+ --- 9.13.2 released ---
+
4987. [cleanup] dns_rdataslab_tordataset() and its related
dns_rdatasetmethods_t callbacks were removed as they
were not being used by anything in BIND. [GL #371]
-4986. [func] When built on Linux, BIND now requires the libcap library
- to set process privileges, unless capability support is
- explicitly overridden with "configure --disable-linux-caps".
- [GL #321]
+4986. [func] When built on Linux, BIND now requires the libcap
+ library to set process privileges, unless capability
+ support is explicitly overridden with "configure
+ --disable-linux-caps". [GL #321]
4985. [func] Add a new slave zone option, "mirror", to enable
serving a non-authoritative copy of a zone that
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 2018-01-22
+.\" Date: 2018-05-29
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
-.TH "NAMED\&.CONF" "5" "2018\-01\-22" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2018\-05\-29" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
\fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [
port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
\fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
- in\-memory \fIboolean\fR ] [ min\-update\-interval \fIinteger\fR ]; \&.\&.\&. };
+ in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
check\-dup\-records ( fail | warn | ignore );
check\-integrity \fIboolean\fR;
check\-mx ( fail | warn | ignore );
};
dns64\-contact \fIstring\fR;
dns64\-server \fIstring\fR;
+ dnskey\-sig\-validity \fIinteger\fR;
dnsrps\-enable \fIboolean\fR;
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
fstrm\-set\-output\-notify\-threshold \fIinteger\fR;
fstrm\-set\-output\-queue\-model ( mpsc | spsc );
fstrm\-set\-output\-queue\-size \fIinteger\fR;
- fstrm\-set\-reopen\-interval \fIinteger\fR;
+ fstrm\-set\-reopen\-interval \fIttlval\fR;
geoip\-directory ( \fIquoted_string\fR | none );
- geoip\-use\-ecs \fIboolean\fR;
glue\-cache \fIboolean\fR;
heartbeat\-interval \fIinteger\fR;
hostname ( \fIquoted_string\fR | none );
inline\-signing \fIboolean\fR;
- interface\-interval \fIinteger\fR;
+ interface\-interval \fIttlval\fR;
ixfr\-from\-differences ( primary | master | secondary | slave |
\fIboolean\fR );
keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. };
masterfile\-style ( full | relative );
match\-mapped\-addresses \fIboolean\fR;
max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
- max\-cache\-ttl \fIinteger\fR;
+ max\-cache\-ttl \fIttlval\fR;
max\-clients\-per\-query \fIinteger\fR;
max\-journal\-size ( default | unlimited | \fIsizeval\fR );
- max\-ncache\-ttl \fIinteger\fR;
+ max\-ncache\-ttl \fIttlval\fR;
max\-records \fIinteger\fR;
max\-recursion\-depth \fIinteger\fR;
max\-recursion\-queries \fIinteger\fR;
preferred\-glue \fIstring\fR;
prefetch \fIinteger\fR [ \fIinteger\fR ];
provide\-ixfr \fIboolean\fR;
+ qname\-minimization ( strict | relaxed | disabled );
query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port (
\fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ]
port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIquoted_string\fR [ log \fIboolean\fR ] [
- max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [
policy ( cname | disabled | drop | given | no\-op | nodata |
nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ break\-dnssec \fIboolean\fR ] [
- max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [
min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [
qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ] [
nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ] [
dnsrps\-enable \fIboolean\fR ] [ dnsrps\-options { \fIunspecified\-text\fR
} ];
root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
+ root\-key\-sentinel \fIboolean\fR;
rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name
\fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. };
secroots\-file \fIquoted_string\fR;
\fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [
port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
\fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
- in\-memory \fIboolean\fR ] [ min\-update\-interval \fIinteger\fR ]; \&.\&.\&. };
+ in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
check\-dup\-records ( fail | warn | ignore );
check\-integrity \fIboolean\fR;
check\-mx ( fail | warn | ignore );
};
dns64\-contact \fIstring\fR;
dns64\-server \fIstring\fR;
+ dnskey\-sig\-validity \fIinteger\fR;
dnsrps\-enable \fIboolean\fR;
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. };
match\-recursive\-only \fIboolean\fR;
max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
- max\-cache\-ttl \fIinteger\fR;
+ max\-cache\-ttl \fIttlval\fR;
max\-clients\-per\-query \fIinteger\fR;
max\-journal\-size ( default | unlimited | \fIsizeval\fR );
- max\-ncache\-ttl \fIinteger\fR;
+ max\-ncache\-ttl \fIttlval\fR;
max\-records \fIinteger\fR;
max\-recursion\-depth \fIinteger\fR;
max\-recursion\-queries \fIinteger\fR;
preferred\-glue \fIstring\fR;
prefetch \fIinteger\fR [ \fIinteger\fR ];
provide\-ixfr \fIboolean\fR;
+ qname\-minimization ( strict | relaxed | disabled );
query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port (
\fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ]
port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIquoted_string\fR [ log \fIboolean\fR ] [
- max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [
policy ( cname | disabled | drop | given | no\-op | nodata |
nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ break\-dnssec \fIboolean\fR ] [
- max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [
