+++ /dev/null
-Functional enhancements from prior major releases of BIND 9
-
-BIND 9.11
-
-BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
-releases. New features include:
-
- * Added support for Catalog Zones, a new method for provisioning
- servers: a list of zones to be served is stored in a DNS zone, along
- with their configuration parameters. Changes to the catalog zone are
- propagated to slaves via normal AXFR/IXFR, whereupon the zones that
- are listed in it are automatically added, deleted or reconfigured.
- * Added support for "dnstap", a fast and flexible method of capturing
- and logging DNS traffic.
- * Added support for "dyndb", a new API for loading zone data from an
- external database, developed by Red Hat for the FreeIPA project.
- * "fetchlimit" quotas are now compiled in by default. These are for the
- use of recursive resolvers that are are under high query load for
- domains whose authoritative servers are nonresponsive or are
- experiencing a denial of service attack:
- + "fetches-per-server" limits the number of simultaneous queries
- that can be sent to any single authoritative server. The
- configured value is a starting point; it is automatically adjusted
- downward if the server is partially or completely non-responsive.
- The algorithm used to adjust the quota can be configured via the
- "fetch-quota-params" option.
- + "fetches-per-zone" limits the number of simultaneous queries that
- can be sent for names within a single domain. (Note: Unlike
- "fetches-per-server", this value is not self-tuning.)
- + New stats counters have been added to count queries spilled due to
- these quotas.
- * Added a new "dnssec-keymgr" key mainenance utility, which can generate
- or update keys as needed to ensure that a zone's keys match a defined
- DNSSEC policy.
- * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
- and is no longer optional. EDNS COOKIE is a mechanism enabling clients
- to detect off-path spoofed responses, and servers to detect
- spoofed-source queries. Clients that identify themselves using COOKIE
- options are not subject to response rate limiting (RRL) and can
- receive larger UDP responses.
- * SERVFAIL responses can now be cached for a limited time (defaulting to
- 1 second, with an upper limit of 30). This can reduce the frequency of
- retries when a query is persistently failing.
- * Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to
- be skipped if a name server IP address isn't in the cache yet; the
- address will be looked up and the rule will be applied on future
- queries.
- * Added a Python RNDC module. This allows multiple commands to sent over
- a persistent RNDC channel, which saves time.
- * The "controls" block in named.conf can now grant read-only "rndc"
- access to specified clients or keys. Read-only clients could, for
- example, check "rndc status" but could not reconfigure or shut down
- the server.
- * "rndc" commands can now return arbitrarily large amounts of text to
- the caller.
- * The zone serial number of a dynamically updatable zone can now be set
- via "rndc signing -serial ". This allows inline-signing zones to be
- set to a specific serial number.
- * The new "rndc nta" command can be used to set a Negative Trust Anchor
- (NTA), disabling DNSSEC validation for a specific domain; this can be
- used when responses from a domain are known to be failing validation
- due to administrative error rather than because of a spoofing attack.
- Negative trust anchors are strictly temporary; by default they expire
- after one hour, but can be configured to last up to one week.
- * "rndc delzone" can now be used on zones that were not originally
- created by "rndc addzone".
- * "rndc modzone" reconfigures a single zone, without requiring the
- entire server to be reconfigured.
- * "rndc showzone" displays the current configuration of a zone.
- * "rndc managed-keys" can be used to check the status of RFC 5001
- managed trust anchors, or to force trust anchors to be refreshed.
- * "max-cache-size" can now be set to a percentage of available memory.
- The default is 90%.
- * Update forwarding performance has been improved by allowing a single
- TCP connection to be shared by multiple updates.
- * The EDNS Client Subnet (ECS) option is now supported for authoritative
- servers; if a query contains an ECS option then ACLs containing
- "geoip" or "ecs" elements can match against the the address encoded in
- the option. This can be used to select a view for a query, so that
- different answers can be provided depending on the client network.
- * The EDNS EXPIRE option has been implemented on the client side,
- allowing a slave server to set the expiration timer correctly when
- transferring zone data from another slave server.
- * The key generation and manipulation tools (dnssec-keygen,
- dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take
- "-Psync" and "-Dsync" options to set the publication and deletion
- times of CDS and CDNSKEY parent-synchronization records. Both named
- and dnssec-signzone can now publish and remove these records at the
- scheduled times.
- * A new "minimal-any" option reduces the size of UDP responses for query
- type ANY by returning a single arbitrarily selected RRset instead of
- all RRsets.
- * A new "masterfile-style" zone option controls the formatting of text
- zone files: When set to "full", a zone file is dumped in
- single-line-per-record format.
- * "serial-update-method" can now be set to "date". On update, the serial
- number will be set to the current date in YYYYMMDDNN format.
- * "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
- * "named -L " causes named to send log messages to the specified file by
- default instead of to the system log.
- * "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m,
- s for weeks, days, hours, minutes, and seconds.
- * "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
- presentation format.
- * "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
- * "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
- requests.
- * "mdig" is an alternate version of dig which sends multiple pipelined
- TCP queries to a server. Instead of waiting for a response after
- sending a query, it sends all queries immediately and displays
- responses in the order received.
- * "serial-query-rate" no longer controls NOTIFY messages. These are
- separately controlled by "notify-rate" and "startup-notify-rate".
- * "nsupdate" now performs "check-names" processing by default on records
- to be added. This can be disabled with "check-names no".
- * The statistics channel now supports DEFLATE compression, reducing the
- size of the data sent over the network when querying statistics.
- * New counters have been added to the statistics channel to track the
- sizes of incoming queries and outgoing responses in histogram buckets,
- as specified in RSSAC002.
- * A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
- added, allowing redirection to a specified DNS namespace instead of a
- single redirect zone.
- * When starting up, named now ensures that no other named process is
- already running.
- * Files created by named to store information, including "mkeys" and
- "nzf" files, are now named after their corresponding views unless the
- view name contains characters incompatible with use as a filename. Old
- style filenames (based on the hash of the view name) will still work.
-
-BIND 9.10.0
-
-BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
-releases. New features include:
-
- * DNS Response-rate limiting (DNS RRL), which blunts the impact of
- reflection and amplification attacks, is always compiled in and no
- longer requires a compile-time option to enable it.
- * An experimental "Source Identity Token" (SIT) EDNS option is now
- available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
- these are designed to enable clients to detect off-path spoofed
- responses, and to enable servers to detect spoofed-source queries.
- Servers can be configured to send smaller responses to clients that
- have not identified themselves using a SIT option, reducing the
- effectiveness of amplification attacks. RRL processing has also been
- updated; clients proven to be legitimate via SIT are not subject to
- rate limiting. Use "configure --enable-sit" to enable this feature in
- BIND.
- * A new zone file format, "map", stores zone data in a format that can
- be mapped directly into memory, allowing significantly faster zone
- loading.
- * "delv" (domain entity lookup and validation) is a new tool with
- dig-like semantics for looking up DNS data and performing internal
- DNSSEC validation. This allows easy validation in environments where
- the resolver may not be trustworthy, and assists with troubleshooting
- of DNSSEC problems. (NOTE: In previous development releases of BIND
- 9.10, this utility was called "delve". The spelling has been changed
- to avoid confusion with the "delve" utility included with the Xapian
- search engine.)
- * Improved EDNS(0) processing for better resolver performance and
- reliability over slow or lossy connections.
- * A new "configure --with-tuning=large" option tunes certain compiled-in
- constants and default settings to values better suited to large
- servers with abundant memory. This can improve performance on such
- servers, but will consume more memory and may degrade performance on
- smaller systems.
- * Substantial improvement in response-policy zone (RPZ) performance. Up
- to 32 response-policy zones can be configured with minimal performance
- loss.
- * To improve recursive resolver performance, cache records which are
- still being requested by clients can now be automatically refreshed
- from the authoritative server before they expire, reducing or
- eliminating the time window in which no answer is available in the
- cache.
- * New "rpz-client-ip" triggers and drop policies allowing response
- policies based on the IP address of the client.
- * ACLs can now be specified based on geographic location using the
- MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
- * Zone data can now be shared between views, allowing multiple views to
- serve the same zones authoritatively without storing multiple copies
- in memory.
- * New XML schema (version 3) for the statistics channel includes many
- new statistics and uses a flattened XML tree for faster parsing. The
- older schema is now deprecated.
- * A new stylesheet, based on the Google Charts API, displays XML
- statistics in charts and graphs on javascript-enabled browsers.
- * The statistics channel can now provide data in JSON format as well as
- XML.
- * New stats counters track TCP and UDP queries received per zone, and
- EDNS options received in total.
- * The internal and export versions of the BIND libraries (libisc,
- libdns, etc) have been unified so that external library clients can
- use the same libraries as BIND itself.
- * A new compile-time option, "configure --enable-native-pkcs11", allows
- BIND 9 cryptography functions to use the PKCS#11 API natively, so that
- BIND can drive a cryptographic hardware service module (HSM) directly
- instead of using a modified OpenSSL as an intermediary. (Note: This
- feature requires an HSM to have a full implementation of the PKCS#11
- API; many current HSMs only have partial implementations. The new
- "pkcs11-tokens" command can be used to check API completeness. Native
- PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
- version 2 from the Open DNSSEC project.)
- * The new "max-zone-ttl" option enforces maximum TTLs for zones. This
- can simplify the process of rolling DNSSEC keys by guaranteeing that
- cached signatures will have expired within the specified amount of
- time.
- * "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
- * "dig +expire" sends an EDNS EXPIRE option when querying. When this
- option is sent with an SOA query to a server that supports it, it will
- report the expiry time of a slave zone.
- * New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
- report if a lapse in signing coverage has been inadvertently
- scheduled.
- * Signing algorithm flexibility and other improvements for the "rndc"
- control channel.
- * "named-checkzone" and "named-compilezone" can now read journal files,
- allowing them to process dynamic zones.
- * Multiple DLZ databases can now be configured. Individual zones can be
- configured to be served from a specific DLZ database. DLZ databases
- now serve zones of type "master" and "redirect".
- * "rndc zonestatus" reports information about a specified zone.
- * "named" now listens on IPv6 as well as IPv4 interfaces by default.
- * "named" now preserves the capitalization of names when responding to
- queries: for instance, a query for "example.com" may be answered with
- "example.COM" if the name was configured that way in the zone file.
- Some clients have a bug causing them to depend on the older behavior,
- in which the case of the answer always matched the case of the query,
- rather than the case of the name configured in the DNS. Such clients
- can now be specified in the new "no-case-compress" ACL; this will
- restore the older behavior of "named" for those clients only.
- * new "dnssec-importkey" command allows the use of offline DNSSEC keys
- with automatic DNSKEY management.
- * New "named-rrchecker" tool to verify the syntactic correctness of
- individual resource records.
- * When re-signing a zone, the new "dnssec-signzone -Q" option drops
- signatures from keys that are still published but are no longer
- active.
- * "named-checkconf -px" will print the contents of configuration files
- with the shared secrets obscured, making it easier to share
- configuration (e.g. when submitting a bug report) without revealing
- private information.
- * "rndc scan" causes named to re-scan network interfaces for changes in
- local addresses.
- * On operating systems with support for routing sockets, network
- interfaces are re-scanned automatically whenever they change.
- * "tsig-keygen" is now available as an alternate command name to use for
- "ddns-confgen".
-
-BIND 9.9.0
-
-BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
-releases. New features include:
-
- * Inline signing, allowing automatic DNSSEC signing of master zones
- without modification of the zonefile, or "bump in the wire" signing in
- slaves.
- * NXDOMAIN redirection.
- * New 'rndc flushtree' command clears all data under a given name from
- the DNS cache.
- * New 'rndc sync' command dumps pending changes in a dynamic zone to
- disk without a freeze/thaw cycle.
- * New 'rndc signing' command displays or clears signing status records
- in 'auto-dnssec' zones.
- * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
- signing, eliminating the need to initially sign with NSEC.
- * Startup time improvements on large authoritative servers.
- * Slave zones are now saved in raw format by default.
- * Several improvements to response policy zones (RPZ).
- * Improved hardware scalability by using multiple threads to listen for
- queries and using finer-grained client locking
- * The 'also-notify' option now takes the same syntax as 'masters', so it
- can used named masterlists and TSIG keys.
- * 'dnssec-signzone -D' writes an output file containing only DNSSEC
- data, which can be included by the primary zone file.
- * 'dnssec-signzone -R' forces removal of signatures that are not expired
- but were created by a key which no longer exists.
- * 'dnssec-signzone -X' allows a separate expiration date to be specified
- for DNSKEY signatures from other signatures.
- * New '-L' option to dnssec-keygen, dnssec-settime, and
- dnssec-keyfromlabel sets the default TTL for the key.
- * dnssec-dsfromkey now supports reading from standard input, to make it
- easier to convert DNSKEY to DS.
- * RFC 1918 reverse zones have been added to the empty-zones table per
- RFC 6303.
- * Dynamic updates can now optionally set the zone's SOA serial number to
- the current UNIX time.
- * DLZ modules can now retrieve the source IP address of the querying
- client.
- * 'request-ixfr' option can now be set at the per-zone level.
- * 'dig +rrcomments' turns on comments about DNSKEY records, indicating
- their key ID, algorithm and function
- * Simplified nsupdate syntax and added readline support
-
-BIND 9.8.0
-
-BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
-releases. New features include:
-
- * Built-in trust anchor for the root zone, which can be switched on via
- "dnssec-validation auto;"
- * Support for DNS64.
- * Support for response policy zones (RPZ).
- * Support for writable DLZ zones.
- * Improved ease of configuration of GSS/TSIG for interoperability with
- Active Directory
- * Support for GOST signing algorithm for DNSSEC.
- * Removed RTT Banding from server selection algorithm.
- * New "static-stub" zone type.
- * Allow configuration of resolver timeouts via "resolver-query-timeout"
- option.
- * The DLZ "dlopen" driver is now built by default.
- * Added a new include file with function typedefs for the DLZ "dlopen"
- driver.
- * Made "--with-gssapi" default.
- * More verbose error reporting from DLZ LDAP.
-
-BIND 9.7.0
-
-BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
-releases. Most are intended to simplify DNSSEC configuration. New features
-include:
-
- * Fully automatic signing of zones by "named".
- * Simplified configuration of DNSSEC Lookaside Validation (DLV).
- * Simplified configuration of Dynamic DNS, using the "ddns-confgen"
- command line tool or the "local" update-policy option. (As a side
- effect, this also makes it easier to configure automatic zone
- re-signing.)
- * New named option "attach-cache" that allows multiple views to share a
- single cache.
- * DNS rebinding attack prevention.
- * New default values for dnssec-keygen parameters.
- * Support for RFC 5011 automated trust anchor maintenance
- * Smart signing: simplified tools for zone signing and key maintenance.
- * The "statistics-channels" option is now available on Windows.
- * A new DNSSEC-aware libdns API for use by non-BIND9 applications
- * On some platforms, named and other binaries can now print out a stack
- backtrace on assertion failure, to aid in debugging.
- * A "tools only" installation mode on Windows, which only installs dig,
- host, nslookup and nsupdate.
- * Improved PKCS#11 support, including Keyper support and explicit
- OpenSSL engine selection.
-
-BIND 9.6.0
-
- * Full NSEC3 support
- * Automatic zone re-signing
- * New update-policy methods tcp-self and 6to4-self
- * The BIND 8 resolver library, libbind, has been removed from the BIND 9
- distribution and is now available as a separate download.
- * Change the default pid file location from /var/run to /var/run/
- {named,lwresd} for improved chroot/setuid support.
-
-BIND 9.5.0
-
- * GSS-TSIG support (RFC 3645).
- * DHCID support.
- * Experimental http server and statistics support for named via xml.
- * More detailed statistics counters including those supported in BIND 8.
- * Faster ACL processing.
- * Use Doxygen to generate internal documentation.
- * Efficient LRU cache-cleaning mechanism.
- * NSID support.
-
-BIND 9.4.0
-
- * Implemented "additional section caching (or acache)", an internal
- cache framework for additional section content to improve response
- performance. Several configuration options were provided to control
- the behavior.
- * New notify type 'master-only'. Enable notify for master zones only.
- * Accept 'notify-source' style syntax for query-source.
- * rndc now allows addresses to be set in the server clauses.
- * New option "allow-query-cache". This lets "allow-query" be used to
- specify the default zone access level rather than having to have every
- zone override the global value. "allow-query-cache" can be set at both
- the options and view levels. If "allow-query-cache" is not set then
- "allow-recursion" is used if set, otherwise "allow-query" is used if
- set unless "recursion no;" is set in which case "none;" is used,
- otherwise the default (localhost; localnets;) is used.
- * rndc: the source address can now be specified.
- * ixfr-from-differences now takes master and slave in addition to yes
- and no at the options and view levels.
- * Allow the journal's name to be changed via named.conf.
- * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
- specified zone.
- * 'dig +trace' now randomly selects the next servers to try. Report if
- there is a bad delegation.
- * Improve check-names error messages.
- * Make public the function to read a key file, dst_key_read_public().
- * dig now returns the byte count for axfr/ixfr.
- * allow-update is now settable at the options / view level.
- * named-checkconf now checks the logging configuration.
- * host now can turn on memory debugging flags with '-m'.
- * Don't send notify messages to self.
- * Perform sanity checks on NS records which refer to 'in zone' names.
- * New zone option "notify-delay". Specify a minimum delay between sets
- of NOTIFY messages.
- * Extend adjusting TTL warning messages.
- * Named and named-checkzone can now both check for non-terminal wildcard
- records.
- * "rndc freeze/thaw" now freezes/thaws all zones.
- * named-checkconf now check acls to verify that they only refer to
- existing acls.
- * The server syntax has been extended to support a range of servers.
- * Report differences between hints and real NS rrset and associated
- address records.
- * Preserve the case of domain names in rdata during zone transfers.
- * Restructured the data locking framework using architecture dependent
- atomic operations (when available), improving response performance on
- multi-processor machines significantly. x86, x86_64, alpha, powerpc,
- and mips are currently supported.
- * UNIX domain controls are now supported.
- * Add support for additional zone file formats for improving loading
- performance. The masterfile-format option in named.conf can be used to
- specify a non-default format. A separate command named-compilezone was
- provided to generate zone files in the new format. Additionally, the
- -I and -O options for dnssec-signzone specify the input and output
- formats.
- * dnssec-signzone can now randomize signature end times (dnssec-signzone
- -j jitter).
- * Add support for CH A record.
- * Add additional zone data constancy checks. named-checkzone has
- extended checking of NS, MX and SRV record and the hosts they
- reference. named has extended post zone load checks. New zone options:
- check-mx and integrity-check.
- * edns-udp-size can now be overridden on a per server basis.
- * dig can now specify the EDNS version when making a query.
- * Added framework for handling multiple EDNS versions.
- * Additional memory debugging support to track size and mctx arguments.
- * Detect duplicates of UDP queries we are recursing on and drop them.
- New stats category "duplicates".
- * "USE INTERNAL MALLOC" is now runtime selectable.
- * The lame cache is now done on a basis as some servers only appear to
- be lame for certain query types.
- * Limit the number of recursive clients that can be waiting for a single
- query () to resolve. New options clients-per-query and
- max-clients-per-query.
- * dig: report the number of extra bytes still left in the packet after
- processing all the records.
- * Support for IPSECKEY rdata type.
- * Raise the UDP recieve buffer size to 32k if it is less than 32k.
- * x86 and x86_64 now have seperate atomic locking implementations.
- * named-checkconf now validates update-policy entries.
- * Attempt to make the amount of work performed in a iteration self
- tuning. The covers nodes clean from the cache per iteration, nodes
- written to disk when rewriting a master file and nodes destroyed per
- iteration when destroying a zone or a cache.
- * ISC string copy API.
- * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
- 1918 zones are not yet covered by this but are likely to be in a
- future release.
- * New options: empty-server, empty-contact, empty-zones-enable and
- disable-empty-zone.
- * dig now has a '-q queryname' and '+showsearch' options.
- * host/nslookup now continue (default)/fail on SERVFAIL.
- * dig now warns if 'RA' is not set in the answer when 'RD' was set in
- the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
- is set unless a server is explicitly set.
- * Integrate contibuted DLZ code into named.
- * Integrate contibuted IDN code from JPNIC.
- * libbind: corresponds to that from BIND 8.4.7.
-
-BIND 9.3.0
-
- * DNSSEC is now DS based (RFC 3658).
- * DNSSEC lookaside validation.
- * check-names is now implemented.
- * rrset-order is more complete.
- * IPv4/IPv6 transition support, dual-stack-servers.
- * IXFR deltas can now be generated when loading master files,
- ixfr-from-differences.
- * It is now possible to specify the size of a journal, max-journal-size.
- * It is now possible to define a named set of master servers to be used
- in masters clause, masters.
- * The advertised EDNS UDP size can now be set, edns-udp-size.
- * allow-v6-synthesis has been obsoleted.
- * Zones containing MD and MF will now be rejected.
- * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
- NOTIMPL. This will have impact on scripts that are looking for
- NOTIMPL.
- * libbind: corresponds to that from BIND 8.4.5.
-
-BIND 9.2.0
-
- * The size of the cache can now be limited using the "max-cache-size"
- option.
- * The server can now automatically convert RFC1886-style recursive
- lookup requests into RFC2874-style lookups, when enabled using the new
- option "allow-v6-synthesis". This allows stub resolvers that support
- AAAA records but not A6 record chains or binary labels to perform
- lookups in domains that make use of these IPv6 DNS features.
- * Performance has been improved.
- * The man pages now use the more portable "man" macros rather than the
- "mandoc" macros, and are installed by "make install".
- * The named.conf parser has been completely rewritten. It now supports
- "include" directives in more places such as inside "view" statements,
- and it no longer has any reserved words.
- * The "rndc status" command is now implemented.
- * rndc can now be configured automatically.
- * A BIND 8 compatible stub resolver library is now included in lib/bind.
- * OpenSSL has been removed from the distribution. This means that to use
- DNSSEC, OpenSSL must be installed and the --with-openssl option must
- be supplied to configure. This does not apply to the use of TSIG,
- which does not require OpenSSL.
- * The source distribution now builds on Windows. See win32utils/
- readme1.txt and win32utils/win32-build.txt for details.
- * This distribution also includes a new lightweight stub resolver
- library and associated resolver daemon that fully support forward and
- reverse lookups of both IPv4 and IPv6 addresses. This library is
- considered experimental and is not a complete replacement for the BIND
- 8 resolver library. Applications that use the BIND 8 res_* functions
- to perform DNS lookups or dynamic updates still need to be linked
- against the BIND 8 libraries. For DNS lookups, they can also use the
- new "getrrsetbyname()" API.
- * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
- secured zones. This functionality is believed to be stable and
- complete except for lacking support for verifications involving
- wildcard records in secure zones.
