Document caveats related to single source port in the ARM

Discourage the single source port on general level and document that the
source port cannot be same as the listening port.  This applies to
query-source, transfer-source, notify-source, parental-source, and their
respective IPv6 counterparts.

(cherry picked from commit c9a17c878ac8c136b1313102d8c9b874379266d0)

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index b16cd304e9eada34da5b7128783f01a138fe10c4..fef55d3be826f5ed03efbac68a88105db9f13a65 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2607,14 +2607,19 @@ options are:
 ``queryport-pool-updateinterval``
    This option is obsolete.
 
-   .. note:: The address specified in the ``query-source`` option is used for both
-      UDP and TCP queries, but the port applies only to UDP queries. TCP
-      queries always use a random unprivileged port.
+.. note:: The address specified in the ``query-source`` option is used for both
+   UDP and TCP queries, but the port applies only to UDP queries. TCP
+   queries always use a random unprivileged port.
 
-   .. note:: Solaris 2.5.1 and earlier does not support setting the source address
-      for TCP sockets.
+.. note:: Solaris 2.5.1 and earlier does not support setting the source address
+   for TCP sockets.
 
-   .. note:: See also ``transfer-source``, ``notify-source`` and ``parental-source``.
+.. warning:: Specifying a single port is discouraged, as it removes a layer of
+   protection against spoofing errors.
+
+.. warning:: The configured ``port`` must not be same as the listening port.
+
+.. note:: See also ``transfer-source``, ``notify-source`` and ``parental-source``.
 
 .. _zone_transfers:
 
@@ -2752,6 +2757,11 @@ options apply to zone transfers.
    .. note:: Solaris 2.5.1 and earlier does not support setting the source
       address for TCP sockets.
 
+   .. warning:: Specifying a single port is discouraged, as it removes a layer of
+      protection against spoofing errors.
+
+   .. warning:: The configured ``port`` must not be same as the listening port.
+
 ``transfer-source-v6``
    This option is the same as ``transfer-source``, except zone transfers are performed
    using IPv6.
@@ -2785,6 +2795,11 @@ options apply to zone transfers.
    .. note:: Solaris 2.5.1 and earlier does not support setting the source
       address for TCP sockets.
 
+   .. warning:: Specifying a single port is discouraged, as it removes a layer of
+      protection against spoofing errors.
+
+   .. warning:: The configured ``port`` must not be same as the listening port.
+
 ``notify-source-v6``
    This option acts like ``notify-source``, but applies to notify messages sent to IPv6
    addresses.
@@ -5076,6 +5091,11 @@ The following options apply to DS queries sent to ``parental-agents``:
    .. note:: Solaris 2.5.1 and earlier does not support setting the source
       address for TCP sockets.
 
+   .. warning:: Specifying a single port is discouraged, as it removes a layer of
+      protection against spoofing errors.
+
+   .. warning:: The configured ``port`` must not be same as the listening port.
+
 ``parental-source-v6``
    This option acts like ``parental-source``, but applies to parental DS
    queries sent to IPv6 addresses.