min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [
qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ] [
nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ] [
dnsrps\-enable \fIboolean\fR ] [ dnsrps\-options { \fIunspecified\-text\fR
} ];
root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
+ root\-key\-sentinel \fIboolean\fR;
rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name
\fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. };
send\-cookie \fIboolean\fR;
dialup ( notify | notify\-passive | passive | refresh |
\fIboolean\fR );
dlz \fIstring\fR;
+ dnskey\-sig\-validity \fIinteger\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
max\-zone\-ttl ( unlimited | \fIttlval\fR );
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
+ mirror \fIboolean\fR;
multi\-master \fIboolean\fR;
notify ( explicit | master\-only | \fIboolean\fR );
notify\-delay \fIinteger\fR;
delegation\-only \fIboolean\fR;
dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR );
dlz \fIstring\fR;
+ dnskey\-sig\-validity \fIinteger\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
max\-zone\-ttl ( unlimited | \fIttlval\fR );
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
+ mirror \fIboolean\fR;
multi\-master \fIboolean\fR;
notify ( explicit | master\-only | \fIboolean\fR );
notify\-delay \fIinteger\fR;
    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
};<br>
dns64-contact <em class="replaceable"><code>string</code></em>;<br>
dns64-server <em class="replaceable"><code>string</code></em>;<br>
+ dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
fstrm-set-output-queue-model ( mpsc | spsc );<br>
fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
- fstrm-set-reopen-interval <em class="replaceable"><code>integer</code></em>;<br>
+ fstrm-set-reopen-interval <em class="replaceable"><code>ttlval</code></em>;<br>
geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- geoip-use-ecs <em class="replaceable"><code>boolean</code></em>;<br>
glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
- interface-interval <em class="replaceable"><code>integer</code></em>;<br>
+ interface-interval <em class="replaceable"><code>ttlval</code></em>;<br>
ixfr-from-differences ( primary | master | secondary | slave |<br>
    <em class="replaceable"><code>boolean</code></em> );<br>
keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
masterfile-style ( full | relative );<br>
match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
- max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+ max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+ max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
preferred-glue <em class="replaceable"><code>string</code></em>;<br>
prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+ qname-minimization ( strict | relaxed | disabled );<br>
query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+     max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
    policy ( cname | disabled | drop | given | no-op | nodata |<br>
    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+     max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+ root-key-sentinel <em class="replaceable"><code>boolean</code></em>;<br>
rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
secroots-file <em class="replaceable"><code>quoted_string</code></em>;<br>
    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
};<br>
dns64-contact <em class="replaceable"><code>string</code></em>;<br>
dns64-server <em class="replaceable"><code>string</code></em>;<br>
+ dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
- max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+ max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+ max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
preferred-glue <em class="replaceable"><code>string</code></em>;<br>
prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+ qname-minimization ( strict | relaxed | disabled );<br>
query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+     max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
    policy ( cname | disabled | drop | given | no-op | nodata |<br>
    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+     max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+ root-key-sentinel <em class="replaceable"><code>boolean</code></em>;<br>
rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
dialup ( notify | notify-passive | passive | refresh |<br>
    <em class="replaceable"><code>boolean</code></em> );<br>
dlz <em class="replaceable"><code>string</code></em>;<br>
+ dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+ mirror <em class="replaceable"><code>boolean</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
notify-delay <em class="replaceable"><code>integer</code></em>;<br>
delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
dlz <em class="replaceable"><code>string</code></em>;<br>
+ dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+ mirror <em class="replaceable"><code>boolean</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
notify-delay <em class="replaceable"><code>integer</code></em>;<br>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
<em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [
<span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key
<em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [
- <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };
+ <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };
<span class="command"><strong>check-dup-records</strong></span> ( fail | warn | ignore );