- * When acting as a caching server, BIND 9.2 can be configured to perform
- DNSSEC secure resolution on behalf of its clients. This part of the
- DNSSEC implementation is still considered experimental. For detailed
- information about the state of the DNSSEC implementation, see the file
- doc/misc/dnssec.
-
+++ /dev/null
-Setting the STD_CDEFINES environment variable before running configure can
-be used to enable certain compile-time options that are not explicitly
-defined in configure.
-
-Some of these settings are:
-
-Setting Description
- Don't ovewrite memory when allocating or freeing
--DISC_MEM_FILL=0 it; this improves performance but makes
- debugging more difficult.
- Don't track memory allocations by file and line
--DISC_MEM_TRACKLINES=0 number; this improves performance but makes
- debugging more difficult.
--DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
--DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular
- well-known ports:
--DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone
--DCHECK_LOCAL=0 Don't check out-of-zone addresses in
- named-checkzone
--DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run
- rather than ${localstatedir}/run/{named,lwresd}/
-
+++ /dev/null
-BIND 9
-
-Contents
-
- 1. Introduction
- 2. Reporting bugs and getting help
- 3. Contributing to BIND
- 4. BIND 9.12 features
- 5. Building BIND
- 6. Compile-time options
- 7. Automated testing
- 8. Documentation
- 9. Change log
-10. Acknowledgments
-
-Introduction
-
-BIND (Berkeley Internet Name Domain) is a complete, highly portable
-implementation of the DNS (Domain Name System) protocol.
-
-The BIND name server, named, is able to serve as an authoritative name
-server, recursive resolver, DNS forwarder, or all three simultaneously. It
-implements views for split-horizon DNS, automatic DNSSEC zone signing and
-key management, catalog zones to facilitate provisioning of zone data
-throughout a name server constellation, response policy zones (RPZ) to
-protect clients from malicious data, response rate limiting (RRL) and
-recursive query limits to reduce distributed denial of service attacks,
-and many other advanced DNS features. BIND also includes a suite of
-administrative tools, including the dig and delv DNS lookup tools,
-nsupdate for dynamic DNS zone updates, rndc for remote name server
-administration, and more.
-
-BIND 9 is a complete re-write of the BIND architecture that was used in
-versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
-(c)(3) public benefit corporation dedicated to providing software and
-services in support of the Internet infrastructure, developed BIND 9 and
-is responsible for its ongoing maintenance and improvement. BIND is open
-source software licenced under the terms of the Mozilla Public License,
-version 2.0.
-
-For a summary of features introduced in past major releases of BIND, see
-the file HISTORY.
-
-For a detailed list of changes made throughout the history of BIND 9, see
-the file CHANGES. See below for details on the CHANGES file format.
-
-For up-to-date release notes and errata, see http://www.isc.org/software/
-bind9/releasenotes
-
-Reporting bugs and getting help
-
-Please report assertion failure errors and suspected security issues to
-security-officer@isc.org.
-
-General bug reports can be sent to bind9-bugs@isc.org.
-
-Feature requests can be sent to bind-suggest@isc.org.
-
-Please note that, while ISC's ticketing system is not currently publicly
-readable, this may change in the future. Please do not include information
-in bug reports that you consider to be confidential. For example, when
-sending the contents of your configuration file, it is advisable to
-obscure key secrets; this can be done automatically by using
-named-checkconf -px.
-
-Professional support and training for BIND are available from ISC at
-https://www.isc.org/support.
-
-To join the BIND Users mailing list, or view the archives, visit https://
-lists.isc.org/mailman/listinfo/bind-users.
-
-If you're planning on making changes to the BIND 9 source code, you may
-also want to join the BIND Workers mailing list, at https://lists.isc.org/
-mailman/listinfo/bind-workers.
-
-Contributing to BIND
-
-A public git repository for BIND is maintained at http://www.isc.org/git/,
-and also on Github at https://github.com/isc-projects.
-
-Information for BIND contributors can be found in the following files: -
-General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
-style.md - BIND architecture and developer guide: doc/dev/dev.md
-
-Patches for BIND may be submitted either as Github pull requests or via
-email. When submitting a patch via email, please prepend the subject
-header with "[PATCH]" so it will be easier for us to find. If your patch
-introduces a new feature in BIND, please submit it to bind-suggest@isc.org
-; if it fixes a bug, please submit it to bind9-bugs@isc.org.
-
-BIND 9.12 features
-
-BIND 9.12.0 is the newest development branch of BIND 9. It includes a
-number of changes from BIND 9.11 and earlier releases. New features
-include:
-
- * named and related libraries have been substantially refactored for for
- improved query performance -- particularly on delegation heavy zones
- -- and for improved readability, maintainability, and testability.
- * Code implementing the name server query processing logic has been
- moved into a new libns library, for easier testing and use in tools
- other than named.
- * Cached, validated NSEC and other records can now be used to synthesize
- NXDOMAIN responses.
- * The DNS Response Policy Service API (DNSRPS) is now supported.
- * Setting max-journal-size default now limits the size of journal files
- to twice the size of the zone.
- * The query handling code has been substantially refactored for improved
- readability, maintainability and testability .
- * dnstap-read -x prints a hex dump of the wire format of each logged DNS
- message.
- * dnstap output files can now be configured to roll automatically when
- reaching a given size.
- * Log file timestamps can now also be formatted in ISO 8601 (local) or
- ISO 8601 (UTC) formats.
- * Logging channels and dnstap output files can now be configured to use
- a timestamp as the suffix when rolling to a new file.
- * named-checkconf -l lists zones found in named.conf.
- * Added support for the EDNS Padding and Keepalive options.
- * 'new-zones-directory' option sets the location where the configuration
- data for zones added by rndc addzone is stored
- * named-checkconf -l lists the zones found in named.conf.
-
-Building BIND
-
-BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
-support, and a 64-bit integer type. Successful builds have been observed
-on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
-Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
-HP-UX, AIX, SCO OpenServer, and OpenWRT.
-
-BIND is also available for Windows XP, 2003, 2008, and higher. See
-win32utils/readme1st.txt for details on building for Windows systems.
-
-To build on a UNIX or Linux system, use:
-
- $ ./configure
- $ make
-
-If you're planning on making changes to the BIND 9 source, you should run
-make depend. If you're using Emacs, you might find make tags helpful.
-
-Several environment variables that can be set before running configure
-will affect compilation:
-
-Variable Description
-CC The C compiler to use. configure tries to figure out the
- right one for supported systems.
- C compiler flags. Defaults to include -g and/or -O2 as
-CFLAGS supported by the compiler. Please include '-g' if you need
- to set CFLAGS.
- System header file directories. Can be used to specify
-STD_CINCLUDES where add-on thread or IPv6 support is, for example.
- Defaults to empty string.
- Any additional preprocessor symbols you want defined.
-STD_CDEFINES Defaults to empty string. For a list of possible settings,
- see the file OPTIONS.
-LDFLAGS Linker flags. Defaults to empty string.
-BUILD_CC Needed when cross-compiling: the native C compiler to use
- when building for the target system.
-BUILD_CFLAGS Optional, used for cross-compiling
-BUILD_CPPFLAGS
-BUILD_LDFLAGS
-BUILD_LIBS
-
-Compile-time options
-
-To see a full list of configuration options, run configure --help.
-
-On most platforms, BIND 9 is built with multithreading support, allowing
-it to take advantage of multiple CPUs. You can configure this by
-specifying --enable-threads or --disable-threads on the configure command
-line. The default is to enable threads, except on some older operating
-systems on which threads are known to have had problems in the past.
-(Note: Prior to BIND 9.10, the default was to disable threads on Linux
-systems; this has now been reversed. On Linux systems, the threaded build
-is known to change BIND's behavior with respect to file permissions; it
-may be necessary to specify a user with the -u option when running named.)
-
-To build shared libraries, specify --with-libtool on the configure command
-line.
-
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
-large on the configure command line. This can improve performance on big
-servers, but will consume more memory and may degrade performance on
-smaller systems.
-
-For the server to support DNSSEC, you need to build it with crypto
-support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
-installed. If the OpenSSL library is installed in a nonstandard location,
-specify the prefix using "--with-openssl=/prefix" on the configure command
-line. To use a PKCS#11 hardware service module for cryptographic
-operations, specify the path to the PKCS#11 provider library using
-"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11".
-
-To support the HTTP statistics channel, the server must be linked with at
-least one of the following: libxml2 http://xmlsoft.org or json-c https://
-github.com/json-c. If these are installed at a nonstandard location,
-specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
-
-To support compression on the HTTP statistics channel, the server must be
-linked against libzlib. If this is installed in a nonstandard location,
-specify the prefix using --with-zlib=/prefix.
-
-To support storing configuration data for runtime-added zones in an LMDB
-database, the server must be linked with liblmdb. If this is installed in
-a nonstandard location, specify the prefix using "with-lmdb=/prefix".
-
-To support GeoIP location-based ACLs, the server must be linked with
-libGeoIP. This is not turned on by default; BIND must be configured with
-"--with-geoip". If the library is installed in a nonstandard location, use
-specify the prefix using "--with-geoip=/prefix".
-
-For DNSTAP packet logging, you must have libfstrm https://github.com/
-farsightsec/fstrm and libprotobuf-c https://developers.google.com/
-protocol-buffers, and BIND must be configured with "--enable-dnstap".
-
-Python requires the 'argparse' and 'ply' modules to be available.
-'argparse' is a standard module as of Python 2.7 and Python 3.2. 'ply' is
-available from https://pypi.python.org/pypi/ply.
-
-On some platforms it is necessary to explicitly request large file support
-to handle files bigger than 2GB. This can be done by using
---enable-largefile on the configure command line.
-
-Support for the "fixed" rrset-order option can be enabled or disabled by
-specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
-command line. By default, fixed rrset-order is disabled to reduce memory
-footprint.
-
-If your operating system has integrated support for IPv6, it will be used
-automatically. If you have installed KAME IPv6 separately, use --with-kame
-[=PATH] to specify its location.
-
-make install will install named and the various BIND 9 libraries. By
-default, installation is into /usr/local, but this can be changed with the
---prefix option when running configure.
-
-You may specify the option --sysconfdir to set the directory where
-configuration files like named.conf go by default, and --localstatedir to
-set the default parent directory of run/named.pid. For backwards
-compatibility with BIND 8, --sysconfdir defaults to /etc and
---localstatedir defaults to /var if no --prefix option is given. If there
-is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
-defaults to $prefix/var.
-
-Automated testing
-
-A system test suite can be run with make test. The system tests require
-you to configure a set of virtual IP addresses on your system (this allows
-multiple servers to run locally and communicate with one another). These
-IP addresses can be configured by by running the script bin/tests/system/
-ifconfig.sh up as root.
-
-Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
-and will be skipped if these are not available. Some tests require Python
-and the 'dnspython' module and will be skipped if these are not available.
-See bin/tests/system/README for further details.
-
-Unit tests are implemented using Automated Testing Framework (ATF). To run
-them, use configure --with-atf, then run make test or make unit.
-
-Documentation
-
-The BIND 9 Administrator Reference Manual is included with the source
-distribution, in DocBook XML, HTML and PDF format, in the doc/arm
-directory.
-
-Some of the programs in the BIND 9 distribution have man pages in their
-directories. In particular, the command line options of named are
-documented in bin/named/named.8.
-
-Frequently (and not-so-frequently) asked questions and their answers can
-be found in the ISC Knowledge Base at https://kb.isc.org.
-
-Additional information on various subjects can be found in other README
-files throughout the source tree.
-
-Change log
-
-A detailed list of all changes that have been made throughout the
-development BIND 9 is included in the file CHANGES, with the most recent
-changes listed first. Change notes include tags indicating the category of
-the change that was made; these categories are:
-
-Category Description
-[func] New feature
-[bug] General bug fix
-[security] Fix for a significant security flaw
-[experimental] Used for new features when the syntax or other aspects of
- the design are still in flux and may change
-[port] Portability enhancement
-[maint] Updates to built-in data such as root server addresses and
- keys
-[tuning] Changes to built-in configuration defaults and constants to
- improve performance
-[performance] Other changes to improve server performance
-[protocol] Updates to the DNS protocol such as new RR types
-[test] Changes to the automatic tests, not affecting server
- functionality
-[cleanup] Minor corrections and refactoring
-[doc] Documentation
-[contrib] Changes to the contributed tools and libraries in the
- 'contrib' subdirectory
- Used in the master development branch to reserve change
-[placeholder] numbers for use in other branches, e.g. when fixing a bug
- that only exists in older releases
-
-In general, [func] and [experimental] tags will only appear in new-feature
-releases (i.e., those with version numbers ending in zero). Some new
-functionality may be backported to older releases on a case-by-case basis.
-All other change types may be applied to all currently-supported releases.
-
-Acknowledgments
-
- * The original development of BIND 9 was underwritten by the following
- organizations:
-
- Sun Microsystems, Inc.
- Hewlett Packard
- Compaq Computer Corporation
- IBM
- Process Software Corporation
- Silicon Graphics, Inc.
- Network Associates, Inc.
- U.S. Defense Information Systems Agency
- USENIX Association
- Stichting NLnet - NLnet Foundation
- Nominum, Inc.
-
- * This product includes software developed by the OpenSSL Project for
- use in the OpenSSL Toolkit. http://www.OpenSSL.org/
- * This product includes cryptographic software written by Eric Young
- (eay@cryptsoft.com)
- * This product includes software written by Tim Hudson
- (tjh@cryptsoft.com)
-
docdir
oldincludedir
includedir
-runstatedir
localstatedir
sharedstatedir
sysconfdir
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
- -runstatedir | --runstatedir | --runstatedi | --runstated \
- | --runstate | --runstat | --runsta | --runst | --runs \
- | --run | --ru | --r)
- ac_prev=runstatedir ;;
- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
- | --run=* | --ru=* | --r=*)
- runstatedir=$ac_optarg ;;
-
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir runstatedir
+ libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 1. Introduction</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="next" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 1. Introduction</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch01.html#doc_scope">Scope of Document</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#organization">Organization of This Document</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#conventions">Conventions Used in This Document</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_overview">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_fundamentals">DNS Fundamentals</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#domain_names">Domains and Domain Names</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#zones">Zones</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#auth_servers">Authoritative Name Servers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#cache_servers">Caching Name Servers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#multi_role">Name Servers in Multiple Roles</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-
- <p>
- The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
- consists of the syntax
- to specify the names of entities in the Internet in a hierarchical
- manner, the rules used for delegating authority over names, and the
- system implementation that actually maps names to Internet
- addresses. <acronym class="acronym">DNS</acronym> data is maintained in a
- group of distributed
- hierarchical databases.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="doc_scope"></a>Scope of Document</h2></div></div></div>
-
- <p>
- The Berkeley Internet Name Domain
- (<acronym class="acronym">BIND</acronym>) implements a
- domain name server for a number of operating systems. This
- document provides basic information about the installation and
- care of the Internet Systems Consortium (<acronym class="acronym">ISC</acronym>)
- <acronym class="acronym">BIND</acronym> version 9 software package for
- system administrators.
- </p>
- <p>This version of the manual corresponds to BIND version 9.11.</p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="organization"></a>Organization of This Document</h2></div></div></div>
-
- <p>
- In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
- the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
- describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
- environments. Information in <span class="emphasis"><em>Chapter 3</em></span> is
- <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
- organized functionally, to aid in the process of installing the
- <acronym class="acronym">BIND</acronym> 9 software. The task-oriented
- section is followed by
- <span class="emphasis"><em>Chapter 4</em></span>, which contains more advanced
- concepts that the system administrator may need for implementing
- certain options. <span class="emphasis"><em>Chapter 5</em></span>
- describes the <acronym class="acronym">BIND</acronym> 9 lightweight
- resolver. The contents of <span class="emphasis"><em>Chapter 6</em></span> are
- organized as in a reference manual to aid in the ongoing
- maintenance of the software. <span class="emphasis"><em>Chapter 7</em></span> addresses
- security considerations, and
- <span class="emphasis"><em>Chapter 8</em></span> contains troubleshooting help. The
- main body of the document is followed by several
- <span class="emphasis"><em>appendices</em></span> which contain useful reference
- information, such as a <span class="emphasis"><em>bibliography</em></span> and
- historic information related to <acronym class="acronym">BIND</acronym>
- and the Domain Name
- System.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="conventions"></a>Conventions Used in This Document</h2></div></div></div>
-
- <p>
- In this document, we use the following general typographic
- conventions:
- </p>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="3.000in" class="1">
-<col width="2.625in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <span class="emphasis"><em>To describe:</em></span>
- </p>
- </td>
-<td>
- <p>
- <span class="emphasis"><em>We use the style:</em></span>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- a pathname, filename, URL, hostname,
- mailing list name, or new term or concept
- </p>
- </td>
-<td>
- <p>
- <code class="filename">Fixed width</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- literal user
- input
- </p>
- </td>
-<td>
- <p>
- <strong class="userinput"><code>Fixed Width Bold</code></strong>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- program output
- </p>
- </td>
-<td>
- <p>
- <code class="computeroutput">Fixed Width</code>
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
-
- <p>
- The following conventions are used in descriptions of the
- <acronym class="acronym">BIND</acronym> configuration file:</p>
-<div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="3.000in" class="1">
-<col width="2.625in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <span class="emphasis"><em>To describe:</em></span>
- </p>
- </td>
-<td>
- <p>
- <span class="emphasis"><em>We use the style:</em></span>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- keywords
- </p>
- </td>
-<td>
- <p>
- <code class="literal">Fixed Width</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- variables
- </p>
- </td>
-<td>
- <p>
- <code class="varname">Fixed Width</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- Optional input
- </p>
- </td>
-<td>
- <p>
- [<span class="optional">Text is enclosed in square brackets</span>]
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
-<p>
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dns_overview"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
-
- <p>
- The purpose of this document is to explain the installation
- and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
- Name Domain) software package, and we
- begin by reviewing the fundamentals of the Domain Name System
- (<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="dns_fundamentals"></a>DNS Fundamentals</h3></div></div></div>
-
- <p>
- The Domain Name System (DNS) is a hierarchical, distributed
- database. It stores information for mapping Internet host names to
- IP
- addresses and vice versa, mail routing information, and other data
- used by Internet applications.
- </p>
-
- <p>
- Clients look up information in the DNS by calling a
- <span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
- more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
- The <acronym class="acronym">BIND</acronym> 9 software distribution
- contains a name server, <span class="command"><strong>named</strong></span>, and a set
- of associated tools.
- </p>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="domain_names"></a>Domains and Domain Names</h3></div></div></div>
-
- <p>
- The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
- organizational or administrative boundaries. Each node of the tree,
- called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
- name of the
- node is the concatenation of all the labels on the path from the
- node to the <span class="emphasis"><em>root</em></span> node. This is represented
- in written form as a string of labels listed from right to left and
- separated by dots. A label need only be unique within its parent
- domain.
- </p>
-
- <p>
- For example, a domain name for a host at the
- company <span class="emphasis"><em>Example, Inc.</em></span> could be
- <code class="literal">ourhost.example.com</code>,
- where <code class="literal">com</code> is the
- top level domain to which
- <code class="literal">ourhost.example.com</code> belongs,
- <code class="literal">example</code> is
- a subdomain of <code class="literal">com</code>, and
- <code class="literal">ourhost</code> is the
- name of the host.
- </p>
-
- <p>
- For administrative purposes, the name space is partitioned into
- areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
- extending down to the leaf nodes or to nodes where other zones
- start.
- The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
- <span class="emphasis"><em>DNS protocol</em></span>.
- </p>
-
- <p>
- The data associated with each domain name is stored in the
- form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
- Some of the supported resource record types are described in
- <a class="xref" href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called “Types of Resource Records and When to Use Them”</a>.
- </p>
-
- <p>
- For more detailed information about the design of the DNS and
- the DNS protocol, please refer to the standards documents listed in
- <a class="xref" href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called “Request for Comments (RFCs)”</a>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zones"></a>Zones</h3></div></div></div>
-
- <p>
- To properly operate a name server, it is important to understand
- the difference between a <span class="emphasis"><em>zone</em></span>
- and a <span class="emphasis"><em>domain</em></span>.
- </p>
-
- <p>
- As stated previously, a zone is a point of delegation in
- the <acronym class="acronym">DNS</acronym> tree. A zone consists of
- those contiguous parts of the domain
- tree for which a name server has complete information and over which
- it has authority. It contains all domain names from a certain point
- downward in the domain tree except those which are delegated to
- other zones. A delegation point is marked by one or more
- <span class="emphasis"><em>NS records</em></span> in the
- parent zone, which should be matched by equivalent NS records at
- the root of the delegated zone.
- </p>
-
- <p>
- For instance, consider the <code class="literal">example.com</code>
- domain which includes names
- such as <code class="literal">host.aaa.example.com</code> and
- <code class="literal">host.bbb.example.com</code> even though
- the <code class="literal">example.com</code> zone includes
- only delegations for the <code class="literal">aaa.example.com</code> and
- <code class="literal">bbb.example.com</code> zones. A zone can
- map
- exactly to a single domain, but could also include only part of a
- domain, the rest of which could be delegated to other
- name servers. Every name in the <acronym class="acronym">DNS</acronym>
- tree is a
- <span class="emphasis"><em>domain</em></span>, even if it is
- <span class="emphasis"><em>terminal</em></span>, that is, has no
- <span class="emphasis"><em>subdomains</em></span>. Every subdomain is a domain and
- every domain except the root is also a subdomain. The terminology is
- not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
- to
- gain a complete understanding of this difficult and subtle
- topic.
- </p>
-
- <p>
- Though <acronym class="acronym">BIND</acronym> is called a "domain name
- server",
- it deals primarily in terms of zones. The master and slave
- declarations in the <code class="filename">named.conf</code> file
- specify
- zones, not domains. When you ask some other site if it is willing to
- be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
- actually asking for slave service for some collection of zones.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="auth_servers"></a>Authoritative Name Servers</h3></div></div></div>
-
- <p>
- Each zone is served by at least
- one <span class="emphasis"><em>authoritative name server</em></span>,
- which contains the complete data for the zone.
- To make the DNS tolerant of server and network failures,
- most zones have two or more authoritative servers, on
- different networks.
- </p>
-
- <p>
- Responses from authoritative servers have the "authoritative
- answer" (AA) bit set in the response packets. This makes them
- easy to identify when debugging DNS configurations using tools like
- <span class="command"><strong>dig</strong></span> (<a class="xref" href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called “Diagnostic Tools”</a>).
