic chain of trust. All keys listed in
- <span class="command"><strong>trusted-keys</strong></span> (and corresponding zones)
- are deemed to exist and only the listed keys will be used
- to validated the DNSKEY RRset that they are from.
+ The keys specified in <span class="command"><strong>dnssec-keys</strong></span>
+ copies of DNSKEY RRs for zones that are used to form the
+ first link in the cryptographic chain of trust. Keys configured
+ with the keyword <span class="command"><strong>static-key</strong></span> are loaded directly
+ into the table of trust anchors, and can only be changed by
+ altering the configuration. Keys configured with
+ <span class="command"><strong>initial-key</strong></span> are used to initialize
+ RFC 5011 trust anchor maintenance, and will be kept up to
+ date automatically after the first time <span class="command"><strong>named</strong></span>
+ runs.
</p>
<p>
- <span class="command"><strong>managed-keys</strong></span> are trusted keys which are
- automatically kept up to date via RFC 5011 trust anchor
- maintenance.
- </p>
-
- <p>
- <span class="command"><strong>trusted-keys</strong></span> and
- <span class="command"><strong>managed-keys</strong></span> are described in more detail
+ <span class="command"><strong>dnssec-keys</strong></span> is described in more detail
later in this document.
</p>
</p>
<pre class="programlisting">
-managed-keys {
+dnssec-keys {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
dgxbcDTClU0CRBdiieyLMNzXG3";
-};
-
-trusted-keys {
/* Key for our organization's forward zone */
- example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
+ example.com. static-key 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
1OTQ09A0=";
/* Key for our reverse zone. */
- 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
+ 2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
xOdNax071L18QqZnQQQAVVr+i
LhGTnNGp3HoWQLUIzKrJVZ3zg
gy3WwNT6kZo6c0tszYqbtvchm
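Review bot: the rewritten paragraph is missing its verb, "The keys specified in dnssec-keys copies of DNSKEY RRs for zones ..." should read "The keys specified in dnssec-keys are copies of DNSKEY RRs ...". In the example configuration, the reverse-zone entry is rewritten to add static-key but keeps the owner name 2.0.192.IN-ADDRPA.NET., which does not match the "Key for our reverse zone" comment and looks like a long-standing typo for 2.0.192.in-addr.arpa.; since the line is touched here, correct it. The sample "Root Key" entry also carries algorithm number 3 (DSA), so it is clearly illustrative rather than the current root trust anchor; a comment saying so would stop readers from pasting it into a live named.conf.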
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
- <span class="command"><strong>managed-keys</strong></span> statement. Information about
+ <span class="command"><strong>dnssec-keys</strong></span> statement and the
+ <span class="command"><strong>initial-key</strong></span> keyword. Information about
this can be found in
- <a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Definition
+ <a class="xref" href="Bv9ARM.ch05.html#dnssec-keys" title="dnssec-keys Statement Definition and Usage">the section called “<span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage”</a>.</p>
-
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
- Usage</a></span></dt>
+ Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
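Review bot: the anchor names for the new dnssec-keys sections invert the convention used by the neighbouring entries. For trusted-keys the grammar section is #trusted-keys and the definition is #trusted_keys, and the re-added managed-keys entries follow the same pattern (#managed-keys grammar, #managed_keys definition), but dnssec-keys gets #dnssec_keys for the grammar and #dnssec-keys for the definition (the latter is also the target of the chapter 4 xref). Note too that #managed-keys previously pointed at the definition section and now points at the grammar, so existing deep links land on the wrong section; consider keeping the old managed-keys mapping and naming the dnssec-keys anchors #dnssec-keys (grammar) and #dnssec_keys (definition), with the chapter 4 link and the section headings updated to match.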
</tr>
<tr>
<td>
- <p><span class="command"><strong>trusted-keys</strong></span></p>
+ <p><span class="command"><strong>dnssec-keys</strong></span></p>
</td>
<td>
<p>
- defines trusted DNSSEC keys.
+ defines DNSSEC keys: if used with the
+ <span class="command"><strong>initial-key</strong></span> keyword,
+ keys are kept up to date using RFC 5011
+ trust anchor maintenance, and if used with
+ <span class="command"><strong>static-key</strong></span>, keys are permanent.
+ Identical to <span class="command"><strong>managed-keys</strong></span>,
+ but has been added for improved clarity.
</p>
</td>
</tr>
</td>
<td>
<p>
- lists DNSSEC keys to be kept up to date
- using RFC 5011 trust anchor maintenance.
+ is identical to <span class="command"><strong>dnssec-keys</strong></span>,
+ and is retained for backward compatibility.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span class="command"><strong>trusted-keys</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines permanent trusted DNSSEC keys;
+ this option is deprecated in favor
+ of <span class="command"><strong>dnssec-keys</strong></span> with
+ the <span class="command"><strong>static-key</strong></span> keyword,
+ and may be removed in a future release.
</p>
</td>
</tr>
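Review bot: the new dnssec-keys row opens with "defines DNSSEC keys", which readers can easily take to mean zone-signing keys; the rest of the row and the dnssec-keys definition section later in this change talk about trust anchors, so say "defines DNSSEC trust anchors" here. The sentence "Identical to managed-keys, but has been added for improved clarity" also reads oddly in a reference table; the managed-keys row already says it is identical and retained for backward compatibility, so stating the relationship once is enough.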
<span class="command"><strong>dnsrps-options</strong></span> { <em class="replaceable"><code>unspecified-text</code></em> };
<span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
- <span class="command"><strong>dnssec-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em> trust-anchor
<em class="replaceable"><code>string</code></em> | auto | no );
<span class="command"><strong>resolver-retry-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size
<em class="replaceable"><code>integer</code></em>;
- <span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl
- <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |
- <span class="command"><strong>disabled</strong></span> | drop | given | no-op | nodata | nxdomain | passthru
- | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [
- <span class="command"><strong>nsip-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [
+ <span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log
+ <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval
+ <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |
+ <span class="command"><strong>nodata</strong></span> | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
+ <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
+ <span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [
<span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [
<span class="command"><strong>nsip-wait-recurse</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]
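Review bot: the options grammar drops dnssec-enable and adds add-soa to response-policy (both per zone and at the top level), but this diff shows no matching change to the definition-and-usage text for either. If dnssec-enable is now rejected by the parser, that needs to be stated where a reader of the grammar will find it, since existing configurations will fail to load; if it is still accepted and ignored, it should stay in the grammar and be marked obsolete, as cleaning-interval is elsewhere in this change. add-soa needs a definition entry (meaning and default) in the response-policy section.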
configurable options be consistent among these
views:
<span class="command"><strong>check-names</strong></span>,
- <span class="command"><strong>cleaning-interval</strong></span>,
<span class="command"><strong>dnssec-accept-expired</strong></span>,
<span class="command"><strong>dnssec-validation</strong></span>,
<span class="command"><strong>max-cache-ttl</strong></span>,
<dd>
<p>
Specifies the directory in which to store the files that
- track managed DNSSEC keys. By default, this is the working
- directory. The directory <span class="emphasis"><em>must</em></span>
- be writable by the effective user ID of the
- <span class="command"><strong>named</strong></span> process.
+ track managed DNSSEC keys (i.e., those configured using
+ the <span class="command"><strong>initial-key</strong></span> keyword in a
+ <span class="command"><strong>dnssec-keys</strong></span> statement). By default,
+ this is the working directory. The directory
+ <span class="emphasis"><em>must</em></span> be writable by the effective
+ user ID of the <span class="command"><strong>named</strong></span> process.
</p>
<p>
If <span class="command"><strong>named</strong></span> is not configured to use views,
then <span class="command"><strong>named</strong></span> will only accept answers if
they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
DNSSEC validation applies allowing for insecure answers to
- be accepted. The specified domain must be under a
- <span class="command"><strong>trusted-keys</strong></span> or
- <span class="command"><strong>managed-keys</strong></span> statement, or
- <span class="command"><strong>dnssec-validation auto</strong></span> must be active.
+ be accepted. The specified domain must be defined as a
+ trust anchor, for instance in a <span class="command"><strong>dnssec-keys</strong></span>
+ statement, or <span class="command"><strong>dnssec-validation auto</strong></span> must
+ be active.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt>
<p>
Causes <span class="command"><strong>named</strong></span> to send specially-formed
queries once per day to domains for which trust anchors
- have been configured via <span class="command"><strong>trusted-keys</strong></span>,
- <span class="command"><strong>managed-keys</strong></span>, or
+ have been configured via, e.g.,
+ <span class="command"><strong>dnssec-keys</strong></span> or
<span class="command"><strong>dnssec-validation auto</strong></span>.
</p>
<p>
<p>
If set to <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is
enabled, but a trust anchor must be manually configured
- using a <span class="command"><strong>trusted-keys</strong></span>
- or <span class="command"><strong>managed-keys</strong></span> statement; if there
- is no configured trust anchor, validation will not take
- place.
+ using a <span class="command"><strong>dnssec-keys</strong></span> statement (or
+ the synonymous <span class="command"><strong>managed-keys</strong></span>, or the
+ deprecated <span class="command"><strong>trusted-keys</strong></span> statements).
+ If there is no configured trust anchor, validation will
+ not take place.
</p>
<p>
If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
<dt><span class="term"><span class="command"><strong>cleaning-interval</strong></span></span></dt>
<dd>
<p>
- This interval is effectively obsolete. Previously,
- the server would remove expired resource records
- from the cache every <span class="command"><strong>cleaning-interval</strong></span> minutes.
- <acronym class="acronym">BIND</acronym> 9 now manages cache
- memory in a more sophisticated manner and does not
- rely on the periodic cleaning any more.
- Specifying this option therefore has no effect on
- the server's behavior.
+ This option is obsolete.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>heartbeat-interval</strong></span></span></dt>
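Review bot: replacing the cleaning-interval description with just "This option is obsolete." loses the one fact an operator needs when they find it in an old named.conf, namely whether named still accepts it. The removed text said the option is accepted and has no effect on the server's behaviour; keep one sentence to that effect (and, if it now produces a warning or is rejected, say which), because an unqualified "obsolete" is exactly where config-load surprises come from.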
</p>
</div>
- <div class="section">
+ <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting">
+ <pre class="programlisting">
<span class="command"><strong>statistics-channels</strong></span> {
<span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |
* ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [
} ];
};
</pre>
- </div>
+ </div>
- <div class="section">
+ <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
- Usage</h3></div></div></div>
+ Usage</h3></div></div></div>
- <p>
- The <span class="command"><strong>statistics-channels</strong></span> statement
- declares communication channels to be used by system
- administrators to get access to statistics information of
- the name server.
- </p>
+ <p>
+ The <span class="command"><strong>statistics-channels</strong></span> statement
+ declares communication channels to be used by system
+ administrators to get access to statistics information of
+ the name server.
+ </p>
- <p>
- This statement intends to be flexible to support multiple
- communication protocols in the future, but currently only
- HTTP access is supported.
- It requires that BIND 9 be compiled with libxml2 and/or
- json-c (also known as libjson0); the
- <span class="command"><strong>statistics-channels</strong></span> statement is
- still accepted even if it is built without the library,
- but any HTTP access will fail with an error.
- </p>
+ <p>
+ This statement intends to be flexible to support multiple
+ communication protocols in the future, but currently only
+ HTTP access is supported.
+ It requires that BIND 9 be compiled with libxml2 and/or
+ json-c (also known as libjson0); the
+ <span class="command"><strong>statistics-channels</strong></span> statement is
+ still accepted even if it is built without the library,
+ but any HTTP access will fail with an error.
+ </p>
- <p>
- An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
- listening at the specified <span class="command"><strong>ip_port</strong></span> on the
- specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code>
- (asterisk) is
- interpreted as the IPv4 wildcard address; connections will be
- accepted on any of the system's IPv4 addresses.
- To listen on the IPv6 wildcard address,
- use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
- </p>
+ <p>
+ An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
+ listening at the specified <span class="command"><strong>ip_port</strong></span> on the
+ specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
+ address. An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code>
+ (asterisk) is
+ interpreted as the IPv4 wildcard address; connections will be
+ accepted on any of the system's IPv4 addresses.
+ To listen on the IPv6 wildcard address,
+ use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
+ </p>
- <p>
- If no port is specified, port 80 is used for HTTP channels.
- The asterisk "<code class="literal">*</code>" cannot be used for
- <span class="command"><strong>ip_port</strong></span>.
- </p>
+ <p>
+ If no port is specified, port 80 is used for HTTP channels.
+ The asterisk "<code class="literal">*</code>" cannot be used for
+ <span class="command"><strong>ip_port</strong></span>.
+ </p>
- <p>
- The attempt of opening a statistics channel is
- restricted by the optional <span class="command"><strong>allow</strong></span> clause.
- Connections to the statistics channel are permitted based on the
- <span class="command"><strong>address_match_list</strong></span>.
- If no <span class="command"><strong>allow</strong></span> clause is present,
- <span class="command"><strong>named</strong></span> accepts connection
- attempts from any address; since the statistics may
- contain sensitive internal information, it is highly
- recommended to restrict the source of connection requests
- appropriately.
- </p>
+ <p>
+ The attempt of opening a statistics channel is
+ restricted by the optional <span class="command"><strong>allow</strong></span> clause.
+ Connections to the statistics channel are permitted based on the
+ <span class="command"><strong>address_match_list</strong></span>.
+ If no <span class="command"><strong>allow</strong></span> clause is present,
+ <span class="command"><strong>named</strong></span> accepts connection
+ attempts from any address; since the statistics may
+ contain sensitive internal information, it is highly
+ recommended to restrict the source of connection requests
+ appropriately.
+ </p>
- <p>
- If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
- <span class="command"><strong>named</strong></span> will not open any communication channels.
- </p>
+ <p>
+ If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
+ <span class="command"><strong>named</strong></span> will not open any communication channels.
+ </p>
- <p>
- The statistics are available in various formats and views
- depending on the URI used to access them. For example, if
- the statistics channel is configured to listen on 127.0.0.1
- port 8888, then the statistics are accessible in XML format at
- <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
- <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
- included which can format the XML statistics into tables
- when viewed with a stylesheet-capable browser, and into
- charts and graphs using the Google Charts API when using a
- javascript-capable browser.
- </p>
+ <p>
+ The statistics are available in various formats and views
+ depending on the URI used to access them. For example, if
+ the statistics channel is configured to listen on 127.0.0.1
+ port 8888, then the statistics are accessible in XML format at
+ <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
+ <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
+ included which can format the XML statistics into tables
+ when viewed with a stylesheet-capable browser, and into
+ charts and graphs using the Google Charts API when using a
+ javascript-capable browser.
+ </p>
- <p>
- Broken-out subsets of the statistics can be viewed at
- <a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
- (server uptime and last reconfiguration time),
- <a class="link" href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a>
- (server and resolver statistics),
- <a class="link" href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a>
- (zone statistics),
- <a class="link" href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a>
- (network status and socket statistics),
- <a class="link" href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a>
- (memory manager statistics),
- <a class="link" href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a>
- (task manager statistics), and
- <a class="link" href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
- (traffic sizes).
- </p>
+ <p>
+ Broken-out subsets of the statistics can be viewed at
+ <a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
+ (server uptime and last reconfiguration time),
+ <a class="link" href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a>
+ (server and resolver statistics),
+ <a class="link" href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a>
+ (zone statistics),
+ <a class="link" href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a>
+ (network status and socket statistics),
+ <a class="link" href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a>
+ (memory manager statistics),
+ <a class="link" href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a>
+ (task manager statistics), and
+ <a class="link" href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
+ (traffic sizes).
+ </p>
- <p>
- The full set of statistics can also be read in JSON format at
- <a class="link" href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
- with the broken-out subsets at
- <a class="link" href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
- (server uptime and last reconfiguration time),
- <a class="link" href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
- (server and resolver statistics),
- <a class="link" href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a>
- (zone statistics),
- <a class="link" href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a>
- (network status and socket statistics),
- <a class="link" href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a>
- (memory manager statistics),
- <a class="link" href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a>
- (task manager statistics), and
- <a class="link" href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
- (traffic sizes).
- </p>
- </div>
+ <p>
+ The full set of statistics can also be read in JSON format at
+ <a class="link" href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
+ with the broken-out subsets at
+ <a class="link" href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
+ (server uptime and last reconfiguration time),
+ <a class="link" href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
+ (server and resolver statistics),
+ <a class="link" href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a>
+ (zone statistics),
+ <a class="link" href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a>
+ (network status and socket statistics),
+ <a class="link" href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a>
+ (memory manager statistics),
+ <a class="link" href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a>
+ (task manager statistics), and
+ <a class="link" href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
+ (traffic sizes).
+ </p>
+ </div>
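Review bot: the entire statistics-channels section is a whitespace-only re-indentation (every removed line reappears with one less space of indent and identical text), which buries the substantive changes in this diff and marks every line as modified in blame. Suggest dropping it from this change or committing the reflow separately. While the section is being touched: it still documents that with no allow clause named accepts statistics connections from any address and that the default HTTP port is 80, and two sentences later warns that the statistics contain sensitive internal information; the section would be stronger with an example inet channel bound to 127.0.0.1 and carrying an allow clause, matching the 127.0.0.1:8888 URLs it already uses.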
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="dnssec_keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
-<span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
- <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
+<span class="command"><strong>dnssec-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
+ <span class="command"><strong>initial-key</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
+ <em class="replaceable"><code>quoted_string</code></em>; ... };
</pre>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
+<a name="dnssec-keys"></a><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
- The <span class="command"><strong>trusted-keys</strong></span> statement defines
- DNSSEC security roots. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
- public key for a non-authoritative zone is known, but
- cannot be securely obtained through DNS, either because
- it is the DNS root zone or because its parent zone is
- unsigned. Once a key has been configured as a trusted
- key, it is treated as if it had been validated and
- proven secure. The resolver attempts DNSSEC validation
- on all DNS data in subdomains of a security root.
+ The <span class="command"><strong>dnssec-keys</strong></span> statement defines DNSSEC
+ trust anchors. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>.
+ </p>
+ <p>
+ A trust anchor is defined when the public key for
+ a non-authoritative zone is known, but cannot be securely
+ obtained through DNS, either because it is the DNS root zone
+ or because its parent zone is unsigned. Once a key has been
+ configured as a trust anchor, it is treated as if it had
+ been validated and proven secure.
+ </p>
+ <p>
+ The resolver attempts DNSSEC validation on all DNS data
+ in subdomains of configured trust anchors. (Validation below
+ specified names can be temporarily disabled by using
+ <span class="command"><strong>rndc nta</strong></span>, or permanently disabled with
+ the <span class="command"><strong>validate-except</strong></span> option).
</p>
<p>
- All keys (and corresponding zones) listed in
- <span class="command"><strong>trusted-keys</strong></span> are deemed to exist regardless
- of what parent zones say. Similarly for all keys listed in
- <span class="command"><strong>trusted-keys</strong></span> only those keys are
- used to validate the DNSKEY RRset. The parent's DS RRset
- will not be used.
+ All keys listed in <span class="command"><strong>dnssec-keys</strong></span>, and
+ their corresponding zones, are deemed to exist regardless
+ of what parent zones say. Only keys configured as trust anchors
+ are used to validate the DNSKEY RRset for the corresponding
+ name. The parent's DS RRset will not be used.
</p>
<p>
- The <span class="command"><strong>trusted-keys</strong></span> statement can contain
+ The <span class="command"><strong>dnssec-keys</strong></span> statement can contain
multiple key entries, each consisting of the key's
- domain name, flags, protocol, algorithm, and the Base64
- representation of the key data.
- Spaces, tabs, newlines and carriage returns are ignored
+ domain name, followed by the <span class="command"><strong>static-key</strong></span> or
+ <span class="command"><strong>initial-key</strong></span> keyword, then the key's flags,
+ protocol, algorithm, and the Base64 representation of the key
+ data. Spaces, tabs, newlines and carriage returns are ignored
in the key data, so the configuration may be split up into
multiple lines.
</p>
<p>
- <span class="command"><strong>trusted-keys</strong></span> may be set at the top level
+ <span class="command"><strong>dnssec-keys</strong></span> may be set at the top level
of <code class="filename">named.conf</code> or within a view. If it is
- set in both places, they are additive: keys defined at the top
- level are inherited by all views, but keys defined in a view
- are only used within that view.
+ set in both places, the configurations are additive: keys
+ defined at the top level are inherited by all views, but keys
+ defined in a view are only used within that view.
</p>
<p>
- Validation below specified names can be temporarily disabled
- by using <span class="command"><strong>rndc nta</strong></span>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting">
-<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
- <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };
-</pre>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
- and Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>managed-keys</strong></span> statement, like
- <span class="command"><strong>trusted-keys</strong></span>, defines DNSSEC
- security roots. The difference is that
- <span class="command"><strong>managed-keys</strong></span> can be kept up to date
- automatically, without intervention from the resolver
- operator.
+ <span class="command"><strong>dnssec-keys</strong></span> entries can be configured with
+ two keywords: <span class="command"><strong>static-key</strong></span> or
+ <span class="command"><strong>initial-key</strong></span>. Keys configured with
+ <span class="command"><strong>static-key</strong></span> are immutable,
+ while keys configured with <span class="command"><strong>initial-key</strong></span>
+ can be kept up to date automatically, without intervention
+ from the resolver operator. (<span class="command"><strong>static-key</strong></span>
+ keys are identical to keys configured using the deprecated
+ <span class="command"><strong>trusted-keys</strong></span> statement.)
</p>
<p>
Suppose, for example, that a zone's key-signing
key was compromised, and the zone owner had to revoke and
- replace the key. A resolver which had the old key in a
- <span class="command"><strong>trusted-keys</strong></span> statement would be
+ replace the key. A resolver which had the original key
+ configured as a <span class="command"><strong>static-key</strong></span> would be
unable to validate this zone any longer; it would
reply with a SERVFAIL response code. This would
continue until the resolver operator had updated the
- <span class="command"><strong>trusted-keys</strong></span> statement with the new key.
+ <span class="command"><strong>dnssec-keys</strong></span> statement with the new key.
</p>
<p>
- If, however, the zone were listed in a
- <span class="command"><strong>managed-keys</strong></span> statement instead, then the
- zone owner could add a "stand-by" key to the zone in advance.
+ If, however, the trust anchor had been configured with
+ <span class="command"><strong>initial-key</strong></span> instead, then the
+ zone owner could add a "stand-by" key to their zone in advance.
<span class="command"><strong>named</strong></span> would store the stand-by key, and
when the original key was revoked, <span class="command"><strong>named</strong></span>
would be able to transition smoothly to the new key. It would
also recognize that the old key had been revoked, and cease
using that key to validate answers, minimizing the damage that
- the compromised key could do.
- </p>
- <p>
- A <span class="command"><strong>managed-keys</strong></span> statement contains a list of
- the keys to be managed, along with information about how the
- keys are to be initialized for the first time. The only
- initialization method currently supported is
- <code class="literal">initial-key</code>.
- This means the <span class="command"><strong>managed-keys</strong></span> statement must
- contain a copy of the initializing key. (Future releases may
- allow keys to be initialized by other methods, eliminating this
- requirement.)
- </p>
- <p>
- Consequently, a <span class="command"><strong>managed-keys</strong></span> statement
- appears similar to a <span class="command"><strong>trusted-keys</strong></span>, differing
- in the presence of the second field, containing the keyword
- <code class="literal">initial-key</code>. The difference is, whereas the
- keys listed in a <span class="command"><strong>trusted-keys</strong></span> continue to be
- trusted until they are removed from
- <code class="filename">named.conf</code>, an initializing key listed
- in a <span class="command"><strong>managed-keys</strong></span> statement is only trusted
- <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
- managed key database and start the RFC 5011 key maintenance
- process.
- </p>
- <p>
- The first time <span class="command"><strong>named</strong></span> runs with a managed key
- configured in <code class="filename">named.conf</code>, it fetches the
+ the compromised key could do. This is the process used to
+ keep the ICANN root DNSSEC key up to date.
+ </p>
+ <p>
+ Whereas <span class="command"><strong>static-key</strong></span>
+ keys continue to be trusted until they are removed from
+ <code class="filename">named.conf</code>, an
+ <span class="command"><strong>initial-key</strong></span> is only trusted
+ <span class="emphasis"><em>once</em></span>: for as long as it
+ takes to load the managed key database and start the RFC 5011
+ key maintenance process.
+ </p>
+ <p>
+ The first time <span class="command"><strong>named</strong></span> runs with an
+ <span class="command"><strong>initial-key</strong></span> configured in
+ <code class="filename">named.conf</code>, it fetches the
DNSKEY RRset directly from the zone apex, and validates it
- using the key specified in the <span class="command"><strong>managed-keys</strong></span>
- statement. If the DNSKEY RRset is validly signed, then it is
+ using the key specified in <span class="command"><strong>dnssec-keys</strong></span>.
+ If the DNSKEY RRset is validly signed, then it is
used as the basis for a new managed keys database.
</p>
<p>
From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
- sees the <span class="command"><strong>managed-keys</strong></span> statement, checks to
+ sees the <span class="command"><strong>initial-key</strong></span> listed in
+ <span class="command"><strong>dnssec-keys</strong></span>, checks to
make sure RFC 5011 key maintenance has already been initialized
for the specified domain, and if so, it simply moves on. The
- key specified in the <span class="command"><strong>managed-keys</strong></span>
- statement is not used to validate answers; it has been
- superseded by the key or keys stored in the managed keys database.
+ key specified in the <span class="command"><strong>dnssec-keys</strong></span>
+ statement is not used to validate answers; it is
+ superseded by the key or keys stored in the managed keys
+ database.
</p>
<p>
- The next time <span class="command"><strong>named</strong></span> runs after a name
- has been <span class="emphasis"><em>removed</em></span> from the
- <span class="command"><strong>managed-keys</strong></span> statement, the corresponding
+ The next time <span class="command"><strong>named</strong></span> runs after an
+ <span class="command"><strong>initial-key</strong></span> has been
+ <span class="emphasis"><em>removed</em></span> from the
+ <span class="command"><strong>dnssec-keys</strong></span> statement (or changed to
+ a <span class="command"><strong>static-key</strong></span>), the corresponding
zone will be removed from the managed keys database,
and RFC 5011 key maintenance will no longer be used for that
domain.
<p>
If the <span class="command"><strong>dnssec-validation</strong></span> option is
set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span>
- will automatically initialize a managed key for the
- root zone. The key that is used to initialize the key
+ will automatically initialize an <span class="command"><strong>initial-key</strong></span>
+ for the root zone. The key that is used to initialize the key
maintenance process is stored in <code class="filename">bind.keys</code>;
the location of this file can be overridden with the
<span class="command"><strong>bindkeys-file</strong></span> option. As a fallback
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
+ <pre class="programlisting">
+<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
+ <span class="command"><strong>initial-key</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
+ <em class="replaceable"><code>quoted_string</code></em>; ... };
+</pre>
+ </div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
+ and Usage</h3></div></div></div>
+
+ <p>
+ The <span class="command"><strong>managed-keys</strong></span> statement is
+ identical to the <span class="command"><strong>dnssec-keys</strong></span>, and is
+ retained for backward compatibility.
+ </p>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+ <pre class="programlisting">
+<span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
+ <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
+ <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated
+</pre>
+ </div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
+ and Usage</h3></div></div></div>
+
+ <p>
+ The <span class="command"><strong>trusted-keys</strong></span> statement has been
+ deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called “<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar”</a>
+ with the <span class="command"><strong>static</strong></span> keyword.
+ </p>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="view_statement_grammar"></a><span class="command"><strong>view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span class="command"><strong>view</strong></span> <em class="replaceable"><code>view_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
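Review bot: In the new trusted-keys grammar block the literal text `, deprecated` has been appended after `quoted_string; ... };` inside the `<pre class="programlisting">`, so it renders as if it were part of the statement syntax; drop it from the grammar and leave the deprecation to the prose in the definition section that follows, which already states it. In that trusted-keys definition paragraph the replacement keyword is given as `static`, but the grammar and the dnssec-keys section both call it `static-key`; use `static-key`. In the managed-keys definition, `identical to the dnssec-keys, and is` is missing a noun (`identical to the dnssec-keys statement, and is`). The anchors of the two managed-keys sections are also swapped relative to the removed ones (`managed_keys` was the Grammar section and `managed-keys` the Definition; the new sections use the reverse), which silently changes where existing deep links land; keep the original anchor names unless the swap is deliberate, and if it is, the TOC and cross-references in this change must stay in step with it. Two smaller points: `will automatically initialize an initial-key for the root zone` reads awkwardly and could be `will automatically configure an initial-key trust anchor for the root zone`; and the paragraph beginning `The next time named runs after an initial-key has been removed`, which this hunk edits, is never closed with `</p>` before the next `<p>` (pre-existing, but cheap to fix while touching it).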
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<p>
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
- exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ A race condition could trigger an assertion failure when
+ a large number of incoming packets were being rejected.
+ This flaw is disclosed in CVE-2019-6471. [GL #942]
</p>
</li>
</ul></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ In order to clarify the configuration of DNSSEC keys,
+ the <span class="command"><strong>trusted-keys</strong></span> and
+ <span class="command"><strong>managed-keys</strong></span> statements have been
+ deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
+ statement should now be used for both types of key.
+ </p>
+ <p>
+ When used with the keyword <span class="command"><strong>initial-key</strong></span>,
+ <span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
+ <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
+ a trust anchor that is to be maintained via RFC 5011.
+ </p>
+ <p>
+ When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
+ has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
+ configuring a permanent trust anchor that will not automatically
+ be updated. (This usage is not recommended for the root key.)
+ [GL #6]
+ </p>
+ </li>
+<li class="listitem">
<p>
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
- </li></ul></div>
+ </li>
+</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
<p>
The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
- </li></ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>cleaning-interval</strong></span> option has been
+ removed. [GL !1731]
+ </p>
+ </li>
+</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> will now log a warning if
+ a static key is configured for the root zone, or if
+ any key is configured for "dlv.isc.org", which has been shut
+ down. [GL #6]
+ </p>
+ </li>
<li class="listitem">
<p>
- When <span class="command"><strong>trusted-keys</strong></span> and
- <span class="command"><strong>managed-keys</strong></span> were both configured for the
- same name, or when <span class="command"><strong>trusted-keys</strong></span> was used to
+ When static and managed DNSSEC keys were both configured for the
+ same name, or when a static key was used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> was set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
<span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
+<li class="listitem">
+ <p>
+ JSON-C is now the only supported library for enabling JSON
+ support for BIND statistics. The <span class="command"><strong>configure</strong></span>
+ option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
+ to <span class="command"><strong>--with-json-c</strong></span>. Use
+ <span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
+ the <span class="command"><strong>json-c</strong></span> library as the new
+ <span class="command"><strong>configure</strong></span> option does not take the library
+ installation path as an optional argument.
+ </p>
+ </li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
<p>
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
This has now been corrected.
[GL #913]
</p>
- </li></ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ When <span class="command"><strong>qname-minimization</strong></span> was set to
+ <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
+ would fail to resolve, but would have succeeded when minimization
+ was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering
+ the problem. [GL #1055]
+ </p>
+ </li>
+</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
<p>
- BIND is open source software licenced under the terms of the Mozilla
+ BIND is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the <code class="filename">LICENSE</code>
file for the full text).
</p>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
parameters. By default the path to this configuration file is
<code class="filename">/etc/dns.conf</code>. This module is very experimental
and the configuration syntax or library interfaces may change in
- future versions. Currently, only the <span class="command"><strong>trusted-keys</strong></span>
- statement is supported, whose syntax is the same as the same
- statement in <code class="filename">named.conf</code>. (See
- <a class="xref" href="Bv9ARM.ch05.html#trusted-keys" title="trusted-keys Statement Grammar">the section called “<span class="command"><strong>trusted-keys</strong></span> Statement Grammar”</a> for details.)
+ future versions. Currently, only static key configuration is supported.
+ <span class="command"><strong>managed-keys</strong></span> and <span class="command"><strong>trusted-keys</strong></span>
+ statements are parsed exactly as they are in
+ <code class="filename">named.conf</code>, except that all
+ <span class="command"><strong>managed-keys</strong></span> entries will be treated as
+ if they were configured with the <span class="command"><strong>static-key</strong></span>
+ keyword, even if they are configured with <span class="command"><strong>initial-key</strong></span>.
+ (See <a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Grammar">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Grammar”</a> for syntax details.)
</p>
</div>
<div class="section">
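Review bot: The rewritten paragraph says only static key configuration is supported and that managed-keys and trusted-keys statements are parsed as in named.conf, but it does not say whether the new dnssec-keys statement, which this same change introduces as the replacement for both, is accepted in /etc/dns.conf; either add dnssec-keys to the list of parsed statements (with the same note that initial-key entries are treated as static-key) or state explicitly that it is not yet supported there. The cross-reference also points at the managed-keys grammar, whereas the rest of the manual in this change treats the dnssec-keys grammar as the canonical one and describes managed-keys as retained for backward compatibility; linking to the dnssec-keys section would be more consistent.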
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.15.0</p></div>
+<div><p class="releaseinfo">BIND Version 9.15.1</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch04.html#generating_dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
</dl></dd>
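Review bot: Renaming the ch04 anchor from `dnssec_keys` to `generating_dnssec_keys` changes a published URL fragment (`Bv9ARM.ch04.html#dnssec_keys`), so existing links to the Generating Keys section will silently land at the top of the chapter instead. If the rename is needed to free the id for the new ch05 `dnssec_keys` Statement Grammar section introduced in this change, say so where the change is described, and check the manual for any remaining references to the old anchor.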
Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
- Usage</a></span></dt>
+ Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec-keys"><span class="command"><strong>dnssec-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch05.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</p>
<p>
Note: When reading the trust anchor file,
- <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
- statements and <code class="option">trusted-keys</code> statements
- identically. That is, for a managed key, it is the
- <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
- key management is not supported. <span class="command"><strong>delv</strong></span>
- will not consult the managed-keys database maintained by
- <span class="command"><strong>named</strong></span>. This means that if either of the
- keys in <code class="filename">/etc/bind.keys</code> is revoked
+ <span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
+ <code class="option">initial-key</code> and <code class="option">static-key</code>
+ entries identically. That is, even if a key is configured
+ with <span class="command"><strong>initial-key</strong></span>, indicating that it is
+ meant to be used only as an initializing key for RFC 5011
+ key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
+ as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
+ <span class="command"><strong>delv</strong></span> does not consult the managed keys
+ database maintained by <span class="command"><strong>named</strong></span>. This means
+ that if either of the keys in
+ <code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>.
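Review bot: the rewritten delv paragraph still does not say what the user will see when /etc/bind.keys holds a revoked or rolled key; "it will be necessary to update /etc/bind.keys to use DNSSEC validation" should spell out the observable result (for example, that answers signed only under the new key fail validation rather than silently coming back unvalidated), since that is how a reader recognizes a stale anchor. It also mentions only dnssec-keys: because the TRUSTED-KEYS grammar in this same patch keeps the old statement as deprecated, add a sentence saying whether delv still reads trusted-keys and managed-keys statements from its anchor file or whether that file must be converted to dnssec-keys.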
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
in the query. This bit is set by default, which means
<span class="command"><strong>dig</strong></span> normally sends recursive
queries. Recursion is automatically disabled when
- the <em class="parameter"><code>+nssearch</code></em> or
- <em class="parameter"><code>+trace</code></em> query options are used.
+ using the <em class="parameter"><code>+nssearch</code></em> option, and
+ when using <em class="parameter"><code>+trace</code></em> except for
+ an initial recursive query to get the list of root
+ servers.
</p>
</dd>
<dt><span class="term"><code class="option">+retry=T</code></span></dt>
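Review bot: the new +trace sentence introduces an exception (an initial recursive query to get the list of root servers) without saying where that query is sent; since +trace is commonly used precisely to avoid trusting the local resolver, the man page should state that this first query goes to the server given with @server or to the resolv.conf servers, and that only the root NS list, not the traced answers, depends on it. A one-line note that the trace therefore starts from whatever root list that resolver returns would cover the practitioner's concern.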
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
<div class="refsection">
<a name="id-1.13.27.8"></a><h2>ACL</h2>
-
<div class="literallayout"><p><br>
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
</p></div>
<div class="refsection">
<a name="id-1.13.27.9"></a><h2>CONTROLS</h2>
-
<div class="literallayout"><p><br>
controls {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
<div class="refsection">
<a name="id-1.13.27.10"></a><h2>DLZ</h2>
-
<div class="literallayout"><p><br>
dlz <em class="replaceable"><code>string</code></em> {<br>
database <em class="replaceable"><code>string</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.11"></a><h2>DYNDB</h2>
+<a name="id-1.13.27.11"></a><h2>DNSSEC-KEYS</h2>
+ <div class="literallayout"><p><br>
+dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+</p></div>
+ </div>
+ <div class="refsection">
+<a name="id-1.13.27.12"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br>
dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
    <em class="replaceable"><code>unspecified-text</code></em> };<br>
</div>
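Review bot: the new DNSSEC-KEYS section gives only the grammar and, unlike the MANAGED-KEYS and TRUSTED-KEYS sections touched in this patch, carries no cross-reference or description; the three unlabeled integer fields should be named (flags, protocol, algorithm, in that order, as in the existing trusted-keys syntax) so a reader can map a DNSKEY record onto them, and the static-key versus initial-key distinction should at least point to the ARM. Note also that inserting this section renumbers every generated anchor that follows (id-1.13.27.12 through id-1.13.27.25 all shift by one), so existing links to those fragments now land one section off; a stable name attribute per section would avoid this.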
<div class="refsection">
-<a name="id-1.13.27.12"></a><h2>KEY</h2>
-
+<a name="id-1.13.27.13"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>string</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.13"></a><h2>LOGGING</h2>
-
+<a name="id-1.13.27.14"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
<div class="refsection">
-<a name="id-1.13.27.14"></a><h2>MANAGED-KEYS</h2>
-
+<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
+ <p>See DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
-managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+    initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
</p></div>
</div>
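Review bot: the MANAGED-KEYS grammar now accepts ( static-key | initial-key ), which lets a statement called managed-keys define a key that is never maintained by RFC 5011; either keep the legacy statement initial-key only, or have the "See DNSSEC-KEYS." line warn that static-key here produces an unmanaged anchor. The section also lacks the "Deprecated" marker that TRUSTED-KEYS gets in this patch, while the release note in the same patch deprecates both statements; make the two sections consistent.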
<div class="refsection">
-<a name="id-1.13.27.15"></a><h2>MASTERS</h2>
-
+<a name="id-1.13.27.16"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
    <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.16"></a><h2>OPTIONS</h2>
-
+<a name="id-1.13.27.17"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
    <em class="replaceable"><code>string</code></em> | auto | no );<br>
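Review bot: dnssec-enable is removed from the OPTIONS (and VIEW) grammar here, while the release note in this patch lists it under Removed Features but describes it as "deprecated and no longer has any effect"; these say different things to an operator who has dnssec-enable in named.conf. If named still accepts the option and logs a warning, keep it in the grammar with a deprecation marker (this file already uses a trailing comment, as on "trust-anchor-telemetry boolean; // experimental"); if named now rejects it, say "removed" in the release note so a reload failure after upgrade is not a surprise.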
resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
- response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
-     <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
-     disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
-     | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
-     nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
+ response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
+     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
+     <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+     nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+     recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+     nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
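Review bot: add-soa now appears both per zone and at the end of the response-policy statement, and the grammar gives neither a default nor a precedence rule; state which setting wins when both are given and document the default, because including the policy zone's SOA in the additional section tells every client which RPZ zone rewrote its answer, which is exactly the kind of disclosure some operators deploy RPZ to avoid.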
</div>
<div class="refsection">
-<a name="id-1.13.27.17"></a><h2>PLUGIN</h2>
-
+<a name="id-1.13.27.18"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br>
plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.18"></a><h2>SERVER</h2>
-
+<a name="id-1.13.27.19"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server <em class="replaceable"><code>netprefix</code></em> {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.19"></a><h2>STATISTICS-CHANNELS</h2>
-
+<a name="id-1.13.27.20"></a><h2>STATISTICS-CHANNELS</h2>
<div class="literallayout"><p><br>
statistics-channels {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.20"></a><h2>TRUSTED-KEYS</h2>
-
+<a name="id-1.13.27.21"></a><h2>TRUSTED-KEYS</h2>
+ <p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
-trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
+Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+    <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
</p></div>
</div>
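Review bot: the rendered trusted-keys grammar now ends in ";, deprecated", i.e. the deprecation marker has been appended to the grammar text itself inside the literallayout block (the same happens in the VIEW grammar below); use the convention already in this file, a trailing comment as on "trust-anchor-telemetry boolean; // experimental", or rely on the "Deprecated - see DNSSEC-KEYS." paragraph just added above it. The added line also carries "Â " sequences where the original had spaces, which are UTF-8 no-break spaces read back as Latin-1; if this is in the committed HTML rather than an artifact of how the diff was captured, the doc generator is double-encoding and the indentation should be plain spaces or &nbsp; entities.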
<div class="refsection">
-<a name="id-1.13.27.21"></a><h2>VIEW</h2>
-
+<a name="id-1.13.27.22"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
+ dnssec-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+     initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
    <em class="replaceable"><code>string</code></em> | auto | no );<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
- managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em><br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
+ managed-keys { <em class="replaceable"><code>string</code></em> ( static-key |<br>
+     initial-key ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
masterfile-format ( map | raw | text );<br>
masterfile-style ( full | relative );<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
resolver-retry-interval <em class="replaceable"><code>integer</code></em>;<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
- response-policy { zone <em class="replaceable"><code>string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl<br>
-     <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname |<br>
-     disabled | drop | given | no-op | nodata | nxdomain | passthru<br>
-     | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
-     nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [<br>
+ response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
+     <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval<br>
+     <em class="replaceable"><code>ttlval</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
+     nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+     recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
+     nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
    break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [ min-ns-dots <em class="replaceable"><code>integer</code></em> ] [<br>
    nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ]<br>
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
    ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
- trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>quoted_string</code></em>;<br>
-     ... };<br>
+ trusted-keys { <em class="replaceable"><code>string</code></em><br>
+ Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
+ Â Â Â Â <em class="replaceable"><code>integer</code></em><br>
+     <em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.22"></a><h2>ZONE</h2>
-
+<a name="id-1.13.27.23"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
</div>
<div class="refsection">
-<a name="id-1.13.27.23"></a><h2>FILES</h2>
+<a name="id-1.13.27.24"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsection">
-<a name="id-1.13.27.24"></a><h2>SEE ALSO</h2>
+<a name="id-1.13.27.25"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">ddns-confgen</span>(8)
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync | destroy)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
- Inspect and control the "managed-keys" database which
+ Inspect and control the "managed keys" database which
handles RFC 5011 DNSSEC trust anchor maintenance. If a view
is specified, these commands are applied to that view;
otherwise they are applied to all views.
<li class="listitem">
<p>
When run with the <code class="literal">status</code> keyword, prints
- the current status of the managed-keys database.
+ the current status of the managed keys database.
</p>
</li>
<li class="listitem">
<p>
When run with the <code class="literal">refresh</code> keyword,
forces an immediate refresh query to be sent for all
- the managed keys, updating the managed-keys database
+ the managed keys, updating the managed keys database
if any new keys are found, without waiting the normal
refresh interval.
</p>
<li class="listitem">
<p>
When run with the <code class="literal">sync</code> keyword, forces an
- immediate dump of the managed-keys database to disk
+ immediate dump of the managed keys database to disk
(in the file <code class="filename">managed-keys.bind</code> or
(<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
This synchronizes the database with its journal file, so
<li class="listitem">
<p>
When run with the <code class="literal">destroy</code> keyword, the
- managed-keys database is shut down and deleted, and all key
+ managed keys database is shut down and deleted, and all key
maintenance is terminated. This command should be used only
with extreme caution.
</p>
<dd>
<p>
Dump the security roots (i.e., trust anchors
- configured via <span class="command"><strong>trusted-keys</strong></span>,
- <span class="command"><strong>managed-keys</strong></span>, or
- <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
+ configured via <span class="command"><strong>dnssec-keys</strong></span> statements,
+ or the synonymous <span class="command"><strong>managed-keys</strong></span> or
+ the deprecated <span class="command"><strong>trusted-keys</strong></span> statements, or
+ via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether
they are configured as trusted keys, managed keys, or
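Review bot: this secroots paragraph calls managed-keys "synonymous" with dnssec-keys and only trusted-keys "deprecated", while the release note in the same patch deprecates both statements; pick one description. The unchanged sentence that follows still says roots are reported as "trusted keys, managed keys, or ...", so the text should say how a static-key anchor and an initial-key anchor are labeled in the dump, since that label is how an operator confirms the root anchor is actually under RFC 5011 maintenance.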
<p>
List the names of all TSIG keys currently configured
for use by <span class="command"><strong>named</strong></span> in each view. The
- list both statically configured keys and dynamic
+ list includes both statically configured keys and dynamic
TKEY-negotiated keys.
</p>
</dd>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.15.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<p>
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
- exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ A race condition could trigger an assertion failure when
+ a large number of incoming packets were being rejected.
+ This flaw is disclosed in CVE-2019-6471. [GL #942]
</p>
</li>
</ul></div>
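Review bot: the new CVE-2019-6471 entry says only that "a race condition could trigger an assertion failure when a large number of incoming packets were being rejected"; an assertion failure in named terminates the process, so the note should say so and state the impact (a remotely triggerable crash, i.e. denial of service), the affected versions, and what "rejected" covers (ACL-denied packets, malformed packets, or both). The CVE-2018-5743 rewording is fine.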
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ In order to clarify the configuration of DNSSEC keys,
+ the <span class="command"><strong>trusted-keys</strong></span> and
+ <span class="command"><strong>managed-keys</strong></span> statements have been
+ deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
+ statement should now be used for both types of key.
+ </p>
+ <p>
+ When used with the keyword <span class="command"><strong>initial-key</strong></span>,
+ <span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
+ <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
+ a trust anchor that is to be maintained via RFC 5011.
+ </p>
+ <p>
+ When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
+ has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
+ configuring a permanent trust anchor that will not automatically
+ be updated. (This usage is not recommended for the root key.)
+ [GL #6]
+ </p>
+ </li>
+<li class="listitem">
<p>
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
- </li></ul></div>
+ </li>
+</ul></div>
</div>
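Review bot: the dnssec-keys entry does not say what happens to existing configurations that still use trusted-keys or managed-keys (accepted silently, accepted with a logged warning, or rejected), nor whether the bind.keys file shipped with this release has been converted to the new statement; both are what an upgrading operator needs to know before the next root KSK roll. The add-soa entry should give the option's default, since the SOA in the additional section reveals the name of the policy zone that rewrote the answer.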
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
<p>
The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</p>
- </li></ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>cleaning-interval</strong></span> option has been
+ removed. [GL !1731]
+ </p>
+ </li>
+</ul></div>
</div>
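Review bot: "deprecated and no longer has any effect" under Removed Features is contradictory for dnssec-enable; say whether the option is still parsed (with a warning) or is now a configuration error, matching whichever behaviour the grammar change in named.conf.html in this patch reflects. The cleaning-interval entry cites a merge request (!1731) rather than an issue and gives no reason; one clause on why it was removed and what replaces the interval operators may have tuned would help.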
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> will now log a warning if
+ a static key is configured for the root zone, or if
+ any key is configured for "dlv.isc.org", which has been shut
+ down. [GL #6]
+ </p>
+ </li>
<li class="listitem">
<p>
- When <span class="command"><strong>trusted-keys</strong></span> and
- <span class="command"><strong>managed-keys</strong></span> were both configured for the
- same name, or when <span class="command"><strong>trusted-keys</strong></span> was used to
+ When static and managed DNSSEC keys were both configured for the
+ same name, or when a static key was used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> was set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
<span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
+<li class="listitem">
+ <p>
+ JSON-C is now the only supported library for enabling JSON
+ support for BIND statistics. The <span class="command"><strong>configure</strong></span>
+ option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
+ to <span class="command"><strong>--with-json-c</strong></span>. Use
+ <span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
+ the <span class="command"><strong>json-c</strong></span> library as the new
+ <span class="command"><strong>configure</strong></span> option does not take the library
+ installation path as an optional argument.
+ </p>
+ </li>
</ul></div>
</div>
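Review bot: the JSON-C entry renames `--with-libjson` to `--with-json-c` but does not say what a build script that still passes the old flag gets; autoconf-generated `configure` scripts only warn about an unrecognized `--with-*` option, so such a build completes without JSON statistics support and nobody notices until the statistics channel stops returning JSON. Add a sentence telling packagers to update the flag and to confirm the result (for example by checking the configure options printed by `named -V`). Since the entry already says the new option takes no path argument, also give the `PKG_CONFIG_PATH` form as an explicit example rather than prose only.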
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
<p>
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
This has now been corrected.
[GL #913]
</p>
- </li></ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ When <span class="command"><strong>qname-minimization</strong></span> was set to
+ <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
+ would fail to resolve, but would have succeeded when minimization
+ was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering
+ the problem. [GL #1055]
+ </p>
+ </li>
+</ul></div>
</div>
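Review bot: the `qname-minimization` entry describes the fallback as a pure fix, but "fall back to normal resolution" means the full query name is then sent to the servers that could not answer the minimized query, so under `relaxed` an improperly configured domain now costs the privacy that minimization was providing for that lookup; the note should say so, and say whether the fallback is logged so operators can see which domains trigger it. Switching the probe type from NS to A is also worth a clause of explanation (what the misconfigured servers get wrong with NS queries for intermediate names), otherwise readers cannot judge whether the change affects their own zones.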
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
<p>
- BIND is open source software licenced under the terms of the Mozilla
+ BIND is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the <code class="filename">LICENSE</code>
file for the full text).
</p>
-Release Notes for BIND Version 9.15.0
+Release Notes for BIND Version 9.15.1
Introduction
* The TCP client quota set using the tcp-clients option could be
exceeded in some cases. This could lead to exhaustion of file
- descriptors. (CVE-2018-5743) [GL #615]
+ descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
+
+ * A race condition could trigger an assertion failure when a large
+ number of incoming packets were being rejected. This flaw is disclosed
+ in CVE-2019-6471. [GL #942]
New Features
+ * In order to clarify the configuration of DNSSEC keys, the trusted-keys
+ and managed-keys statements have been deprecated, and the new
+ dnssec-keys statement should now be used for both types of key.
+
+ When used with the keyword initial-key, dnssec-keys has the same
+ behavior as managed-keys, i.e., it configures a trust anchor that is
+ to be maintained via RFC 5011.
+
+ When used with the new keyword static-key, it has the same behavior as
+ trusted-keys, configuring a permanent trust anchor that will not
+ automatically be updated. (This usage is not recommended for the root
+ key.) [GL #6]
+
* The new add-soa option specifies whether or not the response-policy
zone's SOA record should be included in the additional section of RPZ
responses. [GL #865]
effect. DNSSEC responses are always enabled if signatures and other
DNSSEC data are present. [GL #866]
+ * The cleaning-interval option has been removed. [GL !1731]
+
Feature Changes
- * When trusted-keys and managed-keys were both configured for the same
- name, or when trusted-keys was used to configure a trust anchor for
+ * named will now log a warning if a static key is configured for the
+ root zone, or if any key is configured for "dlv.isc.org", which has
+ been shut down. [GL #6]
+
+ * When static and managed DNSSEC keys were both configured for the same
+ name, or when a static key was used to configure a trust anchor for
the root zone and dnssec-validation was set to the default value of
auto, automatic RFC 5011 key rollovers would be disabled. This
combination of settings was never intended to work, but there was no
"sync" timing parameters in key files, and the checks performed by
dnssec-checkds.
+ * JSON-C is now the only supported library for enabling JSON support for
+ BIND statistics. The configure option has been renamed from
+ --with-libjson to --with-json-c. Use PKG_CONFIG_PATH to specify a
+ custom path to the json-c library as the new configure option does not
+ take the library installation path as an optional argument.
+
Bug Fixes
* The allow-update and allow-update-forwarding options were
inadvertently treated as configuration errors when used at the options
or view level. This has now been corrected. [GL #913]
+ * When qname-minimization was set to relaxed, some improperly configured
+ domains would fail to resolve, but would have succeeded when
+ minimization was disabled. named will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering the
+ problem. [GL #1055]
+
License
-BIND is open source software licenced under the terms of the Mozilla
+BIND is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).
The license requires that if you make changes to BIND and distribute them
<section xml:id="relnotes_features"><info><title>New Features</title></info>
<itemizedlist>
+ <listitem>
+ <para>
+ In order to clarify the configuration of DNSSEC keys,
+ the <command>trusted-keys</command> and
+ <command>managed-keys</command> statements have been
+ deprecated, and the new <command>dnssec-keys</command>
+ statement should now be used for both types of key.
+ </para>
+ <para>
+ When used with the keyword <command>initial-key</command>,
+ <command>dnssec-keys</command> has the same behavior as
+ <command>managed-keys</command>, i.e., it configures
+ a trust anchor that is to be maintained via RFC 5011.
+ </para>
+ <para>
+ When used with the new keyword <command>static-key</command>, it
+ has the same behavior as <command>trusted-keys</command>,
+ configuring a permanent trust anchor that will not automatically
+ be updated. (This usage is not recommended for the root key.)
+ [GL #6]
+ </para>
+ </listitem>
<listitem>
<para>
The new <command>add-soa</command> option specifies whether
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
<itemizedlist>
- <listitem>
- <para>
- The new <command>dnssec-keys</command> statement can now be
- used to configure all DNSSEC trust anchors. The older
- <command>managed-keys</command> statement is a synonym for
- <command>dnssec-keys</command>, retained for backward
- compatibility. Both statements can now use the
- keyword <command>static-key</command> in place of
- <command>initial-key</command> if it is necessary to
- configure trusted keys for which RFC 5011 trust anchor
- maintenance is not to be used. [GL #6]
- </para>
- </listitem>
<listitem>
<para>
<command>named</command> will now log a warning if
</itemizedlist>
</section>
- <section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- In order to clarify the configuration of DNSSEC keys,
- the <command>trusted-keys</command> and
- <command>managed-keys</command> statement has been
- deprecated. The new <command>dnssec-keys</command> should
- be used for both types of keys.
- </para>
- <para>
- When used with the keyword <command>initial-key</command>,
- <command>dnssec-keys</command> has the same behavior as
- <command>managed-keys</command>, i.e., it configures
- a trust anchor that is to be maintained via RFC 5011.
- </para>
- <para>
- When used with the new keyword <command>static-key</command>, it
- has the same behavior as <command>trusted-keys</command>,
- configuring a permanent trust anchor that will not automatically
- be updated. This usage is not recommended for the root key.
- [GL #6]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
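Review bot: this hunk deletes an entire `relnotes_removed` section whose only content was the dnssec-keys text that the first XML hunk moves into `relnotes_features`, and the Feature Changes hunk drops the older entry that called `managed-keys` "a synonym for dnssec-keys, retained for backward compatibility" in favour of calling both old statements "deprecated"; those are different claims, so make sure the ARM chapter on trust anchors matches the new wording. Also confirm that the XML still has a surviving `relnotes_removed` section with the `dnssec-enable` and `cleaning-interval` entries: the rendered HTML in this patch shows both under Removed Features, but no `+` hunk adding the `cleaning-interval` item to the XML appears here, so either it lives in a hunk outside this excerpt or the generated HTML and the XML source are out of step.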
[GL #913]
</para>
</listitem>
+ <listitem>
+ <para>
+ When <command>qname-minimization</command> was set to
+ <command>relaxed</command>, some improperly configured domains
+ would fail to resolve, but would have succeeded when minimization
+ was disabled. <command>named</command> will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering
+ the problem. [GL #1055]
+ </para>
+ </listitem>
</itemizedlist>
</section>
lwres { <unspecified-text> }; // obsolete, may occur multiple times
-managed-keys { <string> ( static-key |
- initial-key ) <integer> <integer> <integer>
- <quoted_string>; ... }; // may occur multiple times
+managed-keys { <string> ( static-key
+ | initial-key ) <integer>
+ <integer> <integer>
+ <quoted_string>; ... }; // may occur multiple times, deprecated
masters <string> [ port <integer> ] [ dscp
<integer> ] { ( <masters> | <ipv4_address> [
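Review bot: only `managed-keys` is annotated `deprecated` in this grammar hunk; `trusted-keys`, which the release notes deprecate in the same sentence, sorts outside the shown context, so check that it receives the identical annotation, and that the new `dnssec-keys` statement appears in the grammar with the same `( static-key | initial-key )` alternative shown here for `managed-keys`. The rest of the change is only a rewrap of the generated grammar text and needs no review.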
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
- cleaning-interval <integer>;
+ cleaning-interval <integer>; // obsolete
clients-per-query <integer>;
cookie-algorithm ( aes | sha1 | sha256 );
cookie-secret <string>; // may occur multiple times
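Review bot: `cleaning-interval` is tagged `// obsolete` here, which keeps it in the grammar, while the release-note entries in this same patch say the option "has been removed"; pick one term and make the notes match the grammar. If the option is still parsed and ignored, "obsolete" is the accurate word and the notes should say the setting now has no effect; if `named` rejects it, it should not remain in the grammar at all.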
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
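Review bot: `lmdb-mapsize` is newly tagged `// non-operational` here (and again in the view-level grammar below), yet none of the release-note sections touched by this patch mention it; a user-visible change to an option's behaviour needs an entry under Feature Changes or Removed Features with the issue reference, and a word on what happens to an existing setting (ignored silently, or warned about).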
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
- cleaning-interval <integer>;
+ cleaning-interval <integer>; // obsolete
clients-per-query <integer>;
deny-answer-addresses { <address_match_element>; ... } [
except-from { <string>; ... } ];
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
- managed-keys { <string> ( static-key |
- initial-key ) <integer> <integer>
- <integer> <quoted_string>; ... }; // may occur multiple times
+ managed-keys { <string> (
+ static-key | initial-key
+ ) <integer> <integer>
+ <integer>
+ <quoted_string>; ... }; // may occur multiple times, deprecated
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-clients { <address_match_element>; ... };
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
-LIBINTERFACE = 1500
+LIBINTERFACE = 1501
LIBREVISION = 0
LIBAGE = 0
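Review bot: both `LIBINTERFACE` bumps (1500 to 1501) leave `LIBAGE = 0`, which in libtool's current:revision:age scheme declares the new library binary-incompatible with the 1500 one rather than a superset of it; if 9.15.1 only added interfaces, `LIBAGE` should be raised to 1 alongside `LIBINTERFACE`, and if interfaces were removed or changed, that is correct but worth a line in the commit message. The two files that only bump `LIBREVISION` (0 to 1) assert that no interface changed at all, so confirm that split really reflects which libraries gained or lost symbols in this release.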
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
-LIBINTERFACE = 1500
+LIBINTERFACE = 1501
LIBREVISION = 0
LIBAGE = 0
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=15
-PATCHVER=0
+PATCHVER=1
RELEASETYPE=
RELEASEVER=
EXTENSIONS=