<span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>check-mx</strong></span> ( fail | warn | ignore );
};
<span class="command"><strong>dns64-contact</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>dns64-server</strong></span> <em class="replaceable"><code>string</code></em>;
+ <span class="command"><strong>dnskey-sig-validity</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnsrps-options</strong></span> { <em class="replaceable"><code>unspecified-text</code></em> };
<span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>fstrm-set-output-notify-threshold</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>fstrm-set-output-queue-model</strong></span> ( mpsc | spsc );
<span class="command"><strong>fstrm-set-output-queue-size</strong></span> <em class="replaceable"><code>integer</code></em>;
- <span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>geoip-directory</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
- <span class="command"><strong>geoip-use-ecs</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>glue-cache</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>heartbeat-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>hostname</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
<span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
- <span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>ixfr-from-differences</strong></span> ( primary | master | secondary | slave |
<em class="replaceable"><code>boolean</code></em> );
<span class="command"><strong>keep-response-order</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
<span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>max-cache-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );
- <span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>max-clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
- <span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>minimal-any</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>minimal-responses</strong></span> ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );
+ <span class="command"><strong>mirror</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>new-zones-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
<span class="command"><strong>no-case-compress</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
<span class="command"><strong>preferred-glue</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>prefetch</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
<span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+ <span class="command"><strong>qname-minimization</strong></span> ( strict | relaxed | disabled );
<span class="command"><strong>query-source</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (
<em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]
<span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
<span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size
<em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [
- <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [
+ <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [
<span class="command"><strong>policy</strong></span> ( cname | disabled | drop | given | no-op | nodata |
<span class="command"><strong>nxdomain</strong></span> | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
<span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [
- <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [
+ <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [
<span class="command"><strong>min-ns-dots</strong></span> <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>qname-wait-recurse</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>nsip-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [
<span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em>
} ];
<span class="command"><strong>root-delegation-only</strong></span> [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];
+ <span class="command"><strong>root-key-sentinel</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>rrset-order</strong></span> { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name
<em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };
<span class="command"><strong>secroots-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
its functionality is built into the name server.
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>qname-minimization</strong></span></span></dt>
+<dd>
+ <p>
+ This option controls QNAME minimization behaviour
+ in the BIND resolver. When set to <span class="command"><strong>strict</strong></span>,
+ BIND will follow the QNAME minimization algorithm to
+ the letter, as specified in RFC 7816. Setting this
+ option to <span class="command"><strong>relaxed</strong></span> will cause BIND
+ to fall back to normal (non-minimized) query mode
+ when it receives either NXDOMAIN or other unexpected
+ responses (e.g. SERVFAIL, improper zone cut, REFUSED)
+ to a minimized query. <span class="command"><strong>disabled</strong></span> disables
+ QNAME minimization completely. The current default is
+ <span class="command"><strong>relaxed</strong></span>, but it might be changed to
+ <span class="command"><strong>strict</strong></span> in a future release.
+ </p>
+ </dd>
<dt><span class="term"><span class="command"><strong>tkey-gssapi-keytab</strong></span></span></dt>
<dd>
<p>
<dt><span class="term"><span class="command"><strong>answer-cookie</strong></span></span></dt>
<dd>
<p>
- <span class="emphasis"><em>This option is obsolete</em></span>.