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="primary_master"></a>The Primary Master</h4></div></div></div>
-
- <p>
- The authoritative server where the master copy of the zone
- data is maintained is called the
- <span class="emphasis"><em>primary master</em></span> server, or simply the
- <span class="emphasis"><em>primary</em></span>. Typically it loads the zone
- contents from some local file edited by humans or perhaps
- generated mechanically from some other local file which is
- edited by humans. This file is called the
- <span class="emphasis"><em>zone file</em></span> or
- <span class="emphasis"><em>master file</em></span>.
- </p>
-
- <p>
- In some cases, however, the master file may not be edited
- by humans at all, but may instead be the result of
- <span class="emphasis"><em>dynamic update</em></span> operations.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="slave_server"></a>Slave Servers</h4></div></div></div>
-
- <p>
- The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
- servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
- load
- the zone contents from another server using a replication process
- known as a <span class="emphasis"><em>zone transfer</em></span>. Typically the data
- are
- transferred directly from the primary master, but it is also
- possible
- to transfer it from another slave. In other words, a slave server
- may itself act as a master to a subordinate slave server.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="stealth_server"></a>Stealth Servers</h4></div></div></div>
-
- <p>
- Usually all of the zone's authoritative servers are listed in
- NS records in the parent zone. These NS records constitute
- a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
- The authoritative servers are also listed in the zone file itself,
- at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
- of the zone. You can list servers in the zone's top-level NS
- records that are not in the parent's NS delegation, but you cannot
- list servers in the parent's delegation that are not present at
- the zone's top level.
- </p>
-
- <p>
- A <span class="emphasis"><em>stealth server</em></span> is a server that is
- authoritative for a zone but is not listed in that zone's NS
- records. Stealth servers can be used for keeping a local copy of
- a
- zone to speed up access to the zone's records or to make sure that
- the
- zone is available even if all the "official" servers for the zone
- are
- inaccessible.
- </p>
-
- <p>
- A configuration where the primary master server itself is a
- stealth server is often referred to as a "hidden primary"
- configuration. One use for this configuration is when the primary
- master
- is behind a firewall and therefore unable to communicate directly
- with the outside world.
- </p>
-
- </div>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="cache_servers"></a>Caching Name Servers</h3></div></div></div>
-
-
-
- <p>
- The resolver libraries provided by most operating systems are
- <span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
- capable of
- performing the full DNS resolution process by themselves by talking
- directly to the authoritative servers. Instead, they rely on a
- local
- name server to perform the resolution on their behalf. Such a
- server
- is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
- <span class="emphasis"><em>recursive lookups</em></span> for local clients.
- </p>
-
- <p>
- To improve performance, recursive servers cache the results of
- the lookups they perform. Since the processes of recursion and
- caching are intimately connected, the terms
- <span class="emphasis"><em>recursive server</em></span> and
- <span class="emphasis"><em>caching server</em></span> are often used synonymously.
- </p>
-
- <p>
- The length of time for which a record may be retained in
- the cache of a caching name server is controlled by the
- Time To Live (TTL) field associated with each resource record.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="forwarder"></a>Forwarding</h4></div></div></div>
-
- <p>
- Even a caching name server does not necessarily perform
- the complete recursive lookup itself. Instead, it can
- <span class="emphasis"><em>forward</em></span> some or all of the queries
- that it cannot satisfy from its cache to another caching name
- server,
- commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
- </p>
-
- <p>
- There may be one or more forwarders,
- and they are queried in turn until the list is exhausted or an
- answer
- is found. Forwarders are typically used when you do not
- wish all the servers at a given site to interact directly with the
- rest of
- the Internet servers. A typical scenario would involve a number
- of internal <acronym class="acronym">DNS</acronym> servers and an
- Internet firewall. Servers unable
- to pass packets through the firewall would forward to the server
- that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
- on the internal server's behalf.
- </p>
- </div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="multi_role"></a>Name Servers in Multiple Roles</h3></div></div></div>
-
- <p>
- The <acronym class="acronym">BIND</acronym> name server can
- simultaneously act as
- a master for some zones, a slave for other zones, and as a caching
- (recursive) server for a set of local clients.
- </p>
-
- <p>
- However, since the functions of authoritative name service
- and caching/recursive name service are logically separate, it is
- often advantageous to run them on separate server machines.
-
- A server that only provides authoritative name service
- (an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
- recursion disabled, improving reliability and security.
-
- A server that is not authoritative for any zones and only provides
- recursive service to local
- clients (a <span class="emphasis"><em>caching-only</em></span> server)
- does not need to be reachable from the Internet at large and can
- be placed inside a firewall.
- </p>
-
- </div>
- </div>
-
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">BIND 9 Administrator Reference Manual </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 2. BIND Resource Requirements</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
-<link rel="next" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch01.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch03.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch02"></a>Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch02.html#hw_req">Hardware requirements</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#cpu_req">CPU Requirements</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#mem_req">Memory Requirements</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#supported_os">Supported Operating Systems</a></span></dt>
-</dl>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="hw_req"></a>Hardware requirements</h2></div></div></div>
- <p>
- <acronym class="acronym">DNS</acronym> hardware requirements have
- traditionally been quite modest.
- For many installations, servers that have been pensioned off from
- active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.
- </p>
- <p>
- The DNSSEC features of <acronym class="acronym">BIND</acronym> 9
- may prove to be quite
- CPU intensive however, so organizations that make heavy use of these
- features may wish to consider larger systems for these applications.
- <acronym class="acronym">BIND</acronym> 9 is fully multithreaded, allowing
- full utilization of
- multiprocessor systems for installations that need it.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="cpu_req"></a>CPU Requirements</h2></div></div></div>
- <p>
- CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
- i486-class machines
- for serving of static zones without caching, to enterprise-class
- machines if you intend to process many dynamic updates and DNSSEC
- signed zones, serving many thousands of queries per second.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="mem_req"></a>Memory Requirements</h2></div></div></div>
- <p>
- The memory of the server has to be large enough to fit the
- cache and zones loaded off disk. The <span class="command"><strong>max-cache-size</strong></span>
- option can be used to limit the amount of memory used by the cache,
- at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
- traffic.
- It is still good practice to have enough memory to load
- all zone and cache data into memory — unfortunately, the best
- way
- to determine this for a given installation is to watch the name server
- in operation. After a few weeks the server process should reach
- a relatively stable size where entries are expiring from the cache as
- fast as they are being inserted.
- </p>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="intensive_env"></a>Name Server Intensive Environment Issues</h2></div></div></div>
-
- <p>
- For name server intensive environments, there are two alternative
- configurations that may be used. The first is where clients and
- any second-level internal name servers query a main name server, which
- has enough memory to build a large cache. This approach minimizes
- the bandwidth used by external name lookups. The second alternative
- is to set up second-level internal name servers to make queries
- independently.
- In this configuration, none of the individual machines needs to
- have as much memory or CPU power as in the first alternative, but
- this has the disadvantage of making many more external queries,
- as none of the name servers share their cached data.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="supported_os"></a>Supported Operating Systems</h2></div></div></div>
-
- <p>
- ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
- number
- of Unix-like operating systems and on
- Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
- For an up-to-date
- list of supported systems, see the README file in the top level
- directory
- of the BIND 9 source distribution.
- </p>
- </div>
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch01.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch03.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 1. Introduction </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 3. Name Server Configuration</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 3. Name Server Configuration</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
-<link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 3. Name Server Configuration</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#cache_only_sample">A Caching-only Name Server</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#auth_only_sample">An Authoritative-only Name Server</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#load_balancing">Load Balancing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#ns_operations">Name Server Operations</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-
- <p>
- In this chapter we provide some suggested configurations along
- with guidelines for their use. We suggest reasonable values for
- certain option settings.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="cache_only_sample"></a>A Caching-only Name Server</h3></div></div></div>
-
- <p>
- The following sample configuration is appropriate for a caching-only
- name server for use by clients internal to a corporation. All
- queries
- from outside clients are refused using the <span class="command"><strong>allow-query</strong></span>
- option. Alternatively, the same effect could be achieved using
- suitable
- firewall rules.
- </p>
-
-<pre class="programlisting">
-// Two corporate subnets we wish to allow queries from.
-acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
-options {
- // Working directory
- directory "/etc/namedb";
-
- allow-query { corpnets; };
-};
-// Provide a reverse mapping for the loopback
-// address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
- type master;
- file "localhost.rev";
- notify no;
-};
-</pre>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="auth_only_sample"></a>An Authoritative-only Name Server</h3></div></div></div>
-
- <p>
- This sample configuration is for an authoritative-only server
- that is the master server for "<code class="filename">example.com</code>"
- and a slave for the subdomain "<code class="filename">eng.example.com</code>".
- </p>
-
-<pre class="programlisting">
-options {
- // Working directory
- directory "/etc/namedb";
- // Do not allow access to cache
- allow-query-cache { none; };
- // This is the default
- allow-query { any; };
- // Do not provide recursive service
- recursion no;
-};
-
-// Provide a reverse mapping for the loopback
-// address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
- type master;
- file "localhost.rev";
- notify no;
-};
-// We are the master server for example.com
-zone "example.com" {
- type master;
- file "example.com.db";
- // IP addresses of slave servers allowed to
- // transfer example.com
- allow-transfer {
- 192.168.4.14;
- 192.168.5.53;
- };
-};
-// We are a slave server for eng.example.com
-zone "eng.example.com" {
- type slave;
- file "eng.example.com.bk";
- // IP address of eng.example.com master server
- masters { 192.168.4.12; };
-};
-</pre>
-
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="load_balancing"></a>Load Balancing</h2></div></div></div>
-
-
-
- <p>
- A primitive form of load balancing can be achieved in
- the <acronym class="acronym">DNS</acronym> by using multiple records
- (such as multiple A records) for one name.
- </p>
-
- <p>
- For example, if you have three WWW servers with network addresses
- of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
- following means that clients will connect to each machine one third
- of the time:
- </p>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="0.875in" class="1">
-<col width="0.500in" class="2">
-<col width="0.750in" class="3">
-<col width="0.750in" class="4">
-<col width="2.028in" class="5">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- Name
- </p>
- </td>
-<td>
- <p>
- TTL
- </p>
- </td>
-<td>
- <p>
- CLASS
- </p>
- </td>
-<td>
- <p>
- TYPE
- </p>
- </td>
-<td>
- <p>
- Resource Record (RR) Data
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">www</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">600</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.0.0.1</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">600</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.0.0.2</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">600</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.0.0.3</code>
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <p>
- When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
- them and respond to the query with the records in a different
- order. In the example above, clients will randomly receive
- records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
- will use the first record returned and discard the rest.
- </p>
- <p>
- For more detail on ordering responses, check the
- <span class="command"><strong>rrset-order</strong></span> sub-statement in the
- <span class="command"><strong>options</strong></span> statement, see
- <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">RRset Ordering</a>.
- </p>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="ns_operations"></a>Name Server Operations</h2></div></div></div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="tools"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
- <p>
- This section describes several indispensable diagnostic,
- administrative and monitoring tools available to the system
- administrator for controlling and debugging the name server
- daemon.
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
- <p>
- The <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span>, and
- <span class="command"><strong>nslookup</strong></span> programs are all command
- line tools
- for manually querying name servers. They differ in style and
- output format.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><a name="dig"></a><span class="command"><strong>dig</strong></span></span></dt>
-<dd>
- <p>
- <span class="command"><strong>dig</strong></span>
- is the most versatile and complete of these lookup tools.
- It has two modes: simple interactive
- mode for a single query, and batch mode which executes a
- query for
- each in a list of several query lines. All query options are
- accessible
- from the command line.
- </p>
- <div class="cmdsynopsis"><p>
- <code class="command">dig</code>
- [@<em class="replaceable"><code>server</code></em>]
- <em class="replaceable"><code>domain</code></em>
- [<em class="replaceable"><code>query-type</code></em>]
- [<em class="replaceable"><code>query-class</code></em>]
- [+<em class="replaceable"><code>query-option</code></em>]
- [-<em class="replaceable"><code>dig-option</code></em>]
- [%<em class="replaceable"><code>comment</code></em>]
- </p></div>
- <p>
- The usual simple use of <span class="command"><strong>dig</strong></span> will take the form
- </p>
- <p class="simpara">
- <span class="command"><strong>dig @server domain query-type query-class</strong></span>
- </p>
- <p>
- For more information and a list of available commands and
- options, see the <span class="command"><strong>dig</strong></span> man
- page.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>host</strong></span></span></dt>
-<dd>
- <p>
- The <span class="command"><strong>host</strong></span> utility emphasizes
- simplicity
- and ease of use. By default, it converts
- between host names and Internet addresses, but its
- functionality
- can be extended with the use of options.
- </p>
- <div class="cmdsynopsis"><p>
- <code class="command">host</code>
- [-aCdlnrsTwv]
- [-c <em class="replaceable"><code>class</code></em>]
- [-N <em class="replaceable"><code>ndots</code></em>]
- [-t <em class="replaceable"><code>type</code></em>]
- [-W <em class="replaceable"><code>timeout</code></em>]
- [-R <em class="replaceable"><code>retries</code></em>]
- [-m <em class="replaceable"><code>flag</code></em>]
- [-4]
- [-6]
- <em class="replaceable"><code>hostname</code></em>
- [<em class="replaceable"><code>server</code></em>]
- </p></div>
- <p>
- For more information and a list of available commands and
- options, see the <span class="command"><strong>host</strong></span> man
- page.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>nslookup</strong></span></span></dt>
-<dd>
- <p><span class="command"><strong>nslookup</strong></span>
- has two modes: interactive and
- non-interactive. Interactive mode allows the user to
- query name servers for information about various
- hosts and domains or to print a list of hosts in a
- domain. Non-interactive mode is used to print just
- the name and requested information for a host or
- domain.
- </p>
- <div class="cmdsynopsis"><p>
- <code class="command">nslookup</code>
- [-option...]
- [
- [<em class="replaceable"><code>host-to-find</code></em>]
- | [- [server]]
- ]
- </p></div>
- <p>
- Interactive mode is entered when no arguments are given (the
- default name server will be used) or when the first argument
- is a
- hyphen (`-') and the second argument is the host name or
- Internet address
- of a name server.
- </p>
- <p>
- Non-interactive mode is used when the name or Internet
- address
- of the host to be looked up is given as the first argument.
- The
- optional second argument specifies the host name or address
- of a name server.
- </p>
- <p>
- Due to its arcane user interface and frequently inconsistent
- behavior, we do not recommend the use of <span class="command"><strong>nslookup</strong></span>.
- Use <span class="command"><strong>dig</strong></span> instead.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
- <p>
- Administrative tools play an integral part in the management
- of a server.
- </p>
- <div class="variablelist"><dl class="variablelist">
-<dt>
-<a name="named-checkconf"></a><span class="term"><span class="command"><strong>named-checkconf</strong></span></span>
-</dt>
-<dd>
- <p>
- The <span class="command"><strong>named-checkconf</strong></span> program
- checks the syntax of a <code class="filename">named.conf</code> file.
- </p>
- <div class="cmdsynopsis"><p>
- <code class="command">named-checkconf</code>
- [-jvz]
- [-t <em class="replaceable"><code>directory</code></em>]
- [<em class="replaceable"><code>filename</code></em>]
- </p></div>
- </dd>
-<dt>
-<a name="named-checkzone"></a><span class="term"><span class="command"><strong>named-checkzone</strong></span></span>
-</dt>
-<dd>
- <p>
- The <span class="command"><strong>named-checkzone</strong></span> program
- checks a master file for
- syntax and consistency.
- </p>
- <div class="cmdsynopsis"><p>
- <code class="command">named-checkzone</code>
- [-djqvD]
- [-c <em class="replaceable"><code>class</code></em>]
- [-o <em class="replaceable"><code>output</code></em>]
- [-t <em class="replaceable"><code>directory</code></em>]
- [-w <em class="replaceable"><code>directory</code></em>]
- [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>]
- [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>]
- [-W <em class="replaceable"><code>(ignore|warn)</code></em>]
- <em class="replaceable"><code>zone</code></em>
- [<em class="replaceable"><code>filename</code></em>]
- </p></div>
- </dd>
-<dt>
-<a name="named-compilezone"></a><span class="term"><span class="command"><strong>named-compilezone</strong></span></span>
-</dt>
-<dd>
- <p>
- Similar to <span class="command"><strong>named-checkzone,</strong></span> but
- it always dumps the zone content to a specified file
- (typically in a different format).
- </p>
- </dd>
-<dt>
-<a name="rndc"></a><span class="term"><span class="command"><strong>rndc</strong></span></span>
-</dt>
-<dd>
- <p>
- The remote name daemon control
- (<span class="command"><strong>rndc</strong></span>) program allows the
- system
- administrator to control the operation of a name server.
- Since <acronym class="acronym">BIND</acronym> 9.2, <span class="command"><strong>rndc</strong></span>
- supports all the commands of the BIND 8 <span class="command"><strong>ndc</strong></span>
- utility except <span class="command"><strong>ndc start</strong></span> and
- <span class="command"><strong>ndc restart</strong></span>, which were also
- not supported in <span class="command"><strong>ndc</strong></span>'s
- channel mode.
- If you run <span class="command"><strong>rndc</strong></span> without any
- options
- it will display a usage message as follows:
- </p>
- <div class="cmdsynopsis"><p>
- <code class="command">rndc</code>
- [-c <em class="replaceable"><code>config</code></em>]
- [-s <em class="replaceable"><code>server</code></em>]
- [-p <em class="replaceable"><code>port</code></em>]
- [-y <em class="replaceable"><code>key</code></em>]
- <em class="replaceable"><code>command</code></em>
- [<em class="replaceable"><code>command</code></em>...]
- </p></div>
-
- <p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
- the available <span class="command"><strong>rndc</strong></span> commands.
- </p>
-
- <p>
- <span class="command"><strong>rndc</strong></span> requires a configuration file,
- since all
- communication with the server is authenticated with
- digital signatures that rely on a shared secret, and
- there is no way to provide that secret other than with a
- configuration file. The default location for the
- <span class="command"><strong>rndc</strong></span> configuration file is
- <code class="filename">/etc/rndc.conf</code>, but an
- alternate
- location can be specified with the <code class="option">-c</code>
- option. If the configuration file is not found,
- <span class="command"><strong>rndc</strong></span> will also look in
- <code class="filename">/etc/rndc.key</code> (or whatever
- <code class="varname">sysconfdir</code> was defined when
- the <acronym class="acronym">BIND</acronym> build was
- configured).
- The <code class="filename">rndc.key</code> file is
- generated by
- running <span class="command"><strong>rndc-confgen -a</strong></span> as
- described in
- <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and
- Usage”</a>.
- </p>
-
- <p>
- The format of the configuration file is similar to
- that of <code class="filename">named.conf</code>, but
- limited to
- only four statements, the <span class="command"><strong>options</strong></span>,
- <span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span> and
- <span class="command"><strong>include</strong></span>
- statements. These statements are what associate the
- secret keys to the servers with which they are meant to
- be shared. The order of statements is not
- significant.
- </p>
-
- <p>
- The <span class="command"><strong>options</strong></span> statement has
- three clauses:
- <span class="command"><strong>default-server</strong></span>, <span class="command"><strong>default-key</strong></span>,
- and <span class="command"><strong>default-port</strong></span>.
- <span class="command"><strong>default-server</strong></span> takes a
- host name or address argument and represents the server
- that will
- be contacted if no <code class="option">-s</code>
- option is provided on the command line.
- <span class="command"><strong>default-key</strong></span> takes
- the name of a key as its argument, as defined by a <span class="command"><strong>key</strong></span> statement.
- <span class="command"><strong>default-port</strong></span> specifies the
- port to which
- <span class="command"><strong>rndc</strong></span> should connect if no
- port is given on the command line or in a
- <span class="command"><strong>server</strong></span> statement.
- </p>
-
- <p>
- The <span class="command"><strong>key</strong></span> statement defines a
- key to be used
- by <span class="command"><strong>rndc</strong></span> when authenticating
- with
- <span class="command"><strong>named</strong></span>. Its syntax is
- identical to the
- <span class="command"><strong>key</strong></span> statement in <code class="filename">named.conf</code>.
- The keyword <strong class="userinput"><code>key</code></strong> is
- followed by a key name, which must be a valid
- domain name, though it need not actually be hierarchical;
- thus,
- a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
- name.
- The <span class="command"><strong>key</strong></span> statement has two
- clauses:
- <span class="command"><strong>algorithm</strong></span> and <span class="command"><strong>secret</strong></span>.
- While the configuration parser will accept any string as the
- argument
- to algorithm, currently only the strings
- "<strong class="userinput"><code>hmac-md5</code></strong>",
- "<strong class="userinput"><code>hmac-sha1</code></strong>",
- "<strong class="userinput"><code>hmac-sha224</code></strong>",
- "<strong class="userinput"><code>hmac-sha256</code></strong>",
- "<strong class="userinput"><code>hmac-sha384</code></strong>"
- and "<strong class="userinput"><code>hmac-sha512</code></strong>"
- have any meaning. The secret is a base-64 encoded string
- as specified in RFC 3548.
- </p>
-
- <p>
- The <span class="command"><strong>server</strong></span> statement
- associates a key
- defined using the <span class="command"><strong>key</strong></span>
- statement with a server.
- The keyword <strong class="userinput"><code>server</code></strong> is followed by a
- host name or address. The <span class="command"><strong>server</strong></span> statement
- has two clauses: <span class="command"><strong>key</strong></span> and <span class="command"><strong>port</strong></span>.
- The <span class="command"><strong>key</strong></span> clause specifies the
- name of the key
- to be used when communicating with this server, and the
- <span class="command"><strong>port</strong></span> clause can be used to
- specify the port <span class="command"><strong>rndc</strong></span> should
- connect
- to on the server.
- </p>
-
- <p>
- A sample minimal configuration file is as follows:
- </p>
-
-<pre class="programlisting">
-key rndc_key {
- algorithm "hmac-sha256";
- secret
- "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
-};
-options {
- default-server 127.0.0.1;
- default-key rndc_key;
-};
-</pre>
-
- <p>
- This file, if installed as <code class="filename">/etc/rndc.conf</code>,
- would allow the command:
- </p>
-
- <p>
- <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
- </p>
-
- <p>
- to connect to 127.0.0.1 port 953 and cause the name server
- to reload, if a name server on the local machine were
- running with
- following controls statements:
- </p>
-
-<pre class="programlisting">
-controls {
- inet 127.0.0.1
- allow { localhost; } keys { rndc_key; };
-};
-</pre>
-
- <p>
- and it had an identical key statement for
- <code class="literal">rndc_key</code>.
- </p>
-
- <p>
- Running the <span class="command"><strong>rndc-confgen</strong></span>
- program will
- conveniently create a <code class="filename">rndc.conf</code>
- file for you, and also display the
- corresponding <span class="command"><strong>controls</strong></span>
- statement that you need to
- add to <code class="filename">named.conf</code>.