- This option was used to prevent the sending of
- a DNS COOKIE option in response to a request with
- one present in BIND 9.11 and BIND 9.12.
+ When set to the default value of <strong class="userinput"><code>yes</code></strong>,
+ COOKIE EDNS options will be sent when applicable in
+ replies to client queries. If set to
+ <strong class="userinput"><code>no</code></strong>, COOKIE EDNS options will not
+ be sent in replies. This can only be set at the global
+ options level, not per-view.
+ </p>
+ <p>
+ <span class="command"><strong>answer-cookie no</strong></span> is intended as a
+ temporary measure, for use when <span class="command"><strong>named</strong></span>
+ shares an IP address with other servers that do not yet
+ support DNS COOKIE. A mismatch between servers on the same
+ address is not expected to cause operational problems, but
+ the option to disable COOKIE responses so that all servers
+ have the same behavior is provided out of an abundance of
+ caution. DNS COOKIE is an important security mechanism,
+ and should not be disabled unless absolutely necessary.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt>
<span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
<span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
+ <span class="command"><strong>dnskey-sig-validity</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
<span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
<span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
+ <span class="command"><strong>dnskey-sig-validity</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
<span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>mirror</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
<span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
behavior is disabled by default.
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>mirror</strong></span></span></dt>
+<dd>
+ <p>
+ If set to <strong class="userinput"><code>yes</code></strong>, this causes the
+ zone to become a mirror zone. A mirror zone is a
+ <strong class="userinput"><code>secondary</code></strong> zone whose data
+ is subject to DNSSEC validation before being
+ used in answers. The default is
+ <strong class="userinput"><code>no</code></strong>.
+ </p>
+ <p>
+ A mirror zone's contents are validated during the transfer
+ process, and again when the zone file is loaded from disk
+ when <span class="command"><strong>named</strong></span> is restarted. If validation
+ fails, a retransfer of the zone is scheduled; if the mirror
+ zone had not previously been loaded or if the previous
+ version has expired, traditional DNS recursion will be used
+ to look up the answers instead.
+ </p>
+ <p>
+ For validation to succeed, a key-signing key (KSK) for
+ the zone must be configured as a trust anchor in
+ <code class="filename">named.conf</code>:
+ that is, a key for the zone must either be specified in
+ <span class="command"><strong>managed-keys</strong></span> or
+ <span class="command"><strong>trusted-keys</strong></span>, or in the case of
+ the root zone, <span class="command"><strong>dnssec-validation</strong></span>
+ must be set to <strong class="userinput"><code>auto</code></strong>.
+ Answers coming from a mirror zone look almost exactly like
+ answers from a normal slave zone, with the notable
+ exceptions that the AA bit ("authoritative answer") is
+ not set, and the AD bit ("authenticated data") is.
+ </p>
+ <p>
+ Though this option can be used for other zones, it
+ is intended to be used to set up a fast local copy of
+ the root zone, as described in RFC 7706.
+ This can be done by using the following configuration:
+ </p>
+<pre class="programlisting">zone "." {
+ type slave;
+ mirror yes;
+ file "root.mirror";
+ masters {
+ 192.228.79.201; # b.root-servers.net
+ 192.33.4.12; # c.root-servers.net
+ 192.5.5.241; # f.root-servers.net
+ 192.112.36.4; # g.root-servers.net
+ 193.0.14.129; # k.root-servers.net
+ 192.0.47.132; # xfr.cjr.dns.icann.org
+ 192.0.32.132; # xfr.lax.dns.icann.org
+ 2001:500:84::b; # b.root-servers.net
+ 2001:500:2f::f; # f.root-servers.net
+ 2001:7fd::1; # k.root-servers.net
+ 2620:0:2830:202::132; # xfr.cjr.dns.icann.org
+ 2620:0:2d0:202::132; # xfr.lax.dns.icann.org
+ };
+};</pre>
+ </dd>
<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
<dd>
<p>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.2</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.1</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.2</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
+ enables <span class="command"><strong>named</strong></span> to serve a transferred copy
+ of a zone's contents without acting as an authority for the
+ zone. A zone must be fully validated against an active trust
+ anchor before it can be used as a mirror zone. DNS responses
+ from mirror zones do not set the AA bit ("authoritative answer"),
+ but do set the AD bit ("authenticated data"). This feature is
+ meant to facilitate deployment of a local copy of the root zone,
+ as described in RFC 7706. [GL #33]
+ </p>
+ </li>
<li class="listitem">
<p>
BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
signatures covering DNSKEY RRsets. [GL #145]
</p>
</li>
+<li class="listitem">
+ <p>
+ Support for QNAME minimization was added and enabled by default
+ in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
+ to normal resolution if the remote server returns something
+ unexpected during the query minimization process. This default
+ setting might change to <span class="command"><strong>strict</strong></span> in the future.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
+ library to set process privileges. The adds a new compile-time
+ dependency, which can be met on most Linux platforms by installing the
+ <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
+ package. BIND can also be built without capability support by using
+ <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
+ loss of security.
+ </p>
+ </li>
</ul></div>
</div>
signatures and digest, nor it will validate them.
</p>
</li>
+<li class="listitem">
+ <p>
+ Add the ability to not return a DNS COOKIE option when one
+ is present in the request. To prevent a cookie being returned
+ add 'answer-cookie no;' to named.conf. [GL #173]
+ </p>
+ <p>
+ <span class="command"><strong>answer-cookie</strong></span> is only intended as a temporary
+ measure, for use when <span class="command"><strong>named</strong></span> shares an IP address
+ with other servers that do not yet support DNS COOKIE. A mismatch
+ between servers on the same address is not expected to cause
+ operational problems, but the option to disable COOKIE responses so
+ that all servers have the same behavior is provided out of an
+ abundance of caution. DNS COOKIE is an important security mechanism,
+ and should not be disabled unless absolutely necessary.
+ </p>
+ </li>
</ul></div>
</div>
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- None.
+ <span class="command"><strong>named</strong></span> now rejects excessively large
+ incremental (IXFR) zone transfers in order to prevent
+ possible corruption of journal files which could cause
+ <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
</p>
</li></ul></div>
</div>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.13.1</p></div>
+<div><p class="releaseinfo">BIND Version 9.13.2</p></div>
<div><p class="copyright">Copyright © 2000-2018 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.2</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
};<br>
dns64-contact <em class="replaceable"><code>string</code></em>;<br>
dns64-server <em class="replaceable"><code>string</code></em>;<br>
+ dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
fstrm-set-output-queue-model ( mpsc | spsc );<br>
fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
- fstrm-set-reopen-interval <em class="replaceable"><code>integer</code></em>;<br>
+ fstrm-set-reopen-interval <em class="replaceable"><code>ttlval</code></em>;<br>
geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- geoip-use-ecs <em class="replaceable"><code>boolean</code></em>;<br>
glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
- interface-interval <em class="replaceable"><code>integer</code></em>;<br>
+ interface-interval <em class="replaceable"><code>ttlval</code></em>;<br>
ixfr-from-differences ( primary | master | secondary | slave |<br>
    <em class="replaceable"><code>boolean</code></em> );<br>
keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
masterfile-style ( full | relative );<br>
match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
- max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+ max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+ max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
preferred-glue <em class="replaceable"><code>string</code></em>;<br>
prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+ qname-minimization ( strict | relaxed | disabled );<br>
query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+     max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
    policy ( cname | disabled | drop | given | no-op | nodata |<br>
    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+     max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+ root-key-sentinel <em class="replaceable"><code>boolean</code></em>;<br>
rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
secroots-file <em class="replaceable"><code>quoted_string</code></em>;<br>