- Alternatively,
- you can run <span class="command"><strong>rndc-confgen -a</strong></span>
- to set up
- a <code class="filename">rndc.key</code> file and not
- modify
- <code class="filename">named.conf</code> at all.
- </p>
-
- </dd>
-</dl></div>
-
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="signals"></a>Signals</h3></div></div></div>
- <p>
- Certain UNIX signals cause the name server to take specific
- actions, as described in the following table. These signals can
- be sent using the <span class="command"><strong>kill</strong></span> command.
- </p>
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.125in" class="1">
-<col width="4.000in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span class="command"><strong>SIGHUP</strong></span></p>
- </td>
-<td>
- <p>
- Causes the server to read <code class="filename">named.conf</code> and
- reload the database.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>SIGTERM</strong></span></p>
- </td>
-<td>
- <p>
- Causes the server to clean up and exit.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>SIGINT</strong></span></p>
- </td>
-<td>
- <p>
- Causes the server to clean up and exit.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- </div>
- </div>
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 4. Advanced DNS Features</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 4. Advanced DNS Features</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
-<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.3">Converting from insecure to secure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.16">Fully automatic zone signing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.25">Private-type records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.32">DNSKEY rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.39">Automatic key rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.47">Converting from secure to insecure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.51">Periodic re-signing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.53">NSEC3 and OPTOUT</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">Prerequisites</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Native PKCS#11</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">OpenSSL-based PKCS#11</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">PKCS#11 Tools</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.10">Using the HSM</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.11">Specifying the engine on the command line</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.12">Running named with automatic zone re-signing</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Configuring DLZ</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Sample DLZ Driver</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#catz-info">Catalog Zones</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.4">Principle of Operation</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.5">Configuring Catalog Zones</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Catalog Zone format</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.6">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address to Name Lookups Using Nibble Format</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="notify"></a>Notify</h2></div></div></div>
- <p>
- <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
- servers to notify their slave servers of changes to a zone's data. In
- response to a <span class="command"><strong>NOTIFY</strong></span> from a master server, the
- slave will check to see that its version of the zone is the
- current version and, if not, initiate a zone transfer.
- </p>
-
- <p>
- For more information about <acronym class="acronym">DNS</acronym>
- <span class="command"><strong>NOTIFY</strong></span>, see the description of the
- <span class="command"><strong>notify</strong></span> option in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a> and
- the description of the zone option <span class="command"><strong>also-notify</strong></span> in
- <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. The <span class="command"><strong>NOTIFY</strong></span>
- protocol is specified in RFC 1996.
- </p>
-
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- As a slave zone can also be a master to other slaves, <span class="command"><strong>named</strong></span>,
- by default, sends <span class="command"><strong>NOTIFY</strong></span> messages for every zone
- it loads. Specifying <span class="command"><strong>notify master-only;</strong></span> will
- cause <span class="command"><strong>named</strong></span> to only send <span class="command"><strong>NOTIFY</strong></span> for master
- zones that it loads.
- </p>
-</div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
-
- <p>
- Dynamic Update is a method for adding, replacing or deleting
- records in a master server by sending it a special form of DNS
- messages. The format and meaning of these messages is specified
- in RFC 2136.
- </p>
-
- <p>
- Dynamic update is enabled by including an
- <span class="command"><strong>allow-update</strong></span> or an <span class="command"><strong>update-policy</strong></span>
- clause in the <span class="command"><strong>zone</strong></span> statement.
- </p>
-
- <p>
- If the zone's <span class="command"><strong>update-policy</strong></span> is set to
- <strong class="userinput"><code>local</code></strong>, updates to the zone
- will be permitted for the key <code class="varname">local-ddns</code>,
- which will be generated by <span class="command"><strong>named</strong></span> at startup.
- See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for more details.
- </p>
-
- <p>
- Dynamic updates using Kerberos signed requests can be made
- using the TKEY/GSS protocol by setting either the
- <span class="command"><strong>tkey-gssapi-keytab</strong></span> option, or alternatively
- by setting both the <span class="command"><strong>tkey-gssapi-credential</strong></span>
- and <span class="command"><strong>tkey-domain</strong></span> options. Once enabled,
- Kerberos signed requests will be matched against the update
- policies for the zone, using the Kerberos principal as the
- signer for the request.
- </p>
-
- <p>
- Updating of secure zones (zones using DNSSEC) follows RFC
- 3007: RRSIG, NSEC and NSEC3 records affected by updates are
- automatically regenerated by the server using an online
- zone key. Update authorization is based on transaction
- signatures and an explicit server policy.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="journal"></a>The journal file</h3></div></div></div>
-
- <p>
- All changes made to a zone using dynamic update are stored
- in the zone's journal file. This file is automatically created
- by the server when the first dynamic update takes place.
- The name of the journal file is formed by appending the extension
- <code class="filename">.jnl</code> to the name of the
- corresponding zone
- file unless specifically overridden. The journal file is in a
- binary format and should not be edited manually.
- </p>
-
- <p>
- The server will also occasionally write ("dump")
- the complete contents of the updated zone to its zone file.
- This is not done immediately after
- each dynamic update, because that would be too slow when a large
- zone is updated frequently. Instead, the dump is delayed by
- up to 15 minutes, allowing additional updates to take place.
- During the dump process, transient files will be created
- with the extensions <code class="filename">.jnw</code> and
- <code class="filename">.jbk</code>; under ordinary circumstances, these
- will be removed when the dump is complete, and can be safely
- ignored.
- </p>
-
- <p>
- When a server is restarted after a shutdown or crash, it will replay
- the journal file to incorporate into the zone any updates that
- took
- place after the last zone dump.
- </p>
-
- <p>
- Changes that result from incoming incremental zone transfers are
- also
- journaled in a similar way.
- </p>
-
- <p>
- The zone files of dynamic zones cannot normally be edited by
- hand because they are not guaranteed to contain the most recent
- dynamic changes — those are only in the journal file.
- The only way to ensure that the zone file of a dynamic zone
- is up to date is to run <span class="command"><strong>rndc stop</strong></span>.
- </p>
-
- <p>
- If you have to make changes to a dynamic zone
- manually, the following procedure will work:
- Disable dynamic updates to the zone using
- <span class="command"><strong>rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
- This will update the zone's master file with the changes
- stored in its <code class="filename">.jnl</code> file.
- Edit the zone file. Run
- <span class="command"><strong>rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
- to reload the changed zone and re-enable dynamic updates.
- </p>
-
- <p>
- <span class="command"><strong>rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
- will update the zone file with changes from the journal file
- without stopping dynamic updates; this may be useful for viewing
- the current zone state. To remove the <code class="filename">.jnl</code>
- file after updating the zone file, use
- <span class="command"><strong>rndc sync -clean</strong></span>.
- </p>
-
- </div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
-
- <p>
- The incremental zone transfer (IXFR) protocol is a way for
- slave servers to transfer only changed data, instead of having to
- transfer the entire zone. The IXFR protocol is specified in RFC
- 1995. See <a class="xref" href="Bv9ARM.ch11.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
- </p>
-
- <p>
- When acting as a master, <acronym class="acronym">BIND</acronym> 9
- supports IXFR for those zones
- where the necessary change history information is available. These
- include master zones maintained by dynamic update and slave zones
- whose data was obtained by IXFR. For manually maintained master
- zones, and for slave zones obtained by performing a full zone
- transfer (AXFR), IXFR is supported only if the option
- <span class="command"><strong>ixfr-from-differences</strong></span> is set
- to <strong class="userinput"><code>yes</code></strong>.
- </p>
-
- <p>
- When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
- attempt to use IXFR unless
- it is explicitly disabled. For more information about disabling
- IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause
- of the <span class="command"><strong>server</strong></span> statement.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="split_dns"></a>Split DNS</h2></div></div></div>
-
- <p>
- Setting up different views, or visibility, of the DNS space to
- internal and external resolvers is usually referred to as a
- <span class="emphasis"><em>Split DNS</em></span> setup. There are several
- reasons an organization would want to set up its DNS this way.
- </p>
- <p>
- One common reason for setting up a DNS system this way is
- to hide "internal" DNS information from "external" clients on the
- Internet. There is some debate as to whether or not this is actually
- useful.
- Internal DNS information leaks out in many ways (via email headers,
- for example) and most savvy "attackers" can find the information
- they need using other means.
- However, since listing addresses of internal servers that
- external clients cannot possibly reach can result in
- connection delays and other annoyances, an organization may
- choose to use a Split DNS to present a consistent view of itself
- to the outside world.
- </p>
- <p>
- Another common reason for setting up a Split DNS system is
- to allow internal networks that are behind filters or in RFC 1918
- space (reserved IP space, as documented in RFC 1918) to resolve DNS
- on the Internet. Split DNS can also be used to allow mail from outside
- back in to the internal network.
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="split_dns_sample"></a>Example split DNS setup</h3></div></div></div>
- <p>
- Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
- (<code class="literal">example.com</code>)
- has several corporate sites that have an internal network with
- reserved
- Internet Protocol (IP) space and an external demilitarized zone (DMZ),
- or "outside" section of a network, that is available to the public.
- </p>
- <p>
- <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
- to be able to resolve external hostnames and to exchange mail with
- people on the outside. The company also wants its internal resolvers
- to have access to certain internal-only zones that are not available
- at all outside of the internal network.
- </p>
- <p>
- In order to accomplish this, the company will set up two sets
- of name servers. One set will be on the inside network (in the
- reserved
- IP space) and the other set will be on bastion hosts, which are
- "proxy"
- hosts that can talk to both sides of its network, in the DMZ.
- </p>
- <p>
- The internal servers will be configured to forward all queries,
- except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
- and <code class="filename">site2.example.com</code>, to the servers
- in the
- DMZ. These internal servers will have complete sets of information
- for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
- and <code class="filename">site2.internal</code>.
- </p>
- <p>
- To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
- the internal name servers must be configured to disallow all queries
- to these domains from any external hosts, including the bastion
- hosts.
- </p>
- <p>
- The external servers, which are on the bastion hosts, will
- be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
- This could include things such as the host records for public servers
- (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
- and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
- </p>
- <p>
- In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
- should have special MX records that contain wildcard (`*') records
- pointing to the bastion hosts. This is needed because external mail
- servers do not have any other way of looking up how to deliver mail
- to those internal hosts. With the wildcard records, the mail will
- be delivered to the bastion host, which can then forward it on to
- internal hosts.
- </p>
- <p>
- Here's an example of a wildcard MX record:
- </p>
- <pre class="programlisting">* IN MX 10 external1.example.com.</pre>
- <p>
- Now that they accept mail on behalf of anything in the internal
- network, the bastion hosts will need to know how to deliver mail
- to internal hosts. In order for this to work properly, the resolvers
- on
- the bastion hosts will need to be configured to point to the internal
- name servers for DNS resolution.
- </p>
- <p>
- Queries for internal hostnames will be answered by the internal
- servers, and queries for external hostnames will be forwarded back
- out to the DNS servers on the bastion hosts.
- </p>
- <p>
- In order for all this to work properly, internal clients will
- need to be configured to query <span class="emphasis"><em>only</em></span> the internal
- name servers for DNS queries. This could also be enforced via
- selective
- filtering on the network.
- </p>
- <p>
- If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
- internal clients will now be able to:
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-
- Look up any hostnames in the <code class="literal">site1</code>
- and
- <code class="literal">site2.example.com</code> zones.
-
- </li>
-<li class="listitem">
-
- Look up any hostnames in the <code class="literal">site1.internal</code> and
- <code class="literal">site2.internal</code> domains.
-
- </li>
-<li class="listitem">
- Look up any hostnames on the Internet.
- </li>
-<li class="listitem">
- Exchange mail with both internal and external people.
- </li>
-</ul></div>
- <p>
- Hosts on the Internet will be able to:
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-
- Look up any hostnames in the <code class="literal">site1</code>
- and
- <code class="literal">site2.example.com</code> zones.
-
- </li>
-<li class="listitem">
-
- Exchange mail with anyone in the <code class="literal">site1</code> and
- <code class="literal">site2.example.com</code> zones.
-
- </li>
-</ul></div>
-
- <p>
- Here is an example configuration for the setup we just
- described above. Note that this is only configuration information;
- for information on how to configure your zone files, see <a class="xref" href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called “Sample Configurations”</a>.
- </p>
-
- <p>
- Internal DNS server config:
- </p>
-
-<pre class="programlisting">
-
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { <code class="varname">bastion-ips-go-here</code>; };
-
-options {
- ...
- ...
- forward only;
- // forward to external servers
- forwarders {
- <code class="varname">bastion-ips-go-here</code>;
- };
- // sample allow-transfer (no one)
- allow-transfer { none; };
- // restrict query access
- allow-query { internals; externals; };
- // restrict recursion
- allow-recursion { internals; };
- ...
- ...
-};
-
-// sample master zone
-zone "site1.example.com" {
- type master;
- file "m/site1.example.com";
- // do normal iterative resolution (do not forward)
- forwarders { };
- allow-query { internals; externals; };
- allow-transfer { internals; };
-};
-
-// sample slave zone
-zone "site2.example.com" {
- type slave;
- file "s/site2.example.com";
- masters { 172.16.72.3; };
- forwarders { };
- allow-query { internals; externals; };
- allow-transfer { internals; };
-};
-
-zone "site1.internal" {
- type master;
- file "m/site1.internal";
- forwarders { };
- allow-query { internals; };
- allow-transfer { internals; }
-};
-
-zone "site2.internal" {
- type slave;
- file "s/site2.internal";
- masters { 172.16.72.3; };
- forwarders { };
- allow-query { internals };
- allow-transfer { internals; }
-};
-</pre>
-
- <p>
- External (bastion host) DNS server config:
- </p>
-
-<pre class="programlisting">
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { bastion-ips-go-here; };
-
-options {
- ...
- ...
- // sample allow-transfer (no one)
- allow-transfer { none; };
- // default query access
- allow-query { any; };
- // restrict cache access
- allow-query-cache { internals; externals; };
- // restrict recursion
- allow-recursion { internals; externals; };
- ...
- ...
-};
-
-// sample slave zone
-zone "site1.example.com" {
- type master;
- file "m/site1.foo.com";
- allow-transfer { internals; externals; };
-};
-
-zone "site2.example.com" {
- type slave;
- file "s/site2.foo.com";
- masters { another_bastion_host_maybe; };
- allow-transfer { internals; externals; }
-};
-</pre>
-
- <p>
- In the <code class="filename">resolv.conf</code> (or equivalent) on
- the bastion host(s):
- </p>
-
-<pre class="programlisting">
-search ...
-nameserver 172.16.72.2
-nameserver 172.16.72.3
-nameserver 172.16.72.4
-</pre>
-
- </div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="tsig"></a>TSIG</h2></div></div></div>
-
- <p>
- TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
- messages, originally specified in RFC 2845. It allows DNS messages
- to be cryptographically signed using a shared secret. TSIG can
- be used in any DNS transaction, as a way to restrict access to
- certain server functions (e.g., recursive queries) to authorized
- clients when IP-based access control is insufficient or needs to
- be overridden, or as a way to ensure message authenticity when it
- is critical to the integrity of the server, such as with dynamic
- UPDATE messages or zone transfers from a master to a slave server.
- </p>
- <p>
- This is a guide to setting up TSIG in <acronym class="acronym">BIND</acronym>.
- It describes the configuration syntax and the process of creating
- TSIG keys.
- </p>
- <p>
- <span class="command"><strong>named</strong></span> supports TSIG for server-to-server
- communication, and some of the tools included with
- <acronym class="acronym">BIND</acronym> support it for sending messages to
- <span class="command"><strong>named</strong></span>:
- </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <a class="xref" href="man.nsupdate.html" title="nsupdate"><span class="refentrytitle"><span class="application">nsupdate</span></span>(1)</a> supports TSIG via the
- <code class="option">-k</code>, <code class="option">-l</code> and
- <code class="option">-y</code> command line options, or via
- the <span class="command"><strong>key</strong></span> command when running
- interactively.
- </li>
-<li class="listitem">
- <a class="xref" href="man.dig.html" title="dig"><span class="refentrytitle">dig</span>(1)</a> supports TSIG via the
- <code class="option">-k</code> and <code class="option">-y</code> command
- line options.
- </li>
-</ul></div>
-<p>
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.6.5"></a>Generating a Shared Key</h3></div></div></div>
- <p>
- TSIG keys can be generated using the <span class="command"><strong>tsig-keygen</strong></span>
- command; the output of the command is a <span class="command"><strong>key</strong></span> directive
- suitable for inclusion in <code class="filename">named.conf</code>. The
- key name, algorithm and size can be specified by command line parameters;
- the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.
- </p>
- <p>
- Any string which is a valid DNS name can be used as a key name.
- For example, a key to be shared between servers called
- <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span> could
- be called "host1-host2.", and this key could be generated using:
- </p>
-<pre class="programlisting">
- $ tsig-keygen host1-host2. > host1-host2.key
-</pre>
- <p>
- This key may then be copied to both hosts. The key name and secret
- must be identical on both hosts.
- (Note: copying a shared secret from one server to another is beyond
- the scope of the DNS. A secure transport mechanism should be used:
- secure FTP, SSL, ssh, telephone, encrypted email, etc.)
- </p>
- <p>
- <span class="command"><strong>tsig-keygen</strong></span> can also be run as
- <span class="command"><strong>ddns-confgen</strong></span>, in which case its output includes
- additional configuration text for setting up dynamic DNS in
- <span class="command"><strong>named</strong></span>. See <a class="xref" href="man.ddns-confgen.html" title="ddns-confgen"><span class="refentrytitle"><span class="application">ddns-confgen</span></span>(8)</a>
- for details.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.6.6"></a>Loading A New Key</h3></div></div></div>
- <p>
- For a key shared between servers called
- <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>,
- the following could be added to each server's
- <code class="filename">named.conf</code> file:
- </p>
-<pre class="programlisting">
-key "host1-host2." {
- algorithm hmac-sha256;
- secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
-};
-</pre>
- <p>
- (This is the same key generated above using
- <span class="command"><strong>tsig-keygen</strong></span>.)
- </p>
- <p>
- Since this text contains a secret, it
- is recommended that either <code class="filename">named.conf</code> not be
- world-readable, or that the <span class="command"><strong>key</strong></span> directive
- be stored in a file which is not world-readable, and which is
- included in <code class="filename">named.conf</code> via the
- <span class="command"><strong>include</strong></span> directive.
- </p>
- <p>
- Once a key has been added to <code class="filename">named.conf</code> and the
- server has been restarted or reconfigured, the server can recognize
- the key. If the server receives a message signed by the
- key, it will be able to verify the signature. If the signature
- is valid, the response will be signed using the same key.
- </p>
- <p>
- TSIG keys that are known to a server can be listed using the
- command <span class="command"><strong>rndc tsig-list</strong></span>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.6.7"></a>Instructing the Server to Use a Key</h3></div></div></div>
- <p>
- A server sending a request to another server must be told whether
- to use a key, and if so, which key to use.
- </p>
- <p>
- For example, a key may be specified for each server in the
- <span class="command"><strong>masters</strong></span> statement in the definition of a
- slave zone; in this case, all SOA QUERY messages, NOTIFY
- messages, and zone transfer requests (AXFR or IXFR) will be
- signed using the specified key. Keys may also be specified
- in the <span class="command"><strong>also-notify</strong></span> statement of a master
- or slave zone, causing NOTIFY messages to be signed using
- the specified key.
- </p>
- <p>
- Keys can also be specified in a <span class="command"><strong>server</strong></span>
- directive. Adding the following on <span class="emphasis"><em>host1</em></span>,
- if the IP address of <span class="emphasis"><em>host2</em></span> is 10.1.2.3, would
- cause <span class="emphasis"><em>all</em></span> requests from <span class="emphasis"><em>host1</em></span>
- to <span class="emphasis"><em>host2</em></span>, including normal DNS queries, to be
- signed using the <span class="command"><strong>host1-host2.</strong></span> key:
- </p>
-<pre class="programlisting">
-server 10.1.2.3 {
- keys { host1-host2. ;};
-};
-</pre>
- <p>
- Multiple keys may be present in the <span class="command"><strong>keys</strong></span>
- statement, but only the first one is used. As this directive does
- not contain secrets, it can be used in a world-readable file.
- </p>
- <p>
- Requests sent by <span class="emphasis"><em>host2</em></span> to <span class="emphasis"><em>host1</em></span>
- would <span class="emphasis"><em>not</em></span> be signed, unless a similar
- <span class="command"><strong>server</strong></span> directive were in <span class="emphasis"><em>host2</em></span>'s
- configuration file.
- </p>
- <p>
- Whenever any server sends a TSIG-signed DNS request, it will expect
- the response to be signed with the same key. If a response is not
- signed, or if the signature is not valid, the response will be
- rejected.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.6.8"></a>TSIG-Based Access Control</h3></div></div></div>
- <p>
- TSIG keys may be specified in ACL definitions and ACL directives
- such as <span class="command"><strong>allow-query</strong></span>, <span class="command"><strong>allow-transfer</strong></span>
- and <span class="command"><strong>allow-update</strong></span>.
- The above key would be denoted in an ACL element as
- <span class="command"><strong>key host1-host2.</strong></span>
- </p>
- <p>
- An example of an <span class="command"><strong>allow-update</strong></span> directive using
- a TSIG key:
- </p>
-<pre class="programlisting">
-allow-update { !{ !localnets; any; }; key host1-host2. ;};
-</pre>
- <p>
- This allows dynamic updates to succeed only if the UPDATE
- request comes from an address in <span class="command"><strong>localnets</strong></span>,
- <span class="emphasis"><em>and</em></span> if it is signed using the
- <span class="command"><strong>host1-host2.</strong></span> key.
- </p>
- <p>
- See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for a discussion of
- the more flexible <span class="command"><strong>update-policy</strong></span> statement.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.6.9"></a>Errors</h3></div></div></div>
- <p>
- Processing of TSIG-signed messages can result in several errors:
- </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- If a TSIG-aware server receives a message signed by an
- unknown key, the response will be unsigned, with the TSIG
- extended error code set to BADKEY.
- </li>
-<li class="listitem">
- If a TSIG-aware server receives a message from a known key
- but with an invalid signature, the response will be unsigned,
- with the TSIG extended error code set to BADSIG.
- </li>
-<li class="listitem">
- If a TSIG-aware server receives a message with a time
- outside of the allowed range, the response will be signed, with
- the TSIG extended error code set to BADTIME, and the time values
- will be adjusted so that the response can be successfully
- verified.
- </li>
-</ul></div>
-<p>
- In all of the above cases, the server will return a response code
- of NOTAUTH (not authenticated).
- </p>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="tkey"></a>TKEY</h2></div></div></div>
-
- <p>
- TKEY (Transaction KEY) is a mechanism for automatically negotiating
- a shared secret between two hosts, originally specified in RFC 2930.