    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+     in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
check-dup-records ( fail | warn | ignore );<br>
check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
check-mx ( fail | warn | ignore );<br>
};<br>
dns64-contact <em class="replaceable"><code>string</code></em>;<br>
dns64-server <em class="replaceable"><code>string</code></em>;<br>
+ dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
- max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+ max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+ max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
max-records <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
preferred-glue <em class="replaceable"><code>string</code></em>;<br>
prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+ qname-minimization ( strict | relaxed | disabled );<br>
query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
    <em class="replaceable"><code>integer</code></em>;<br>
response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+     max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
    policy ( cname | disabled | drop | given | no-op | nodata |<br>
    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+     max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
    } ];<br>
root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+ root-key-sentinel <em class="replaceable"><code>boolean</code></em>;<br>
rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
dialup ( notify | notify-passive | passive | refresh |<br>
    <em class="replaceable"><code>boolean</code></em> );<br>
dlz <em class="replaceable"><code>string</code></em>;<br>
+ dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+ mirror <em class="replaceable"><code>boolean</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
notify-delay <em class="replaceable"><code>integer</code></em>;<br>
delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
dlz <em class="replaceable"><code>string</code></em>;<br>
+ dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+ mirror <em class="replaceable"><code>boolean</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
notify-delay <em class="replaceable"><code>integer</code></em>;<br>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.13.1</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.13.2</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
+ enables <span class="command"><strong>named</strong></span> to serve a transferred copy
+ of a zone's contents without acting as an authority for the
+ zone. A zone must be fully validated against an active trust
+ anchor before it can be used as a mirror zone. DNS responses
+ from mirror zones do not set the AA bit ("authoritative answer"),
+ but do set the AD bit ("authenticated data"). This feature is
+ meant to facilitate deployment of a local copy of the root zone,
+ as described in RFC 7706. [GL #33]
+ </p>
+ </li>
<li class="listitem">
<p>
BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
signatures covering DNSKEY RRsets. [GL #145]
</p>
</li>
+<li class="listitem">
+ <p>
+ Support for QNAME minimization was added and enabled by default
+ in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
+ to normal resolution if the remote server returns something
+ unexpected during the query minimization process. This default
+ setting might change to <span class="command"><strong>strict</strong></span> in the future.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
+ library to set process privileges. The adds a new compile-time
+ dependency, which can be met on most Linux platforms by installing the
+ <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
+ package. BIND can also be built without capability support by using
+ <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
+ loss of security.
+ </p>
+ </li>
</ul></div>
</div>
signatures and digest, nor it will validate them.
</p>
</li>
+<li class="listitem">
+ <p>
+ Add the ability to not return a DNS COOKIE option when one
+ is present in the request. To prevent a cookie being returned
+ add 'answer-cookie no;' to named.conf. [GL #173]
+ </p>
+ <p>
+ <span class="command"><strong>answer-cookie</strong></span> is only intended as a temporary
+ measure, for use when <span class="command"><strong>named</strong></span> shares an IP address
+ with other servers that do not yet support DNS COOKIE. A mismatch
+ between servers on the same address is not expected to cause
+ operational problems, but the option to disable COOKIE responses so
+ that all servers have the same behavior is provided out of an
+ abundance of caution. DNS COOKIE is an important security mechanism,
+ and should not be disabled unless absolutely necessary.
+ </p>
+ </li>
</ul></div>
</div>
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- None.
+ <span class="command"><strong>named</strong></span> now rejects excessively large
+ incremental (IXFR) zone transfers in order to prevent
+ possible corruption of journal files which could cause
+ <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
</p>
</li></ul></div>
</div>
-Release Notes for BIND Version 9.13.1
+Release Notes for BIND Version 9.13.2
Introduction
New Features
+ * A new secondary zone option, mirror, enables named to serve a
+ transferred copy of a zone's contents without acting as an authority
+ for the zone. A zone must be fully validated against an active trust
+ anchor before it can be used as a mirror zone. DNS responses from
+ mirror zones do not set the AA bit ("authoritative answer"), but do
+ set the AD bit ("authenticated data"). This feature is meant to
+ facilitate deployment of a local copy of the root zone, as described
+ in RFC 7706. [GL #33]
+
* BIND now can be compiled against the libidn2 library to add IDNA2008
support. Previously, BIND supported IDNA2003 using the (now obsolete
and unsupported) idnkit-1 library.