- </p>
- <p>
- There are several TKEY "modes" that specify how a key is to be
- generated or assigned. <acronym class="acronym">BIND</acronym> 9 implements only
- one of these modes: Diffie-Hellman key exchange. Both hosts are
- required to have a KEY record with algorithm DH (though this
- record is not required to be present in a zone).
- </p>
- <p>
- The TKEY process is initiated by a client or server by sending
- a query of type TKEY to a TKEY-aware server. The query must include
- an appropriate KEY record in the additional section, and
- must be signed using either TSIG or SIG(0) with a previously
- established key. The server's response, if successful, will
- contain a TKEY record in its answer section. After this transaction,
- both participants will have enough information to calculate a
- shared secret using Diffie-Hellman key exchange. The shared secret
- can then be used by to sign subsequent transactions between the
- two servers.
- </p>
- <p>
- TSIG keys known by the server, including TKEY-negotiated keys, can
- be listed using <span class="command"><strong>rndc tsig-list</strong></span>.
- </p>
- <p>
- TKEY-negotiated keys can be deleted from a server using
- <span class="command"><strong>rndc tsig-delete</strong></span>. This can also be done via
- the TKEY protocol itself, by sending an authenticated TKEY query
- specifying the "key deletion" mode.
- </p>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="sig0"></a>SIG(0)</h2></div></div></div>
-
- <p>
- <acronym class="acronym">BIND</acronym> partially supports DNSSEC SIG(0)
- transaction signatures as specified in RFC 2535 and RFC 2931.
- SIG(0) uses public/private keys to authenticate messages. Access control
- is performed in the same manner as TSIG keys; privileges can be
- granted or denied in ACL directives based on the key name.
- </p>
- <p>
- When a SIG(0) signed message is received, it will only be
- verified if the key is known and trusted by the server. The
- server will not attempt to recursively fetch or validate the
- key.
- </p>
- <p>
- SIG(0) signing of multiple-message TCP streams is not supported.
- </p>
- <p>
- The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
- generates SIG(0) signed messages is <span class="command"><strong>nsupdate</strong></span>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
- <p>
- Cryptographic authentication of DNS information is possible
- through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
- defined in RFC 4033, RFC 4034, and RFC 4035.
- This section describes the creation and use of DNSSEC signed zones.
- </p>
-
- <p>
- In order to set up a DNSSEC secure zone, there are a series
- of steps which must be followed. <acronym class="acronym">BIND</acronym>
- 9 ships
- with several tools
- that are used in this process, which are explained in more detail
- below. In all cases, the <code class="option">-h</code> option prints a
- full list of parameters. Note that the DNSSEC tools require the
- keyset files to be in the working directory or the
- directory specified by the <code class="option">-d</code> option, and
- that the tools shipped with BIND 9.2.x and earlier are not compatible
- with the current ones.
- </p>
-
- <p>
- There must also be communication with the administrators of
- the parent and/or child zone to transmit keys. A zone's security
- status must be indicated by the parent zone for a DNSSEC capable
- resolver to trust its data. This is done through the presence
- or absence of a <code class="literal">DS</code> record at the
- delegation
- point.
- </p>
-
- <p>
- For other servers to trust data in this zone, they must
- either be statically configured with this zone's zone key or the
- zone key of another zone above this one in the DNS tree.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
- generate keys.
- </p>
-
- <p>
- A secure zone must contain one or more zone keys. The
- zone keys will sign all other records in the zone, as well as
- the zone keys of any secure delegated zones. Zone keys must
- have the same name as the zone, a name type of
- <span class="command"><strong>ZONE</strong></span>, and must be usable for
- authentication.
- It is recommended that zone keys use a cryptographic algorithm
- designated as "mandatory to implement" by the IETF; currently
- the only one is RSASHA1.
- </p>
-
- <p>
- The following command will generate a 768-bit RSASHA1 key for
- the <code class="filename">child.example</code> zone:
- </p>
-
- <p>
- <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
- </p>
-
- <p>
- Two output files will be produced:
- <code class="filename">Kchild.example.+005+12345.key</code> and
- <code class="filename">Kchild.example.+005+12345.private</code>
- (where
- 12345 is an example of a key tag). The key filenames contain
- the key name (<code class="filename">child.example.</code>),
- algorithm (3
- is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
- this case).
- The private key (in the <code class="filename">.private</code>
- file) is
- used to generate signatures, and the public key (in the
- <code class="filename">.key</code> file) is used for signature
- verification.
- </p>
-
- <p>
- To generate another key with the same properties (but with
- a different key tag), repeat the above command.
- </p>
-
- <p>
- The <span class="command"><strong>dnssec-keyfromlabel</strong></span> program is used
- to get a key pair from a crypto hardware and build the key
- files. Its usage is similar to <span class="command"><strong>dnssec-keygen</strong></span>.
- </p>
-
- <p>
- The public keys should be inserted into the zone file by
- including the <code class="filename">.key</code> files using
- <span class="command"><strong>$INCLUDE</strong></span> statements.
- </p>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec_signing"></a>Signing the Zone</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>dnssec-signzone</strong></span> program is used
- to sign a zone.
- </p>
-
- <p>
- Any <code class="filename">keyset</code> files corresponding to
- secure sub-zones should be present. The zone signer will
- generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
- and <code class="literal">RRSIG</code> records for the zone, as
- well as <code class="literal">DS</code> for the child zones if
- <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
- is not specified, then DS RRsets for the secure child
- zones need to be added manually.
- </p>
-
- <p>
- The following command signs the zone, assuming it is in a
- file called <code class="filename">zone.child.example</code>. By
- default, all zone keys which have an available private key are
- used to generate signatures.
- </p>
-
- <p>
- <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
- </p>
-
- <p>
- One output file is produced:
- <code class="filename">zone.child.example.signed</code>. This
- file
- should be referenced by <code class="filename">named.conf</code>
- as the
- input file for the zone.
- </p>
-
- <p><span class="command"><strong>dnssec-signzone</strong></span>
- will also produce a keyset and dsset files and optionally a
- dlvset file. These are used to provide the parent zone
- administrators with the <code class="literal">DNSKEYs</code> (or their
- corresponding <code class="literal">DS</code> records) that are the
- secure entry point to the zone.
- </p>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec_config"></a>Configuring Servers</h3></div></div></div>
-
- <p>
- To enable <span class="command"><strong>named</strong></span> to respond appropriately
- to DNS requests from DNSSEC aware clients,
- <span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
- (This is the default setting.)
- </p>
-
- <p>
- To enable <span class="command"><strong>named</strong></span> to validate answers from
- other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
- must be set to <strong class="userinput"><code>yes</code></strong>, and the
- <span class="command"><strong>dnssec-validation</strong></span> options must be set to
- <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
- </p>
-
- <p>
- If <span class="command"><strong>dnssec-validation</strong></span> is set to
- <strong class="userinput"><code>auto</code></strong>, then a default
- trust anchor for the DNS root zone will be used.
- If it is set to <strong class="userinput"><code>yes</code></strong>, however,
- then at least one trust anchor must be configured
- with a <span class="command"><strong>trusted-keys</strong></span> or
- <span class="command"><strong>managed-keys</strong></span> statement in
- <code class="filename">named.conf</code>, or DNSSEC validation
- will not occur. The default setting is
- <strong class="userinput"><code>yes</code></strong>.
- </p>
-
- <p>
- <span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
- for zones that are used to form the first link in the
- cryptographic chain of trust. All keys listed in
- <span class="command"><strong>trusted-keys</strong></span> (and corresponding zones)
- are deemed to exist and only the listed keys will be used
- to validated the DNSKEY RRset that they are from.
- </p>
-
- <p>
- <span class="command"><strong>managed-keys</strong></span> are trusted keys which are
- automatically kept up to date via RFC 5011 trust anchor
- maintenance.
- </p>
-
- <p>
- <span class="command"><strong>trusted-keys</strong></span> and
- <span class="command"><strong>managed-keys</strong></span> are described in more detail
- later in this document.
- </p>
-
- <p>
- Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
- 9 does not verify signatures on load, so zone keys for
- authoritative zones do not need to be specified in the
- configuration file.
- </p>
-
- <p>
- After DNSSEC gets established, a typical DNSSEC configuration
- will look something like the following. It has one or
- more public keys for the root. This allows answers from
- outside the organization to be validated. It will also
- have several keys for parts of the namespace the organization
- controls. These are here to ensure that <span class="command"><strong>named</strong></span>
- is immune to compromises in the DNSSEC components of the security
- of parent zones.
- </p>
-
-<pre class="programlisting">
-managed-keys {
- /* Root Key */
- "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
- JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
- aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
- 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
- hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
- 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
- g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
- 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
- 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
- dgxbcDTClU0CRBdiieyLMNzXG3";
-};
-
-trusted-keys {
- /* Key for our organization's forward zone */
- example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
- 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
- GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
- 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
- kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
- g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
- TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
- FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
- F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
- /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
- 1OTQ09A0=";
-
- /* Key for our reverse zone. */
- 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
- xOdNax071L18QqZnQQQAVVr+i
- LhGTnNGp3HoWQLUIzKrJVZ3zg
- gy3WwNT6kZo6c0tszYqbtvchm
- gQC8CzKojM/W16i6MG/eafGU3
- siaOdS0yOI6BgPsw+YZdzlYMa
- IJGf4M4dyoKIhzdZyQ2bYQrjy
- Q4LB0lC7aOnsMyYKHHYeRvPxj
- IQXmdqgOJGq+vsevG06zW+1xg
- YJh9rCIfnm1GX/KMgxLPG2vXT
- D/RnLX+D3T3UL7HJYHJhAZD5L
- 59VvjSPsZJHeDCUyWYrvPZesZ
- DIRvhDD52SKvbheeTJUm6Ehkz
- ytNN2SN96QRk8j/iI8ib";
-};
-
-options {
- ...
- dnssec-enable yes;
- dnssec-validation yes;
-};
-</pre>
-
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- None of the keys listed in this example are valid. In particular,
- the root key is not valid.
- </p>
-</div>
-
- <p>
- When DNSSEC validation is enabled and properly configured,
- the resolver will reject any answers from signed, secure zones
- which fail to validate, and will return SERVFAIL to the client.
- </p>
-
- <p>
- Responses may fail to validate for any of several reasons,
- including missing, expired, or invalid signatures, a key which
- does not match the DS RRset in the parent zone, or an insecure
- response from a zone which, according to its parent, should have
- been secure.
- </p>
-
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- When the validator receives a response from an unsigned zone
- that has a signed parent, it must confirm with the parent
- that the zone was intentionally left unsigned. It does
- this by verifying, via signed and validated NSEC/NSEC3 records,
- that the parent zone contains no DS records for the child.
- </p>
- <p>
- If the validator <span class="emphasis"><em>can</em></span> prove that the zone
- is insecure, then the response is accepted. However, if it
- cannot, then it must assume an insecure response to be a
- forgery; it rejects the response and logs an error.
- </p>
- <p>
- The logged error reads "insecurity proof failed" and
- "got insecure response; parent indicates it should be secure".
- (Prior to BIND 9.7, the logged error was "not insecure".
- This referred to the zone, not the response.)
- </p>
- </div>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
-
- <p>As of BIND 9.7.0 it is possible to change a dynamic zone
- from insecure to signed and back again. A secure zone can use
- either NSEC or NSEC3 chains.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.3"></a>Converting from insecure to secure</h3></div></div></div>
-
- </div>
- <p>Changing a zone from insecure to secure can be done in two
- ways: using a dynamic DNS update, or the
- <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
- <p>For either method, you need to configure
- <span class="command"><strong>named</strong></span> so that it can see the
- <code class="filename">K*</code> files which contain the public and private
- parts of the keys that will be used to sign the zone. These files
- will have been generated by
- <span class="command"><strong>dnssec-keygen</strong></span>. You can do this by placing them
- in the key-directory, as specified in
- <code class="filename">named.conf</code>:</p>
- <pre class="programlisting">
- zone example.net {
- type master;
- update-policy local;
- file "dynamic/example.net/example.net";
- key-directory "dynamic/example.net";
- };
-</pre>
- <p>If one KSK and one ZSK DNSKEY key have been generated, this
- configuration will cause all records in the zone to be signed
- with the ZSK, and the DNSKEY RRset to be signed with the KSK as
- well. An NSEC chain will be generated as part of the initial
- signing process.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.8"></a>Dynamic DNS update method</h3></div></div></div>
-
- </div>
- <p>To insert the keys via dynamic update:</p>
- <pre class="screen">
- % nsupdate
- > ttl 3600
- > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
- > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
- > send
-</pre>
- <p>While the update request will complete almost immediately,
- the zone will not be completely signed until
- <span class="command"><strong>named</strong></span> has had time to walk the zone and
- generate the NSEC and RRSIG records. The NSEC record at the apex
- will be added last, to signal that there is a complete NSEC
- chain.</p>
- <p>If you wish to sign using NSEC3 instead of NSEC, you should
- add an NSEC3PARAM record to the initial update request. If you
- wish the NSEC3 chain to have the OPTOUT bit set, set it in the
- flags field of the NSEC3PARAM record.</p>
- <pre class="screen">
- % nsupdate
- > ttl 3600
- > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
- > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
- > update add example.net NSEC3PARAM 1 1 100 1234567890
- > send
-</pre>
- <p>Again, this update request will complete almost
- immediately; however, the record won't show up until
- <span class="command"><strong>named</strong></span> has had a chance to build/remove the
- relevant chain. A private type record will be created to record
- the state of the operation (see below for more details), and will
- be removed once the operation completes.</p>
- <p>While the initial signing and NSEC/NSEC3 chain generation
- is happening, other updates are possible as well.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.16"></a>Fully automatic zone signing</h3></div></div></div>
-
- </div>
- <p>To enable automatic signing, add the
- <span class="command"><strong>auto-dnssec</strong></span> option to the zone statement in
- <code class="filename">named.conf</code>.
- <span class="command"><strong>auto-dnssec</strong></span> has two possible arguments:
- <code class="constant">allow</code> or
- <code class="constant">maintain</code>.</p>
- <p>With
- <span class="command"><strong>auto-dnssec allow</strong></span>,
- <span class="command"><strong>named</strong></span> can search the key directory for keys
- matching the zone, insert them into the zone, and use them to
- sign the zone. It will do so only when it receives an
- <span class="command"><strong>rndc sign <zonename></strong></span>.</p>
- <p>
-
- <span class="command"><strong>auto-dnssec maintain</strong></span> includes the above
- functionality, but will also automatically adjust the zone's
- DNSKEY records on schedule according to the keys' timing metadata.
- (See <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
- <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
- </p>
- <p>
- <span class="command"><strong>named</strong></span> will periodically search the key directory
- for keys matching the zone, and if the keys' metadata indicates
- that any change should be made the zone, such as adding, removing,
- or revoking a key, then that action will be carried out. By default,
- the key directory is checked for changes every 60 minutes; this period
- can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
- to a maximum of 24 hours. The <span class="command"><strong>rndc loadkeys</strong></span> forces
- <span class="command"><strong>named</strong></span> to check for key updates immediately.
- </p>
- <p>
- If keys are present in the key directory the first time the zone
- is loaded, the zone will be signed immediately, without waiting for an
- <span class="command"><strong>rndc sign</strong></span> or <span class="command"><strong>rndc loadkeys</strong></span>
- command. (Those commands can still be used when there are unscheduled
- key changes, however.)
- </p>
- <p>
- When new keys are added to a zone, the TTL is set to match that
- of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
- then the TTL will be set to the TTL specified when the key was
- created (using the <span class="command"><strong>dnssec-keygen -L</strong></span> option), if
- any, or to the SOA TTL.
- </p>
- <p>
- If you wish the zone to be signed using NSEC3 instead of NSEC,
- submit an NSEC3PARAM record via dynamic update prior to the
- scheduled publication and activation of the keys. If you wish the
- NSEC3 chain to have the OPTOUT bit set, set it in the flags field
- of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
- the zone immediately, but it will be stored for later reference. When
- the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
- record will appear in the zone.
- </p>
- <p>Using the
- <span class="command"><strong>auto-dnssec</strong></span> option requires the zone to be
- configured to allow dynamic updates, by adding an
- <span class="command"><strong>allow-update</strong></span> or
- <span class="command"><strong>update-policy</strong></span> statement to the zone
- configuration. If this has not been done, the configuration will
- fail.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.25"></a>Private-type records</h3></div></div></div>
-
- </div>
- <p>The state of the signing process is signaled by
- private-type records (with a default type value of 65534). When
- signing is complete, these records will have a nonzero value for
- the final octet (for those records which have a nonzero initial
- octet).</p>
- <p>The private type record format: If the first octet is
- non-zero then the record indicates that the zone needs to be
- signed with the key matching the record, or that all signatures
- that match the record should be removed.</p>
- <p>
- </p>
-<div class="literallayout"><p><br>
-<br>
-  algorithm (octet 1)<br>
-  key id in network order (octet 2 and 3)<br>
-  removal flag (octet 4)<br>
-  complete flag (octet 5)<br>
-</p></div>
-<p>
- </p>
- <p>Only records flagged as "complete" can be removed via
- dynamic update. Attempts to remove other private type records
- will be silently ignored.</p>
- <p>If the first octet is zero (this is a reserved algorithm
- number that should never appear in a DNSKEY record) then the
- record indicates changes to the NSEC3 chains are in progress. The
- rest of the record contains an NSEC3PARAM record. The flag field
- tells what operation to perform based on the flag bits.</p>
- <p>
- </p>
-<div class="literallayout"><p><br>
-<br>
-Â Â 0x01Â OPTOUT<br>
-Â Â 0x80Â CREATE<br>
-Â Â 0x40Â REMOVE<br>
-Â Â 0x20Â NONSEC<br>
-</p></div>
-<p>
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.32"></a>DNSKEY rollovers</h3></div></div></div>
-
- </div>
- <p>As with insecure-to-secure conversions, rolling DNSSEC
- keys can be done in two ways: using a dynamic DNS update, or the
- <span class="command"><strong>auto-dnssec</strong></span> zone option.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.34"></a>Dynamic DNS update method</h3></div></div></div>
-
- </div>
- <p> To perform key rollovers via dynamic update, you need to add
- the <code class="filename">K*</code> files for the new keys so that
- <span class="command"><strong>named</strong></span> can find them. You can then add the new
- DNSKEY RRs via dynamic update.
- <span class="command"><strong>named</strong></span> will then cause the zone to be signed
- with the new keys. When the signing is complete the private type
- records will be updated so that the last octet is non
- zero.</p>
- <p>If this is for a KSK you need to inform the parent and any
- trust anchor repositories of the new KSK.</p>
- <p>You should then wait for the maximum TTL in the zone before
- removing the old DNSKEY. If it is a KSK that is being updated,
- you also need to wait for the DS RRset in the parent to be
- updated and its TTL to expire. This ensures that all clients will
- be able to verify at least one signature when you remove the old
- DNSKEY.</p>
- <p>The old DNSKEY can be removed via UPDATE. Take care to
- specify the correct key.
- <span class="command"><strong>named</strong></span> will clean out any signatures generated
- by the old key after the update completes.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.39"></a>Automatic key rollovers</h3></div></div></div>
-
- </div>
- <p>When a new key reaches its activation date (as set by
- <span class="command"><strong>dnssec-keygen</strong></span> or <span class="command"><strong>dnssec-settime</strong></span>),
- if the <span class="command"><strong>auto-dnssec</strong></span> zone option is set to
- <code class="constant">maintain</code>, <span class="command"><strong>named</strong></span> will
- automatically carry out the key rollover. If the key's algorithm
- has not previously been used to sign the zone, then the zone will
- be fully signed as quickly as possible. However, if the new key
- is replacing an existing key of the same algorithm, then the
- zone will be re-signed incrementally, with signatures from the
- old key being replaced with signatures from the new key as their
- signature validity periods expire. By default, this rollover
- completes in 30 days, after which it will be safe to remove the
- old key from the DNSKEY RRset.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.41"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div>
-
- </div>
- <p>Add the new NSEC3PARAM record via dynamic update. When the
- new NSEC3 chain has been generated, the NSEC3PARAM flag field
- will be zero. At this point you can remove the old NSEC3PARAM
- record. The old chain will be removed after the update request
- completes.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.43"></a>Converting from NSEC to NSEC3</h3></div></div></div>
-
- </div>
- <p>To do this, you just need to add an NSEC3PARAM record. When
- the conversion is complete, the NSEC chain will have been removed
- and the NSEC3PARAM record will have a zero flag field. The NSEC3
- chain will be generated before the NSEC chain is
- destroyed.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.45"></a>Converting from NSEC3 to NSEC</h3></div></div></div>
-
- </div>
- <p>To do this, use <span class="command"><strong>nsupdate</strong></span> to
- remove all NSEC3PARAM records with a zero flag
- field. The NSEC chain will be generated before the NSEC3 chain is
- removed.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.47"></a>Converting from secure to insecure</h3></div></div></div>
-
- </div>
- <p>To convert a signed zone to unsigned using dynamic DNS,
- delete all the DNSKEY records from the zone apex using
- <span class="command"><strong>nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
- and associated NSEC3PARAM records will be removed automatically.
- This will take place after the update request completes.</p>
- <p> This requires the
- <span class="command"><strong>dnssec-secure-to-insecure</strong></span> option to be set to
- <strong class="userinput"><code>yes</code></strong> in
- <code class="filename">named.conf</code>.</p>
- <p>In addition, if the <span class="command"><strong>auto-dnssec maintain</strong></span>
- zone statement is used, it should be removed or changed to
- <span class="command"><strong>allow</strong></span> instead (or it will re-sign).
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.51"></a>Periodic re-signing</h3></div></div></div>
-
- </div>
- <p>In any secure zone which supports dynamic updates, <span class="command"><strong>named</strong></span>
- will periodically re-sign RRsets which have not been re-signed as
- a result of some update action. The signature lifetimes will be
- adjusted so as to spread the re-sign load over time rather than
- all at once.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.10.53"></a>NSEC3 and OPTOUT</h3></div></div></div>
-
- </div>
- <p>
- <span class="command"><strong>named</strong></span> only supports creating new NSEC3 chains
- where all the NSEC3 records in the zone have the same OPTOUT
- state.
- <span class="command"><strong>named</strong></span> supports UPDATES to zones where the NSEC3
- records in the chain have mixed OPTOUT state.
- <span class="command"><strong>named</strong></span> does not support changing the OPTOUT
- state of an individual NSEC3 record, the entire chain needs to be
- changed if the OPTOUT state of an individual NSEC3 needs to be
- changed.</p>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
-
- <p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
- anchor management. Using this feature allows
- <span class="command"><strong>named</strong></span> to keep track of changes to critical
- DNSSEC keys without any need for the operator to make changes to
- configuration files.</p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.11.3"></a>Validating Resolver</h3></div></div></div>
-
-
- <p>To configure a validating resolver to use RFC 5011 to
- maintain a trust anchor, configure the trust anchor using a
- <span class="command"><strong>managed-keys</strong></span> statement. Information about
- this can be found in
- <a class="xref" href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called “<span class="command"><strong>managed-keys</strong></span> Statement Definition
- and Usage”</a>.</p>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.11.4"></a>Authoritative Server</h3></div></div></div>
-
- <p>To set up an authoritative zone for RFC 5011 trust anchor
- maintenance, generate two (or more) key signing keys (KSKs) for
- the zone. Sign the zone with one of them; this is the "active"
- KSK. All KSKs which do not sign the zone are "stand-by"
- keys.</p>
- <p>Any validating resolver which is configured to use the
- active KSK as an RFC 5011-managed trust anchor will take note
- of the stand-by KSKs in the zone's DNSKEY RRset, and store them
- for future reference. The resolver will recheck the zone
- periodically, and after 30 days, if the new key is still there,
- then the key will be accepted by the resolver as a valid trust
- anchor for the zone. Any time after this 30-day acceptance
- timer has completed, the active KSK can be revoked, and the
- zone can be "rolled over" to the newly accepted key.</p>
- <p>The easiest way to place a stand-by key in a zone is to
- use the "smart signing" features of
- <span class="command"><strong>dnssec-keygen</strong></span> and
- <span class="command"><strong>dnssec-signzone</strong></span>. If a key with a publication
- date in the past, but an activation date which is unset or in
- the future, "
- <span class="command"><strong>dnssec-signzone -S</strong></span>" will include the DNSKEY
- record in the zone, but will not sign with it:</p>
- <pre class="screen">
-$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
-$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
-</pre>
- <p>To revoke a key, the new command
- <span class="command"><strong>dnssec-revoke</strong></span> has been added. This adds the
- REVOKED bit to the key flags and re-generates the
- <code class="filename">K*.key</code> and
- <code class="filename">K*.private</code> files.</p>
- <p>After revoking the active key, the zone must be signed
- with both the revoked KSK and the new active KSK. (Smart
- signing takes care of this automatically.)</p>
- <p>Once a key has been revoked and used to sign the DNSKEY
- RRset in which it appears, that key will never again be
- accepted as a valid trust anchor by the resolver. However,
- validation can proceed using the new active key (which had been
- accepted by the resolver when it was a stand-by key).</p>
- <p>See RFC 5011 for more details on key rollover
- scenarios.</p>
- <p>When a key has been revoked, its key ID changes,
- increasing by 128, and wrapping around at 65535. So, for
- example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
- "<code class="filename">Kexample.com.+005+10128</code>".</p>
- <p>If two keys have IDs exactly 128 apart, and one is
- revoked, then the two key IDs will collide, causing several
- problems. To prevent this,
- <span class="command"><strong>dnssec-keygen</strong></span> will not generate a new key if
- another key is present which may collide. This checking will
- only occur if the new keys are written to the same directory
- which holds all other keys in use for that zone.</p>
- <p>Older versions of BIND 9 did not have this precaution.
- Exercise caution if using key revocation on keys that were
- generated by previous releases, or if using keys stored in
- multiple directories or on multiple machines.</p>
- <p>It is expected that a future release of BIND 9 will
- address this problem in a different way, by storing revoked
- keys with their original unrevoked key IDs.</p>
- </div>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="pkcs11"></a>PKCS#11 (Cryptoki) support</h2></div></div></div>
-
- <p>
- PKCS#11 (Public Key Cryptography Standard #11) defines a
- platform-independent API for the control of hardware security
- modules (HSMs) and other cryptographic support devices.
- </p>
- <p>
- BIND 9 is known to work with three HSMs: The AEP Keyper, which has
- been tested with Debian Linux, Solaris x86 and Windows Server 2003;
- the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
- cryptographic acceleration board, tested with Solaris x86. In
- addition, BIND can be used with all current versions of SoftHSM,
- a software-based HSM simulator library produced by the OpenDNSSEC
- project.
- </p>
- <p>
- PKCS#11 makes use of a "provider library": a dynamically loadable
- library which provides a low-level PKCS#11 interface to drive the HSM
- hardware. The PKCS#11 provider library comes from the HSM vendor, and
- it is specific to the HSM to be controlled.
- </p>
- <p>
- There are two available mechanisms for PKCS#11 support in BIND 9:
- OpenSSL-based PKCS#11 and native PKCS#11. When using the first
- mechanism, BIND uses a modified version of OpenSSL, which loads
- the provider library and operates the HSM indirectly; any
- cryptographic operations not supported by the HSM can be carried
- out by OpenSSL instead. The second mechanism enables BIND to bypass
- OpenSSL completely; BIND loads the provider library itself, and uses
- the PKCS#11 API to drive the HSM directly.
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.12.6"></a>Prerequisites</h3></div></div></div>
-
- <p>
- See the documentation provided by your HSM vendor for
- information about installing, initializing, testing and
- troubleshooting the HSM.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.12.7"></a>Native PKCS#11</h3></div></div></div>
-
- <p>
- Native PKCS#11 mode will only work with an HSM capable of carrying
- out <span class="emphasis"><em>every</em></span> cryptographic operation BIND 9 may
- need. The HSM's provider library must have a complete implementation
- of the PKCS#11 API, so that all these functions are accessible. As of
- this writing, only the Thales nShield HSM and SoftHSMv2 can be used
- in this fashion. For other HSMs, including the AEP Keyper, Sun SCA
- 6000 and older versions of SoftHSM, use OpenSSL-based PKCS#11.
- (Note: Eventually, when more HSMs become capable of supporting
- native PKCS#11, it is expected that OpenSSL-based PKCS#11 will
- be deprecated.)
- </p>
- <p>
- To build BIND with native PKCS#11, configure as follows:
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>cd bind9</code></strong>
-$ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
- --with-pkcs11=<em class="replaceable"><code>provider-library-path</code></em></code></strong>
- </pre>
- <p>
- This will cause all BIND tools, including <span class="command"><strong>named</strong></span>
- and the <span class="command"><strong>dnssec-*</strong></span> and <span class="command"><strong>pkcs11-*</strong></span>
- tools, to use the PKCS#11 provider library specified in
- <em class="replaceable"><code>provider-library-path</code></em> for cryptography.
- (The provider library path can be overridden using the
- <code class="option">-E</code> in <span class="command"><strong>named</strong></span> and the
- <span class="command"><strong>dnssec-*</strong></span> tools, or the <code class="option">-m</code> in
- the <span class="command"><strong>pkcs11-*</strong></span> tools.)
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.5.12.7.6"></a>Building SoftHSMv2</h4></div></div></div>
-
- <p>
- SoftHSMv2, the latest development version of SoftHSM, is available
- from
- <a class="link" href="https://github.com/opendnssec/SoftHSMv2" target="_top">
- https://github.com/opendnssec/SoftHSMv2
- </a>.
- It is a software library developed by the OpenDNSSEC project
- (<a class="link" href="http://www.opendnssec.org" target="_top">
- http://www.opendnssec.org
- </a>)
- which provides a PKCS#11 interface to a virtual HSM, implemented in
- the form of a SQLite3 database on the local filesystem. It provides
- less security than a true HSM, but it allows you to experiment with
- native PKCS#11 when an HSM is not available. SoftHSMv2 can be
- configured to use either OpenSSL or the Botan library to perform
- cryptographic functions, but when using it for native PKCS#11 in
- BIND, OpenSSL is required.
- </p>
- <p>
- By default, the SoftHSMv2 configuration file is
- <em class="replaceable"><code>prefix</code></em>/etc/softhsm2.conf (where
- <em class="replaceable"><code>prefix</code></em> is configured at compile time).
- This location can be overridden by the SOFTHSM2_CONF environment
- variable. The SoftHSMv2 cryptographic store must be installed and
- initialized before using it with BIND.
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code> cd SoftHSMv2 </code></strong>
-$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong>
-$ <strong class="userinput"><code> make </code></strong>
-$ <strong class="userinput"><code> make install </code></strong>
-$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
- </pre>
- </div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.12.8"></a>OpenSSL-based PKCS#11</h3></div></div></div>
-
- <p>
- OpenSSL-based PKCS#11 mode uses a modified version of the
- OpenSSL library; stock OpenSSL does not fully support PKCS#11.
- ISC provides a patch to OpenSSL to correct this. This patch is
- based on work originally done by the OpenSolaris project; it has been
- modified by ISC to provide new features such as PIN management and
- key-by-reference.
- </p>
- <p>
- There are two "flavors" of PKCS#11 support provided by
- the patched OpenSSL, one of which must be chosen at
- configuration time. The correct choice depends on the HSM
- hardware:
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Use 'crypto-accelerator' with HSMs that have hardware
- cryptographic acceleration features, such as the SCA 6000
- board. This causes OpenSSL to run all supported
- cryptographic operations in the HSM.
- </p>
- </li>
-<li class="listitem">
- <p>
- Use 'sign-only' with HSMs that are designed to
- function primarily as secure key storage devices, but lack
- hardware acceleration. These devices are highly secure, but
- are not necessarily any faster at cryptography than the
- system CPU — often, they are slower. It is therefore
- most efficient to use them only for those cryptographic
- functions that require access to the secured private key,
- such as zone signing, and to use the system CPU for all
- other computationally-intensive operations. The AEP Keyper
- is an example of such a device.
- </p>
- </li>
-</ul></div>
- <p>
- The modified OpenSSL code is included in the BIND 9 release,
- in the form of a context diff against the latest versions of
- OpenSSL. OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 are supported;
- there are separate diffs for each version. In the examples to
- follow, we use OpenSSL 0.9.8, but the same methods work with
- OpenSSL 1.0.0 through 1.0.2.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- The OpenSSL patches as of this writing (January 2016)
- support versions 0.9.8zh, 1.0.0t, 1.0.1q and 1.0.2f.
- ISC will provide updated patches as new versions of OpenSSL
- are released. The version number in the following examples
- is expected to change.
- </p>
-</div>
- <p>
- Before building BIND 9 with PKCS#11 support, it will be
- necessary to build OpenSSL with the patch in place, and configure
- it with the path to your HSM's PKCS#11 provider library.
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.5.12.8.8"></a>Patching OpenSSL</h4></div></div></div>
-
- <pre class="screen">
-$ <strong class="userinput"><code>wget <a class="link" href="" target="_top">http://www.openssl.org/source/openssl-0.9.8zc.tar.gz</a></code></strong>
- </pre>
- <p>Extract the tarball:</p>
- <pre class="screen">
-$ <strong class="userinput"><code>tar zxf openssl-0.9.8zc.tar.gz</code></strong>
-</pre>
- <p>Apply the patch from the BIND 9 release:</p>
- <pre class="screen">
-$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8zc \
- < bind9/bin/pkcs11/openssl-0.9.8zc-patch</code></strong>
-</pre>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- The patch file may not be compatible with the
- "patch" utility on all operating systems. You may need to
- install GNU patch.
- </p>
-</div>
- <p>
- When building OpenSSL, place it in a non-standard
- location so that it does not interfere with OpenSSL libraries
- elsewhere on the system. In the following examples, we choose
- to install into "/opt/pkcs11/usr". We will use this location
- when we configure BIND 9.
- </p>
- <p>
- Later, when building BIND 9, the location of the custom-built
- OpenSSL library will need to be specified via configure.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.5.12.8.9"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
-
-
- <p>
- The AEP Keyper is a highly secure key storage device,
- but does not provide hardware cryptographic acceleration. It
- can carry out cryptographic operations, but it is probably
- slower than your system's CPU. Therefore, we choose the
- 'sign-only' flavor when building OpenSSL.
- </p>
- <p>
- The Keyper-specific PKCS#11 provider library is
- delivered with the Keyper software. In this example, we place
- it /opt/pkcs11/usr/lib:
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
-</pre>
- <p>
- The Keyper library requires threads, so we
- must specify -pthread.
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
-$ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
- --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
- --pk11-flavor=sign-only \
- --prefix=/opt/pkcs11/usr</code></strong>
-</pre>
- <p>
- After configuring, run "<span class="command"><strong>make</strong></span>"
- and "<span class="command"><strong>make test</strong></span>". If "<span class="command"><strong>make
- test</strong></span>" fails with "pthread_atfork() not found", you forgot to
- add the -pthread above.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.5.12.8.10"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
-
-
- <p>
- The SCA-6000 PKCS#11 provider is installed as a system
- library, libpkcs11. It is a true crypto accelerator, up to 4
- times faster than any CPU, so the flavor shall be
- 'crypto-accelerator'.
- </p>
- <p>
- In this example, we are building on Solaris x86 on an
- AMD64 system.
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
-$ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
- --pk11-libname=/usr/lib/64/libpkcs11.so \
- --pk11-flavor=crypto-accelerator \
- --prefix=/opt/pkcs11/usr</code></strong>
-</pre>
- <p>
- (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
- </p>
- <p>
- After configuring, run
- <span class="command"><strong>make</strong></span> and
- <span class="command"><strong>make test</strong></span>.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.5.12.8.11"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
-
-
- <p>
- SoftHSM (version 1) is a software library developed by the
- OpenDNSSEC project
- (<a class="link" href="http://www.opendnssec.org" target="_top">
- http://www.opendnssec.org
- </a>)
- which provides a
- PKCS#11 interface to a virtual HSM, implemented in the form of
- a SQLite3 database on the local filesystem. SoftHSM uses
- the Botan library to perform cryptographic functions. Though
- less secure than a true HSM, it can allow you to experiment
- with PKCS#11 when an HSM is not available.
- </p>
- <p>
- The SoftHSM cryptographic store must be installed and
- initialized before using it with OpenSSL, and the SOFTHSM_CONF
- environment variable must always point to the SoftHSM configuration
- file:
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code> cd softhsm-1.3.7 </code></strong>
-$ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
-$ <strong class="userinput"><code> make </code></strong>
-$ <strong class="userinput"><code> make install </code></strong>
-$ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </code></strong>
-$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </code></strong>
-$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
-</pre>
- <p>
- SoftHSM can perform all cryptographic operations, but
- since it only uses your system CPU, there is no advantage to using
- it for anything but signing. Therefore, we choose the 'sign-only'
- flavor when building OpenSSL.
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8zc</code></strong>
-$ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
- --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
- --pk11-flavor=sign-only \
- --prefix=/opt/pkcs11/usr</code></strong>
-</pre>
- <p>
- After configuring, run "<span class="command"><strong>make</strong></span>"
- and "<span class="command"><strong>make test</strong></span>".
- </p>
- </div>
- <p>
- Once you have built OpenSSL, run
- "<span class="command"><strong>apps/openssl engine pkcs11</strong></span>" to confirm
- that PKCS#11 support was compiled in correctly. The output
- should be one of the following lines, depending on the flavor
- selected:
- </p>
- <pre class="screen">
- (pkcs11) PKCS #11 engine support (sign only)
-</pre>
- <p>Or:</p>
- <pre class="screen">
- (pkcs11) PKCS #11 engine support (crypto accelerator)
-</pre>
- <p>
- Next, run
- "<span class="command"><strong>apps/openssl engine pkcs11 -t</strong></span>". This will
- attempt to initialize the PKCS#11 engine. If it is able to
- do so successfully, it will report
- <span class="quote">“<span class="quote"><code class="literal">[ available ]</code></span>”</span>.
- </p>
- <p>
- If the output is correct, run
- "<span class="command"><strong>make install</strong></span>" which will install the
- modified OpenSSL suite to <code class="filename">/opt/pkcs11/usr</code>.
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.5.12.8.18"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
-
-
- <p>
- To link with the PKCS#11 provider, threads must be
- enabled in the BIND 9 build.
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>cd ../bind9</code></strong>
-$ <strong class="userinput"><code>./configure --enable-threads \
- --with-openssl=/opt/pkcs11/usr \
- --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
-</pre>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.5.12.8.19"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
-
-
- <p>
- To link with the PKCS#11 provider, threads must be
- enabled in the BIND 9 build.
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>cd ../bind9</code></strong>
-$ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
- --with-openssl=/opt/pkcs11/usr \
- --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
-</pre>
- <p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
- <p>
- If configure complains about OpenSSL not working, you
- may have a 32/64-bit architecture mismatch. Or, you may have
- incorrectly specified the path to OpenSSL (it should be the
- same as the --prefix argument to the OpenSSL
- Configure).
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.5.12.8.20"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
-
-
- <pre class="screen">
-$ <strong class="userinput"><code>cd ../bind9</code></strong>
-$ <strong class="userinput"><code>./configure --enable-threads \
- --with-openssl=/opt/pkcs11/usr \
- --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</code></strong>
-</pre>
- </div>
- <p>
- After configuring, run
- "<span class="command"><strong>make</strong></span>",
- "<span class="command"><strong>make test</strong></span>" and
- "<span class="command"><strong>make install</strong></span>".
- </p>
- <p>
- (Note: If "make test" fails in the "pkcs11" system test, you may
- have forgotten to set the SOFTHSM_CONF environment variable.)
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.12.9"></a>PKCS#11 Tools</h3></div></div></div>
-
- <p>
- BIND 9 includes a minimal set of tools to operate the
- HSM, including
- <span class="command"><strong>pkcs11-keygen</strong></span> to generate a new key pair
- within the HSM,
- <span class="command"><strong>pkcs11-list</strong></span> to list objects currently
- available,
- <span class="command"><strong>pkcs11-destroy</strong></span> to remove objects, and
- <span class="command"><strong>pkcs11-tokens</strong></span> to list available tokens.
- </p>
- <p>
- In UNIX/Linux builds, these tools are built only if BIND
- 9 is configured with the --with-pkcs11 option. (Note: If
- --with-pkcs11 is set to "yes", rather than to the path of the
- PKCS#11 provider, then the tools will be built but the
- provider will be left undefined. Use the -m option or the
- PKCS11_PROVIDER environment variable to specify the path to the
- provider.)
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.12.10"></a>Using the HSM</h3></div></div></div>
-
- <p>
- For OpenSSL-based PKCS#11, we must first set up the runtime
- environment so the OpenSSL and PKCS#11 libraries can be loaded:
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
-</pre>
- <p>
- This causes <span class="command"><strong>named</strong></span> and other binaries to load
- the OpenSSL library from <code class="filename">/opt/pkcs11/usr/lib</code>
- rather than from the default location. This step is not necessary
- when using native PKCS#11.
- </p>
- <p>
- Some HSMs require other environment variables to be set.
- For example, when operating an AEP Keyper, it is necessary to
- specify the location of the "machine" file, which stores
- information about the Keyper for use by the provider
- library. If the machine file is in
- <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
- use:
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
-</pre>
- <p>
- Such environment variables must be set whenever running
- any tool that uses the HSM, including
- <span class="command"><strong>pkcs11-keygen</strong></span>,
- <span class="command"><strong>pkcs11-list</strong></span>,
- <span class="command"><strong>pkcs11-destroy</strong></span>,
- <span class="command"><strong>dnssec-keyfromlabel</strong></span>,
- <span class="command"><strong>dnssec-signzone</strong></span>,
- <span class="command"><strong>dnssec-keygen</strong></span>, and
- <span class="command"><strong>named</strong></span>.
- </p>
- <p>
- We can now create and use keys in the HSM. In this case,
- we will create a 2048 bit key and give it the label
- "sample-ksk":
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
-</pre>
- <p>To confirm that the key exists:</p>
- <pre class="screen">
-$ <strong class="userinput"><code>pkcs11-list</code></strong>
-Enter PIN:
-object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
-object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
-</pre>
- <p>
- Before using this key to sign a zone, we must create a
- pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
- does this. In this case, we will be using the HSM key
- "sample-ksk" as the key-signing key for "example.net":
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
-</pre>
- <p>
- The resulting K*.key and K*.private files can now be used
- to sign the zone. Unlike normal K* files, which contain both
- public and private key data, these files will contain only the
- public key data, plus an identifier for the private key which
- remains stored within the HSM. Signing with the private key takes
- place inside the HSM.
- </p>
- <p>
- If you wish to generate a second key in the HSM for use
- as a zone-signing key, follow the same procedure above, using a
- different keylabel, a smaller key size, and omitting "-f KSK"
- from the dnssec-keyfromlabel arguments:
- </p>
- <p>
- (Note: When using OpenSSL-based PKCS#11 the label is an arbitrary
- string which identifies the key. With native PKCS#11, the label is
- a PKCS#11 URI string which may include other details about the key
- and the HSM, including its PIN. See
- <a class="xref" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"><span class="refentrytitle"><span class="application">dnssec-keyfromlabel</span></span>(8)</a> for details.)
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
-$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
-</pre>
- <p>
- Alternatively, you may prefer to generate a conventional
- on-disk key, using dnssec-keygen:
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
-</pre>
- <p>
- This provides less security than an HSM key, but since
- HSMs can be slow or cumbersome to use for security reasons, it
- may be more efficient to reserve HSM keys for use in the less
- frequent key-signing operation. The zone-signing key can be
- rolled more frequently, if you wish, to compensate for a
- reduction in key security. (Note: When using native PKCS#11,
- there is no speed advantage to using on-disk keys, as cryptographic
- operations will be done by the HSM regardless.)
- </p>
- <p>
- Now you can sign the zone. (Note: If not using the -S
- option to <span class="command"><strong>dnssec-signzone</strong></span>, it will be
- necessary to add the contents of both <code class="filename">K*.key</code>
- files to the zone master file before signing it.)
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
-Enter PIN:
-Verifying the zone using the following algorithms:
-NSEC3RSASHA1.
-Zone signing complete:
-Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
-example.net.signed
-</pre>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.12.11"></a>Specifying the engine on the command line</h3></div></div></div>
-
- <p>
- When using OpenSSL-based PKCS#11, the "engine" to be used by
- OpenSSL can be specified in <span class="command"><strong>named</strong></span> and all of
- the BIND <span class="command"><strong>dnssec-*</strong></span> tools by using the "-E
- <engine>" command line option. If BIND 9 is built with
- the --with-pkcs11 option, this option defaults to "pkcs11".
- Specifying the engine will generally not be necessary unless
- for some reason you wish to use a different OpenSSL
- engine.
- </p>
- <p>
- If you wish to disable use of the "pkcs11" engine —
- for troubleshooting purposes, or because the HSM is unavailable
- — set the engine to the empty string. For example:
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
-</pre>
- <p>
- This causes
- <span class="command"><strong>dnssec-signzone</strong></span> to run as if it were compiled
- without the --with-pkcs11 option.