* The dnskey-sig-validity option allows the sig-validity-interval to be
overriden for signatures covering DNSKEY RRsets. [GL #145]
+ * Support for QNAME minimization was added and enabled by default in
+ relaxed mode, in which BIND will fall back to normal resolution if the
+ remote server returns something unexpected during the query
+ minimization process. This default setting might change to strict in
+ the future.
+
+ * When built on Linux, BIND now requires the libcap library to set
+ process privileges. The adds a new compile-time dependency, which can
+ be met on most Linux platforms by installing the libcap-dev or
+ libcap-devel package. BIND can also be built without capability
+ support by using configure --disable-linux-caps, at the cost of some
+ loss of security.
+
Removed Features
* named can no longer use the EDNS CLIENT-SUBNET option for view
create new DNSSEC keys, signatures and digest, nor it will validate
them.
+ * Add the ability to not return a DNS COOKIE option when one is present
+ in the request. To prevent a cookie being returned add 'answer-cookie
+ no;' to named.conf. [GL #173]
+
+ answer-cookie is only intended as a temporary measure, for use when
+ named shares an IP address with other servers that do not yet support
+ DNS COOKIE. A mismatch between servers on the same address is not
+ expected to cause operational problems, but the option to disable
+ COOKIE responses so that all servers have the same behavior is
+ provided out of an abundance of caution. DNS COOKIE is an important
+ security mechanism, and should not be disabled unless absolutely
+ necessary.
+
Feature Changes
* BIND will now always use the best CSPRNG (cryptographically-secure
Bug Fixes
- * None.
+ * named now rejects excessively large incremental (IXFR) zone transfers
+ in order to prevent possible corruption of journal files which could
+ cause named to abort when loading zones. [GL #339]
License
] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
* ) ] [ dscp <integer> ];
- answer-cookie <boolean>; // obsolete
+ answer-cookie <boolean>;
attach-cache <string>;
auth-nxdomain <boolean>; // default changed
auto-dnssec ( allow | maintain | off );
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // obsolete
managed-keys-directory <quoted_string>;
min-roots <integer>; // not implemented
minimal-any <boolean>;
minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+ mirror <boolean>;
multi-master <boolean>;
multiple-cnames <boolean>; // obsolete
named-xfer <quoted_string>; // obsolete
preferred-glue <string>;
prefetch <integer> [ <integer> ];
provide-ixfr <boolean>;
- qname-minimization ( strict | relaxed | disabled );
+ qname-minimization ( strict | relaxed | disabled | off );
query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
<integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
port ( <integer> | * ) ) ) [ dscp <integer> ];
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // obsolete
managed-keys { <string> <string>
<integer> <integer> <integer>
min-roots <integer>; // not implemented
minimal-any <boolean>;
minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+ mirror <boolean>;
multi-master <boolean>;
new-zones-directory <quoted_string>;
no-case-compress { <address_match_element>; ... };
preferred-glue <string>;
prefetch <integer> [ <integer> ];
provide-ixfr <boolean>;
- qname-minimization ( strict | relaxed | disabled );
+ qname-minimization ( strict | relaxed | disabled | off );
query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
<integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
port ( <integer> | * ) ) ) [ dscp <integer> ];
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1300
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
-LIBINTERFACE = 1301
+LIBINTERFACE = 1302
LIBREVISION = 0
LIBAGE = 0
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
-LIBINTERFACE = 1301
+LIBINTERFACE = 1302
LIBREVISION = 0
-LIBAGE = 0
+LIBAGE = 1
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1301
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 1
# 9.11: 160-169
# 9.12: 1200-1299
# 9.13: 1300-1399
-LIBINTERFACE = 1301
+LIBINTERFACE = 1302
LIBREVISION = 0
-LIBAGE = 1
+LIBAGE = 0
DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=13
-PATCHVER=1
+PATCHVER=2
RELEASETYPE=
RELEASEVER=
EXTENSIONS=
projects / thirdparty / bind9.git / commitdiff