- </p>
- <p>
- When built with native PKCS#11 mode, the "engine" option has a
- different meaning: it specifies the path to the PKCS#11 provider
- library. This may be useful when testing a new provider library.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.12.12"></a>Running named with automatic zone re-signing</h3></div></div></div>
-
- <p>
- If you want <span class="command"><strong>named</strong></span> to dynamically re-sign zones
- using HSM keys, and/or to to sign new records inserted via nsupdate,
- then <span class="command"><strong>named</strong></span> must have access to the HSM PIN. In OpenSSL-based PKCS#11,
- this is accomplished by placing the PIN into the openssl.cnf file
- (in the above examples,
- <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).
- </p>
- <p>
- The location of the openssl.cnf file can be overridden by
- setting the OPENSSL_CONF environment variable before running
- <span class="command"><strong>named</strong></span>.
- </p>
- <p>Sample openssl.cnf:</p>
- <pre class="programlisting">
- openssl_conf = openssl_def
- [ openssl_def ]
- engines = engine_section
- [ engine_section ]
- pkcs11 = pkcs11_section
- [ pkcs11_section ]
- PIN = <em class="replaceable"><code><PLACE PIN HERE></code></em>
-</pre>
- <p>
- This will also allow the dnssec-* tools to access the HSM
- without PIN entry. (The pkcs11-* tools access the HSM directly,
- not via OpenSSL, so a PIN will still be required to use
- them.)
- </p>
- <p>
- In native PKCS#11 mode, the PIN can be provided in a file specified
- as an attribute of the key's label. For example, if a key had the label
- <strong class="userinput"><code>pkcs11:object=local-zsk;pin-source=/etc/hsmpin</code></strong>,
- then the PIN would be read from the file
- <code class="filename">/etc/hsmpin</code>.
- </p>
- <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
- <p>
- Placing the HSM's PIN in a text file in this manner may reduce the
- security advantage of using an HSM. Be sure this is what you want to
- do before configuring the system in this way.
- </p>
- </div>
- </div>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dlz-info"></a>DLZ (Dynamically Loadable Zones)</h2></div></div></div>
-
- <p>
- DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows
- zone data to be retrieved directly from an external database. There is
- no required format or schema. DLZ drivers exist for several different
- database backends including PostgreSQL, MySQL, and LDAP and can be
- written for any other.
- </p>
- <p>
- Historically, DLZ drivers had to be statically linked with the <span class="command"><strong>named</strong></span>
- binary and were turned on via a configure option at compile time (for
- example, <strong class="userinput"><code>"configure --with-dlz-ldap"</code></strong>).
- Currently, the drivers provided in the BIND 9 tarball in
- <code class="filename">contrib/dlz/drivers</code> are still linked this
- way.
- </p>
- <p>
- In BIND 9.8 and higher, it is possible to link some DLZ modules
- dynamically at runtime, via the DLZ "dlopen" driver, which acts as a
- generic wrapper around a shared object implementing the DLZ API. The
- "dlopen" driver is linked into <span class="command"><strong>named</strong></span> by default, so configure options
- are no longer necessary when using these dynamically linkable drivers,
- but are still needed for the older drivers in
- <code class="filename">contrib/dlz/drivers</code>.
- </p>
-
- <p>
- When the DLZ module provides data to <span class="command"><strong>named</strong></span>, it does so in text format.
- The response is converted to DNS wire format by <span class="command"><strong>named</strong></span>. This
- conversion, and the lack of any internal caching, places significant
- limits on the query performance of DLZ modules. Consequently, DLZ is
- not recommended for use on high-volume servers. However, it can be
- used in a hidden master configuration, with slaves retrieving zone
- updates via AXFR. (Note, however, that DLZ has no built-in support for
- DNS notify; slaves are not automatically informed of changes to the
- zones in the database.)
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.13.6"></a>Configuring DLZ</h3></div></div></div>
-
- <p>
- A DLZ database is configured with a <span class="command"><strong>dlz</strong></span>
- statement in <code class="filename">named.conf</code>:
- </p>
- <pre class="screen">
- dlz example {
- database "dlopen driver.so <code class="option">args</code>";
- search yes;
- };
- </pre>
- <p>
- This specifies a DLZ module to search when answering queries; the
- module is implemented in <code class="filename">driver.so</code> and is
- loaded at runtime by the dlopen DLZ driver. Multiple
- <span class="command"><strong>dlz</strong></span> statements can be specified; when
- answering a query, all DLZ modules with <code class="option">search</code>
- set to <code class="literal">yes</code> will be queried to find out if
- they contain an answer for the query name; the best available
- answer will be returned to the client.
- </p>
- <p>
- The <code class="option">search</code> option in the above example can be
- omitted, because <code class="literal">yes</code> is the default value.
- </p>
- <p>
- If <code class="option">search</code> is set to <code class="literal">no</code>, then
- this DLZ module is <span class="emphasis"><em>not</em></span> searched for the best
- match when a query is received. Instead, zones in this DLZ must be
- separately specified in a zone statement. This allows you to
- configure a zone normally using standard zone option semantics,
- but specify a different database back-end for storage of the
- zone's data. For example, to implement NXDOMAIN redirection using
- a DLZ module for back-end storage of redirection rules:
- </p>
- <pre class="screen">
- dlz other {
- database "dlopen driver.so <code class="option">args</code>";
- search no;
- };
-
- zone "." {
- type redirect;
- dlz other;
- };
- </pre>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.13.7"></a>Sample DLZ Driver</h3></div></div></div>
-
- <p>
- For guidance in implementation of DLZ modules, the directory
- <code class="filename">contrib/dlz/example</code> contains a basic
- dynamically-linkable DLZ module--i.e., one which can be
- loaded at runtime by the "dlopen" DLZ driver.
- The example sets up a single zone, whose name is passed
- to the module as an argument in the <span class="command"><strong>dlz</strong></span>
- statement:
- </p>
- <pre class="screen">
- dlz other {
- database "dlopen driver.so example.nil";
- };
- </pre>
- <p>
- In the above example, the module is configured to create a zone
- "example.nil", which can answer queries and AXFR requests, and
- accept DDNS updates. At runtime, prior to any updates, the zone
- contains an SOA, NS, and a single A record at the apex:
- </p>
- <pre class="screen">
- example.nil. 3600 IN SOA example.nil. hostmaster.example.nil. (
- 123 900 600 86400 3600
- )
- example.nil. 3600 IN NS example.nil.
- example.nil. 1800 IN A 10.53.0.1
- </pre>
- <p>
- The sample driver is capable of retrieving information about the
- querying client, and altering its response on the basis of this
- information. To demonstrate this feature, the example driver
- responds to queries for "source-addr.<code class="option">zonename</code>>/TXT"
- with the source address of the query. Note, however, that this
- record will *not* be included in AXFR or ANY responses. Normally,
- this feature would be used to alter responses in some other fashion,
- e.g., by providing different address records for a particular name
- depending on the network from which the query arrived.
- </p>
- <p>
- Documentation of the DLZ module API can be found in
- <code class="filename">contrib/dlz/example/README</code>. This directory also
- contains the header file <code class="filename">dlz_minimal.h</code>, which
- defines the API and should be included by any dynamically-linkable
- DLZ module.
- </p>
- </div>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dyndb-info"></a>DynDB (Dynamic Database)</h2></div></div></div>
-
- <p>
- DynDB is an extension to BIND 9 which, like DLZ
- (see <a class="xref" href="Bv9ARM.ch04.html#dlz-info" title="DLZ (Dynamically Loadable Zones)">the section called “DLZ (Dynamically Loadable Zones)”</a>), allows zone data to be
- retrieved from an external database. Unlike DLZ, a DynDB module
- provides a full-featured BIND zone database interface. Where
- DLZ translates DNS queries into real-time database lookups,
- resulting in relatively poor query performance, and is unable
- to handle DNSSEC-signed data due to its limited API, a DynDB
- module can pre-load an in-memory database from the external
- data source, providing the same performance and functionality
- as zones served natively by BIND.
- </p>
- <p>
- A DynDB module supporting LDAP has been created by Red Hat
- and is available from
- <a class="link" href="https://fedorahosted.org/bind-dyndb-ldap/" target="_top">https://fedorahosted.org/bind-dyndb-ldap/</a>.
- </p>
- <p>
- A sample DynDB module for testing and developer guidance
- is included with the BIND source code, in the directory
- <code class="filename">bin/tests/system/dyndb/driver</code>.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.14.5"></a>Configuring DynDB</h3></div></div></div>
-
- <p>
- A DynDB database is configured with a <span class="command"><strong>dyndb</strong></span>
- statement in <code class="filename">named.conf</code>:
- </p>
- <pre class="screen">
- dyndb example "driver.so" {
- <em class="replaceable"><code>parameters</code></em>
- };
- </pre>
- <p>
- The file <code class="filename">driver.so</code> is a DynDB module which
- implements the full DNS database API. Multiple
- <span class="command"><strong>dyndb</strong></span> statements can be specified, to load
- different drivers or multiple instances of the same driver.
- Zones provided by a DynDB module are added to the view's zone
- table, and are treated as normal authoritative zones when BIND
- is responding to queries. Zone configuration is handled internally
- by the DynDB module.
- </p>
- <p>
- The <em class="replaceable"><code>parameters</code></em> are passed as an opaque
- string to the DynDB module's initialization routine. Configuration
- syntax will differ depending on the driver.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.14.6"></a>Sample DynDB Module</h3></div></div></div>
-
- <p>
- For guidance in implementation of DynDB modules, the directory
- <code class="filename">bin/tests/system/dyndb/driver</code>.
- contains a basic DynDB module.
- The example sets up two zones, whose names are passed
- to the module as arguments in the <span class="command"><strong>dyndb</strong></span>
- statement:
- </p>
- <pre class="screen">
- dyndb sample "sample.so" { example.nil. arpa. };
- </pre>
- <p>
- In the above example, the module is configured to create a zone
- "example.nil", which can answer queries and AXFR requests, and
- accept DDNS updates. At runtime, prior to any updates, the zone
- contains an SOA, NS, and a single A record at the apex:
- </p>
- <pre class="screen">
- example.nil. 86400 IN SOA example.nil. example.nil. (
- 0 28800 7200 604800 86400
- )
- example.nil. 86400 IN NS example.nil.
- example.nil. 86400 IN A 127.0.0.1
- </pre>
- <p>
- When the zone is updated dynamically, the DynDB module will determine
- whether the updated RR is an address (i.e., type A or AAAA) and if
- so, it will automatically update the corresponding PTR record in a
- reverse zone. (Updates are not stored permanently; all updates are
- lost when the server is restarted.)
- </p>
- </div>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="catz-info"></a>Catalog Zones</h2></div></div></div>
-
- <p>
- A "catalog zone" is a special DNS zone that contains a list of
- other zones to be served, along with their configuration parameters.
- Zones listed in a catalog zone are called "member zones".
- When a catalog zone is loaded or transferred to a slave server
- which supports this functionality, the slave server will create
- the member zones automatically. When the catalog zone is updated
- (for example, to add or delete member zones, or change
- their configuration parameters) those changes are immediately put
- into effect. Because the catalog zone is a normal DNS zone, these
- configuration changes can be propagated using the standard AXFR/IXFR
- zone transfer mechanism.
- </p>
- <p>
- Catalog zones' format and behavior are specified as an internet draft
- for interoperability among DNS implementations. As of this release, the
- latest revision of the DNS catalog zones draft can be found here:
- https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.15.4"></a>Principle of Operation</h3></div></div></div>
- <p>
- Normally, if a zone is to be served by a slave server, the
- <code class="filename">named.conf</code> file on the server must list the
- zone, or the zone must be added using <span class="command"><strong>rndc addzone</strong></span>.
- In environments with a large number of slave servers and/or where
- the zones being served are changing frequently, the overhead involved
- in maintaining consistent zone configuration on all the slave
- servers can be significant.
- </p>
- <p>
- A catalog zone is a way to ease this administrative burden. It is a
- DNS zone that lists member zones that should be served by slave servers.
- When a slave server receives an update to the catalog zone, it adds,
- removes, or reconfigures member zones based on the data received.
- </p>
- <p>
- To use a catalog zone, it must first be set up as a normal zone on
- the master and the on slave servers that will be configured to use
- it. It must also be added to a <code class="option">catalog-zones</code> list
- in the <code class="option">options</code> or <code class="option">view</code> statement
- in <code class="filename">named.conf</code>. (This is comparable to the way
- a policy zone is configured as a normal zone and also listed in
- a <code class="option">response-policy</code> statement.)
- </p>
- <p>
- To use the catalog zone feature to serve a new member zone:
- </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Set up the the member zone to be served on the master as normal.
- This could be done by editing <code class="filename">named.conf</code>,
- or by running <span class="command"><strong>rndc addzone</strong></span>.
- </p>
- </li>
-<li class="listitem">
- <p>
- Add an entry to the catalog zone for the new member zone.
- This could be done by editing the catalog zone's master file
- and running <span class="command"><strong>rndc reload</strong></span>, or by updating
- the zone using <span class="command"><strong>nsupdate</strong></span>.
- </p>
- </li>
-</ul></div>
-<p>
- The change to the catalog zone will be propagated from the master to all
- slaves using the normal AXFR/IXFR mechanism. When the slave receives the
- update to the catalog zone, it will detect the entry for the new member
- zone, create an instance of of that zone on the slave server, and point
- that instance to the <code class="option">masters</code> specified in the catalog
- zone data. The newly created member zone is a normal slave zone, so
- BIND will immediately initiate a transfer of zone contents from the
- master. Once complete, the slave will start serving the member zone.
- </p>
- <p>
- Removing a member zone from a slave server requires nothing more than
- deleting the member zone's entry in the catalog zone. The change to the
- catalog cone is propagated to the slave server using the normal AXFR/IXFR
- transfer mechanism. The slave server, on processing the update, will
- notice that the member zone has been removed. It will stop serving the
- zone and remove it from its list of configured zones. (Removing the
- member zone from the master server has to be done in the normal way,
- by editing the configuration file or running
- <span class="command"><strong>rndc delzone</strong></span>.)
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.15.5"></a>Configuring Catalog Zones</h3></div></div></div>
- <p>
- Catalog zones are configured with a <span class="command"><strong>catalog-zones</strong></span>
- statement in the <code class="literal">options</code> or <code class="literal">view</code>
- section of <code class="filename">named.conf</code>. For example,
- </p>
-<pre class="screen">
-catalog-zones {
- zone "catalog.example"
- default-masters { 10.53.0.1; }
- in-memory no
- zone-directory "catzones"
- min-update-interval 10;
-};
-</pre>
- <p>
- This statement specifies that the zone
- <code class="literal">catalog.example</code> is a catalog zone. This zone must be
- properly configured in the same view. In most configurations, it would
- be a slave zone.
- </p>
- <p>
- The options following the zone name are not required, and may be
- specified in any order:
- </p>
- <p>
- The <code class="option">default-masters</code> option defines the default masters
- for member zones listed in a catalog zone. This can be overridden by
- options within a catalog zone. If no such options are included, then
- member zones will transfer their contents from the servers listed in
- this option.
- </p>
- <p>
- The <code class="option">in-memory</code> option, if set to <code class="literal">yes</code>,
- causes member zones to be stored only in memory. This is functionally
- equivalent to configuring a slave zone without a <code class="option">file</code>.
- option. The default is <code class="literal">no</code>; member zones' content
- will be stored locally in a file whose name is automatically generated
- from the view name, catalog zone name, and member zone name.
- </p>
- <p>
- The <code class="option">zone-directory</code> option causes local copies of
- member zones' master files (if <code class="option">in-memory</code> is not set
- to <code class="literal">yes</code>) to be stored in the specified directory.
- The default is to store zone files in the server's working directory.
- A non-absolute pathname in <code class="option">zone-directory</code> is
- assumed to be relative to the working directory.
- </p>
- <p>
- The <code class="option">min-update-interval</code> option sets the minimum
- interval between processing of updates to catalog zones, in seconds.
- If an update to a catalog zone (for example, via IXFR) happens less
- than <code class="option">min-update-interval</code> seconds after the most
- recent update, then the changes will not be carried out until this
- interval has elapsed. The default is <code class="literal">5</code> seconds.
- </p>
- <p>
- Catalog zones are defined on a per-view basis. Configuring a non-empty
- <code class="option">catalog-zones</code> statement in a view will automatically
- turn on <code class="option">allow-new-zones</code> for that view. (Note: this
- means <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>
- will also work in any view that supports catalog zones.)
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.15.6"></a>Catalog Zone format</h3></div></div></div>
- <p>
- A catalog zone is a regular DNS zone; therefore, it has to have a
- single <code class="literal">SOA</code> and at least one <code class="literal">NS</code>
- record.
- </p>
- <p>
- A record stating the version of the catalog zone format is
- also required. If the version number listed is not supported by
- the server, then a catalog zone may not be used by that server.
- </p>
-<pre class="screen">
-catalog.example. IN SOA . . 2016022901 900 600 86400 1
-catalog.example. IN NS nsexample.
-version.catalog.example. IN TXT "1"
-</pre>
- <p>
- Note that this record must have the domain name
- version.<em class="replaceable"><code>catalog-zone-name</code></em>. This illustrates
- how the meaning of data stored in a catalog zone is indicated by the
- the domain name label immediately before the catalog zone domain.
- </p>
- <p>
- Catalog zone options can be set either globally for the whole catalog
- zone or for a single member zone. Global options override the settings
- in the configuration file and member zone options override global
- options.
- </p>
- <p>
- Global options are set at the apex of the catalog zone, e.g.:
-</p>
-<pre class="screen">
- masters.catalog.example. IN AAAA 2001:db8::1
-</pre>
- <p>BIND currently supports the following options:</p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>A simple <code class="option">masters</code> definition:</p>
- <pre class="screen">
- masters.catalog.example. IN A 192.0.2.1
- </pre>
- <p>
- This option defines a master server for the member zones - it
- can be either an A or AAAA record. If multiple masters are set the
- order in which they are used is random.
- </p>
- </li>
-<li class="listitem">
- <p>A <code class="option">masters</code> with a TSIG key defined:</p>
- <pre class="screen">
- label.masters.catalog.example. IN A 192.0.2.2
- label.masters.catalog.example. IN TXT "tsig_key_name"
- </pre>
- <p>
- This option defines a master server for the member zone with a TSIG
- key set. The TSIG key must be configured in the configuration file.
- <code class="option">label</code> can be any valid DNS label.
- </p>
- </li>
-<li class="listitem">
- <p><code class="option">allow-query</code> and
- <code class="option">allow-transfer</code> ACLs:</p>
- <pre class="screen">
- allow-query.catalog.example. IN APL 1:10.0.0.1/24
- allow-transfer.catalog.example. IN APL !1:10.0.0.1/32 1:10.0.0.0/24
- </pre>
- <p>
- These options are the equivalents of <code class="option">allow-query</code>
- and <code class="option">allow-transfer</code> in a zone declaration in the
- <code class="filename">named.conf</code> configuration file. The ACL is
- processed in order - if there's no match to any rule the default
- policy is to deny access. For the syntax of the APL RR see RFC
- 3123
- </p>
- </li>
-</ul></div>
- <p>
- A member zone is added by including a <code class="literal">PTR</code>
- resource record in the <code class="literal">zones</code> sub-domain of the
- catalog zone. The record label is a <code class="literal">SHA-1</code> hash
- of the member zone name in wire format. The target of the PTR
- record is the member zone name. For example, to add the member
- zone <code class="literal">domain.example</code>:
- </p>
-<pre class="screen">
-5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN PTR domain.example.
-</pre>
- <p>
- The hash is necessary to identify options for a specific member
- zone. The member zone-specific options are defined the same way as
- global options, but in the member zone subdomain:
- </p>
-<pre class="screen">
-masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN A 192.0.2.2
-label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN AAAA 2001:db8::2
-label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN TXT "tsig_key"
-allow-query.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN APL 1:10.0.0.0/24
-</pre>
- <p>
- As would be expected, options defined for a specific zone override
- the global options defined in the catalog zone. These in turn override
- the global options defined in the <code class="literal">catalog-zones</code>
- statement in the configuration file.
- </p>
- <p>
- (Note that none of the global records an option will be inherited if
- any records are defined for that option for the specific zone. For
- example, if the zone had a <code class="literal">masters</code> record of type
- A but not AAAA, then it would <span class="emphasis"><em>not</em></span> inherit the
- type AAAA record from the global option.)
- </p>
- </div>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="ipv6"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
- <p>
- <acronym class="acronym">BIND</acronym> 9 fully supports all currently
- defined forms of IPv6 name to address and address to name
- lookups. It will also use IPv6 addresses to make queries when
- running on an IPv6 capable system.
- </p>
-
- <p>
- For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
- only AAAA records. RFC 3363 deprecated the use of A6 records,
- and client-side support for A6 records was accordingly removed
- from <acronym class="acronym">BIND</acronym> 9.
- However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
- load zone files containing A6 records correctly, answer queries
- for A6 records, and accept zone transfer for a zone containing A6
- records.
- </p>
-
- <p>
- For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
- the traditional "nibble" format used in the
- <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
- <span class="emphasis"><em>ip6.int</em></span> domain.
- Older versions of <acronym class="acronym">BIND</acronym> 9
- supported the "binary label" (also known as "bitstring") format,
- but support of binary labels has been completely removed per
- RFC 3363.
- Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
- the binary label format at all any more, and will return an
- error if given.
- In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
- name server will not load a zone file containing binary labels.
- </p>
-
- <p>
- For an overview of the format and structure of IPv6 addresses,
- see <a class="xref" href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called “IPv6 addresses (AAAA)”</a>.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.16.6"></a>Address Lookups Using AAAA Records</h3></div></div></div>
-
- <p>
- The IPv6 AAAA record is a parallel to the IPv4 A record,
- and, unlike the deprecated A6 record, specifies the entire
- IPv6 address in a single record. For example,
- </p>
-
-<pre class="programlisting">
-$ORIGIN example.com.
-host 3600 IN AAAA 2001:db8::1
-</pre>
-
- <p>
- Use of IPv4-in-IPv6 mapped addresses is not recommended.
- If a host has an IPv4 address, use an A record, not
- a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
- the address.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.5.16.7"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
-
- <p>
- When looking up an address in nibble format, the address
- components are simply reversed, just as in IPv4, and
- <code class="literal">ip6.arpa.</code> is appended to the
- resulting name.
- For example, the following would provide reverse name lookup for
- a host with address
- <code class="literal">2001:db8::1</code>.
- </p>
-
-<pre class="programlisting">
-$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
- host.example.com. )
-</pre>
-
- </div>
- </div>
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 3. Name Server Configuration </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 5. The BIND 9 Lightweight Resolver</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
-<link rel="next" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch05"></a>Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc"><dt><span class="section"><a href="Bv9ARM.ch05.html#lightweight_resolver">The Lightweight Resolver Library</a></span></dt></dl>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="lightweight_resolver"></a>The Lightweight Resolver Library</h2></div></div></div>
-
- <p>
- Traditionally applications have been linked with a stub resolver
- library that sends recursive DNS queries to a local caching name
- server.
- </p>
- <p>
- IPv6 once introduced new complexity into the resolution process,
- such as following A6 chains and DNAME records, and simultaneous
- lookup of IPv4 and IPv6 addresses. Though most of the complexity was
- then removed, these are hard or impossible
- to implement in a traditional stub resolver.
- </p>
- <p>
- <acronym class="acronym">BIND</acronym> 9 therefore can also provide resolution
- services to local clients
- using a combination of a lightweight resolver library and a resolver
- daemon process running on the local host. These communicate using
- a simple UDP-based protocol, the "lightweight resolver protocol"
- that is distinct from and simpler than the full DNS protocol.
- </p>
- </div>
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 4. Advanced DNS Features </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 6. BIND 9 Configuration Reference</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
-<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#comment_syntax">Comment Syntax</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
- Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_file">Zone File</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#mx_records">Discussion of MX Records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-
- <p>
- <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
- to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
- areas
- of configuration, such as views. <acronym class="acronym">BIND</acronym>
- 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
- 9, although more complex configurations should be reviewed to check
- if they can be more efficiently implemented using the new features
- found in <acronym class="acronym">BIND</acronym> 9.
- </p>
-
- <p>
- <acronym class="acronym">BIND</acronym> 4 configuration files can be
- converted to the new format
- using the shell script
- <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
-
- <p>
- Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
- file documentation:
- </p>
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.855in" class="1">
-<col width="3.770in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="varname">acl_name</code>
- </p>
- </td>
-<td>
- <p>
- The name of an <code class="varname">address_match_list</code> as
- defined by the <span class="command"><strong>acl</strong></span> statement.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">address_match_list</code>
- </p>
- </td>
-<td>
- <p>
- A list of one or more
- <code class="varname">ip_addr</code>,
- <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
- or <code class="varname">acl_name</code> elements, see
- <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">masters_list</code>
- </p>
- </td>
-<td>
- <p>
- A named list of one or more <code class="varname">ip_addr</code>
- with optional <code class="varname">key_id</code> and/or
- <code class="varname">ip_port</code>.
- A <code class="varname">masters_list</code> may include other
- <code class="varname">masters_lists</code>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">domain_name</code>
- </p>
- </td>
-<td>
- <p>
- A quoted string which will be used as
- a DNS name, for example "<code class="literal">my.test.domain</code>".
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">namelist</code>
- </p>
- </td>
-<td>
- <p>
- A list of one or more <code class="varname">domain_name</code>
- elements.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">dotted_decimal</code>
- </p>
- </td>
-<td>
- <p>
- One to four integers valued 0 through
- 255 separated by dots (`.'), such as <span class="command"><strong>123</strong></span>,
- <span class="command"><strong>45.67</strong></span> or <span class="command"><strong>89.123.45.67</strong></span>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip4_addr</code>
- </p>
- </td>
-<td>
- <p>
- An IPv4 address with exactly four elements
- in <code class="varname">dotted_decimal</code> notation.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip6_addr</code>
- </p>
- </td>
-<td>
- <p>
- An IPv6 address, such as <span class="command"><strong>2001:db8::1234</strong></span>.
- IPv6 scoped addresses that have ambiguity on their
- scope zones must be disambiguated by an appropriate
- zone ID with the percent character (`%') as
- delimiter. It is strongly recommended to use
- string zone names rather than numeric identifiers,
- in order to be robust against system configuration
- changes. However, since there is no standard
- mapping for such names and identifier values,
- currently only interface names as link identifiers
- are supported, assuming one-to-one mapping between
- interfaces and links. For example, a link-local
- address <span class="command"><strong>fe80::1</strong></span> on the link
- attached to the interface <span class="command"><strong>ne0</strong></span>
- can be specified as <span class="command"><strong>fe80::1%ne0</strong></span>.
- Note that on most systems link-local addresses
- always have the ambiguity, and need to be
- disambiguated.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip_addr</code>
- </p>
- </td>
-<td>
- <p>
- An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip_dscp</code>
- </p>
- </td>
-<td>
- <p>
- A <code class="varname">number</code> between 0 and 63, used
- to select a differentiated services code point (DSCP)
- value for use with outgoing traffic on operating systems
- that support DSCP.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip_port</code>
- </p>
- </td>
-<td>
- <p>
- An IP port <code class="varname">number</code>.
- The <code class="varname">number</code> is limited to 0
- through 65535, with values
- below 1024 typically restricted to use by processes running
- as root.
- In some cases, an asterisk (`*') character can be used as a
- placeholder to
- select a random high-numbered port.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip_prefix</code>
- </p>
- </td>
-<td>
- <p>
- An IP network specified as an <code class="varname">ip_addr</code>,
- followed by a slash (`/') and then the number of bits in the
- netmask.
- Trailing zeros in a <code class="varname">ip_addr</code>
- may omitted.
- For example, <span class="command"><strong>127/8</strong></span> is the
- network <span class="command"><strong>127.0.0.0</strong></span> with
- netmask <span class="command"><strong>255.0.0.0</strong></span> and <span class="command"><strong>1.2.3.0/28</strong></span> is
- network <span class="command"><strong>1.2.3.0</strong></span> with netmask <span class="command"><strong>255.255.255.240</strong></span>.
- </p>
- <p>
- When specifying a prefix involving a IPv6 scoped address
- the scope may be omitted. In that case the prefix will
- match packets from any scope.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">key_id</code>
- </p>
- </td>
-<td>
- <p>
- A <code class="varname">domain_name</code> representing
- the name of a shared key, to be used for transaction
- security.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">key_list</code>
- </p>
- </td>
-<td>
- <p>
- A list of one or more
- <code class="varname">key_id</code>s,
- separated by semicolons and ending with a semicolon.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">number</code>
- </p>
- </td>
-<td>
- <p>
- A non-negative 32-bit integer
- (i.e., a number between 0 and 4294967295, inclusive).
- Its acceptable value might further
- be limited by the context in which it is used.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">path_name</code>
- </p>
- </td>
-<td>
- <p>
- A quoted string which will be used as
- a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">port_list</code>
- </p>
- </td>
-<td>
- <p>
- A list of an <code class="varname">ip_port</code> or a port
- range.
- A port range is specified in the form of
- <strong class="userinput"><code>range</code></strong> followed by
- two <code class="varname">ip_port</code>s,
- <code class="varname">port_low</code> and
- <code class="varname">port_high</code>, which represents
- port numbers from <code class="varname">port_low</code> through
- <code class="varname">port_high</code>, inclusive.
- <code class="varname">port_low</code> must not be larger than
- <code class="varname">port_high</code>.
- For example,
- <strong class="userinput"><code>range 1024 65535</code></strong> represents
- ports from 1024 through 65535.
- In either case an asterisk (`*') character is not
- allowed as a valid <code class="varname">ip_port</code>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">size_spec</code>
- </p>
- </td>
-<td>
- <p>
- A 64-bit unsigned integer, or the keywords
- <strong class="userinput"><code>unlimited</code></strong> or
- <strong class="userinput"><code>default</code></strong>.
- </p>
- <p>
- Integers may take values
- 0 <= value <= 18446744073709551615, though
- certain parameters
- (such as <span class="command"><strong>max-journal-size</strong></span>) may
- use a more limited range within these extremes.
- In most cases, setting a value to 0 does not
- literally mean zero; it means "undefined" or
- "as big as possible", depending on the context.
- See the explanations of particular parameters
- that use <code class="varname">size_spec</code>
- for details on how they interpret its use.
- </p>
- <p>
- Numeric values can optionally be followed by a
- scaling factor:
- <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
- for kilobytes,
- <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
- for megabytes, and
- <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
- for gigabytes, which scale by 1024, 1024*1024, and
- 1024*1024*1024 respectively.
- </p>
- <p>
- <code class="varname">unlimited</code> generally means
- "as big as possible", and is usually the best
- way to safely set a very large number.
- </p>
- <p>
- <code class="varname">default</code>
- uses the limit that was in force when the server was started.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">size_or_percent</code>
- </p>
- </td>
-<td>
- <p>
- <code class="varname">size_spec</code> or integer value
- followed by '%' to represent percents.
- </p>
- <p>
- The behavior is exactly the same as
- <code class="varname">size_spec</code>, but
- <code class="varname">size_or_percent</code> allows also
- to specify a positive integer value followed by
- '%' sign to represent percents.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">yes_or_no</code>
- </p>
- </td>
-<td>
- <p>
- Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
- The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
- also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
- and <strong class="userinput"><code>0</code></strong>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">dialup_option</code>
- </p>
- </td>
-<td>
- <p>
- One of <strong class="userinput"><code>yes</code></strong>,
- <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
- <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
- <strong class="userinput"><code>passive</code></strong>.
- When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
- <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
- are restricted to slave and stub zones.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.7.4.4.2"></a>Syntax</h4></div></div></div>
-
-<pre class="programlisting"><em class="replaceable"><code>address_match_list</code></em> = <em class="replaceable"><code>address_match_list_element</code></em> <span class="command"><strong>;</strong></span> ...
-
-<em class="replaceable"><code>address_match_list_element</code></em> = [ <span class="command"><strong>!</strong></span> ] ( <em class="replaceable"><code>ip_address</code></em> | <em class="replaceable"><code>ip_prefix</code></em> |
- <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_id</code></em> | <em class="replaceable"><code>acl_name</code></em> | <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> )
-</pre>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.7.4.4.3"></a>Definition and Usage</h4></div></div></div>
-
- <p>
- Address match lists are primarily used to determine access
- control for various server operations. They are also used in
- the <span class="command"><strong>listen-on</strong></span> and <span class="command"><strong>sortlist</strong></span>
- statements. The elements which constitute an address match
- list can be any of the following:
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- an IP address (IPv4 or IPv6)
- </li>
-<li class="listitem">
- an IP prefix (in `/' notation)
- </li>
-<li class="listitem">
-
- a key ID, as defined by the <span class="command"><strong>key</strong></span>
- statement
-
- </li>
-<li class="listitem">
- the name of an address match list defined with
- the <span class="command"><strong>acl</strong></span> statement
-
- </li>
-<li class="listitem">
- a nested address match list enclosed in braces
- </li>
-</ul></div>
-
- <p>
- Elements can be negated with a leading exclamation mark (`!'),
- and the match list names "any", "none", "localhost", and
- "localnets" are predefined. More information on those names
- can be found in the description of the acl statement.
- </p>
-
- <p>
- The addition of the key clause made the name of this syntactic
- element something of a misnomer, since security keys can be used
- to validate access without regard to a host or network address.
- Nonetheless, the term "address match list" is still used
- throughout the documentation.
- </p>
-
- <p>
- When a given IP address or prefix is compared to an address
- match list, the comparison takes place in approximately O(1)
- time. However, key comparisons require that the list of keys
- be traversed until a matching key is found, and therefore may
- be somewhat slower.
- </p>
-
- <p>
- The interpretation of a match depends on whether the list is being
- used for access control, defining <span class="command"><strong>listen-on</strong></span> ports, or in a
- <span class="command"><strong>sortlist</strong></span>, and whether the element was negated.
- </p>
-
- <p>
- When used as an access control list, a non-negated match
- allows access and a negated match denies access. If
- there is no match, access is denied. The clauses
- <span class="command"><strong>allow-notify</strong></span>,
- <span class="command"><strong>allow-recursion</strong></span>,
- <span class="command"><strong>allow-recursion-on</strong></span>,
- <span class="command"><strong>allow-query</strong></span>,
- <span class="command"><strong>allow-query-on</strong></span>,
- <span class="command"><strong>allow-query-cache</strong></span>,
- <span class="command"><strong>allow-query-cache-on</strong></span>,
- <span class="command"><strong>allow-transfer</strong></span>,
- <span class="command"><strong>allow-update</strong></span>,
- <span class="command"><strong>allow-update-forwarding</strong></span>,
- <span class="command"><strong>blackhole</strong></span>, and
- <span class="command"><strong>keep-response-order</strong></span> all use address match
- lists. Similarly, the <span class="command"><strong>listen-on</strong></span> option will cause the
- server to refuse queries on any of the machine's
- addresses which do not match the list.
- </p>
-
- <p>
- Order of insertion is significant. If more than one element
- in an ACL is found to match a given IP address or prefix,
- preference will be given to the one that came
- <span class="emphasis"><em>first</em></span> in the ACL definition.
- Because of this first-match behavior, an element that
- defines a subset of another element in the list should
- come before the broader element, regardless of whether
- either is negated. For example, in
- <span class="command"><strong>1.2.3/24; ! 1.2.3.13;</strong></span>
- the 1.2.3.13 element is completely useless because the
- algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
- element. Using <span class="command"><strong>! 1.2.3.13; 1.2.3/24</strong></span> fixes
- that problem by having 1.2.3.13 blocked by the negation, but
- all other 1.2.3.* hosts fall through.
- </p>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="comment_syntax"></a>Comment Syntax</h3></div></div></div>
-
- <p>
- The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
- comments to appear
- anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
- file. To appeal to programmers of all kinds, they can be written
- in the C, C++, or shell/perl style.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.7.4.5.3"></a>Syntax</h4></div></div></div>
-
- <p>
- </p>
-<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
-<p>
- </p>
-<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
-<p>
- </p>
-<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
-# and perl</pre>
-<p>
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.7.4.5.4"></a>Definition and Usage</h4></div></div></div>
-
- <p>
- Comments may appear anywhere that whitespace may appear in
- a <acronym class="acronym">BIND</acronym> configuration file.
- </p>
- <p>
- C-style comments start with the two characters /* (slash,
- star) and end with */ (star, slash). Because they are completely
- delimited with these characters, they can be used to comment only
- a portion of a line or to span multiple lines.
- </p>
- <p>
- C-style comments cannot be nested. For example, the following
- is not valid because the entire comment ends with the first */:
- </p>
- <p>
-
-</p>
-<pre class="programlisting">/* This is the start of a comment.
- This is still part of the comment.
-/* This is an incorrect attempt at nesting a comment. */
- This is no longer in any comment. */
-</pre>
-<p>
-
- </p>
-
- <p>
- C++-style comments start with the two characters // (slash,
- slash) and continue to the end of the physical line. They cannot
- be continued across multiple physical lines; to have one logical
- comment span multiple lines, each line must use the // pair.
- For example:
- </p>
- <p>
-
-</p>
-<pre class="programlisting">// This is the start of a comment. The next line
-// is a new comment, even though it is logically
-// part of the previous comment.
-</pre>
-<p>
-
- </p>
- <p>
- Shell-style (or perl-style, if you prefer) comments start
- with the character <code class="literal">#</code> (number sign)
- and continue to the end of the
- physical line, as in C++ comments.
- For example:
- </p>
-
- <p>
-
-</p>
-<pre class="programlisting"># This is the start of a comment. The next line
-# is a new comment, even though it is logically
-# part of the previous comment.
-</pre>
-<p>
-
- </p>
-
- <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
- <p>
- You cannot use the semicolon (`;') character
- to start a comment such as you would in a zone file. The
- semicolon indicates the end of a configuration
- statement.
- </p>
- </div>
- </div>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
-
- <p>
- A <acronym class="acronym">BIND</acronym> 9 configuration consists of
- statements and comments.
- Statements end with a semicolon. Statements and comments are the
- only elements that can appear without enclosing braces. Many
- statements contain a block of sub-statements, which are also
- terminated with a semicolon.
- </p>
-
- <p>
- The following statements are supported:
- </p>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.336in" class="1">
-<col width="3.778in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span class="command"><strong>acl</strong></span></p>
- </td>
-<td>
- <p>
- defines a named IP address
- matching list, for access control and other uses.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>controls</strong></span></p>
- </td>
-<td>
- <p>
- declares control channels to be used
- by the <span class="command"><strong>rndc</strong></span> utility.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>include</strong></span></p>
- </td>
-<td>
- <p>
- includes a file.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>key</strong></span></p>
- </td>
-<td>
- <p>
- specifies key information for use in
- authentication and authorization using TSIG.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>logging</strong></span></p>
- </td>
-<td>
- <p>
- specifies what the server logs, and where
- the log messages are sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>masters</strong></span></p>
- </td>
-<td>
- <p>
- defines a named masters list for
- inclusion in stub and slave zones'
- <span class="command"><strong>masters</strong></span> or
- <span class="command"><strong>also-notify</strong></span> lists.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>options</strong></span></p>
- </td>
-<td>
- <p>
- controls global server configuration
- options and sets defaults for other statements.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>server</strong></span></p>
- </td>
-<td>
- <p>
- sets certain configuration options on
- a per-server basis.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>statistics-channels</strong></span></p>
- </td>
-<td>
- <p>
- declares communication channels to get access to
- <span class="command"><strong>named</strong></span> statistics.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>trusted-keys</strong></span></p>
- </td>
-<td>
- <p>
- defines trusted DNSSEC keys.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>managed-keys</strong></span></p>
- </td>
-<td>
- <p>
- lists DNSSEC keys to be kept up to date
- using RFC 5011 trust anchor maintenance.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>view</strong></span></p>
- </td>
-<td>
- <p>
- defines a view.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>zone</strong></span></p>
- </td>
-<td>
- <p>
- defines a zone.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
-
- <p>
- The <span class="command"><strong>logging</strong></span> and
- <span class="command"><strong>options</strong></span> statements may only occur once
- per
- configuration.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="acl_grammar"></a><span class="command"><strong>acl</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>acl</strong></span> <em class="replaceable"><code>acl-name</code></em> <span class="command"><strong>{</strong></span>
- <em class="replaceable"><code>address_match_list</code></em>
-<span class="command"><strong>};</strong></span>
-</pre>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="acl"></a><span class="command"><strong>acl</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>acl</strong></span> statement assigns a symbolic
- name to an address match list. It gets its name from a primary
- use of address match lists: Access Control Lists (ACLs).
- </p>
-
- <p>
- The following ACLs are built-in:
- </p>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.130in" class="1">
-<col width="4.000in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span class="command"><strong>any</strong></span></p>
- </td>
-<td>
- <p>
- Matches all hosts.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>none</strong></span></p>
- </td>
-<td>
- <p>
- Matches no hosts.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>localhost</strong></span></p>
- </td>
-<td>
- <p>
- Matches the IPv4 and IPv6 addresses of all network
- interfaces on the system. When addresses are
- added or removed, the <span class="command"><strong>localhost</strong></span>
- ACL element is updated to reflect the changes.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>localnets</strong></span></p>
- </td>
-<td>
- <p>
- Matches any host on an IPv4 or IPv6 network
- for which the system has an interface.
- When addresses are added or removed,
- the <span class="command"><strong>localnets</strong></span>
- ACL element is updated to reflect the changes.
- Some systems do not provide a way to determine the prefix
- lengths of
- local IPv6 addresses.
- In such a case, <span class="command"><strong>localnets</strong></span>
- only matches the local
- IPv6 addresses, just like <span class="command"><strong>localhost</strong></span>.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="controls_grammar"></a><span class="command"><strong>controls</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>controls {</strong></span>
- [ <span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ip_addr</code></em> | <span class="command"><strong>*</strong></span> ) [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] <span class="command"><strong>allow {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span>
- [ <span class="command"><strong>keys {</strong></span> <em class="replaceable"><code>key_list</code></em> <span class="command"><strong>}</strong></span> ]
- [ <span class="command"><strong>read-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ] <span class="command"><strong>;</strong></span> ]
- [ <span class="command"><strong>unix</strong></span> <em class="replaceable"><code>path</code></em> <span class="command"><strong>perm</strong></span> <em class="replaceable"><code>number</code></em> <span class="command"><strong>owner</strong></span> <em class="replaceable"><code>number</code></em> <span class="command"><strong>group</strong></span> <em class="replaceable"><code>number</code></em>
- [ <span class="command"><strong>keys {</strong></span> <em class="replaceable"><code>key_list</code></em> <span class="command"><strong>}</strong></span> ]
- [ <span class="command"><strong>read-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ] <span class="command"><strong>;</strong></span> ]
- [ ...; ]
-<span class="command"><strong>};</strong></span>
-</pre>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="controls_statement_definition_and_usage"></a><span class="command"><strong>controls</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>controls</strong></span> statement declares control
- channels to be used by system administrators to control the
- operation of the name server. These control channels are
- used by the <span class="command"><strong>rndc</strong></span> utility to send
- commands to and retrieve non-DNS results from a name server.
- </p>
-
- <p>
- An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
- listening at the specified <span class="command"><strong>ip_port</strong></span> on the
- specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
- interpreted as the IPv4 wildcard address; connections will be
- accepted on any of the system's IPv4 addresses.
- To listen on the IPv6 wildcard address,
- use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
- If you will only use <span class="command"><strong>rndc</strong></span> on the local host,
- using the loopback address (<code class="literal">127.0.0.1</code>
- or <code class="literal">::1</code>) is recommended for maximum security.
- </p>
-
- <p>
- If no port is specified, port 953 is used. The asterisk
- "<code class="literal">*</code>" cannot be used for <span class="command"><strong>ip_port</strong></span>.
- </p>
-
- <p>
- The ability to issue commands over the control channel is
- restricted by the <span class="command"><strong>allow</strong></span> and
- <span class="command"><strong>keys</strong></span> clauses.
- Connections to the control channel are permitted based on the
- <span class="command"><strong>address_match_list</strong></span>. This is for simple
- IP address based filtering only; any <span class="command"><strong>key_id</strong></span>
- elements of the <span class="command"><strong>address_match_list</strong></span>
- are ignored.
- </p>
-
- <p>
- A <span class="command"><strong>unix</strong></span> control channel is a UNIX domain
- socket listening at the specified path in the file system.
- Access to the socket is specified by the <span class="command"><strong>perm</strong></span>,
- <span class="command"><strong>owner</strong></span> and <span class="command"><strong>group</strong></span> clauses.
- Note on some platforms (SunOS and Solaris) the permissions
- (<span class="command"><strong>perm</strong></span>) are applied to the parent directory
- as the permissions on the socket itself are ignored.
- </p>
-
- <p>
- The primary authorization mechanism of the command
- channel is the <span class="command"><strong>key_list</strong></span>, which
- contains a list of <span class="command"><strong>key_id</strong></span>s.
- Each <span class="command"><strong>key_id</strong></span> in the <span class="command"><strong>key_list</strong></span>
- is authorized to execute commands over the control channel.
- See <a class="xref" href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a class="xref" href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>)
- for information about configuring keys in <span class="command"><strong>rndc</strong></span>.
- </p>
-
- <p>
- If the <span class="command"><strong>read-only</strong></span> clause is enabled, the
- control channel is limited to the following set of read-only
- commands: <span class="command"><strong>nta -dump</strong></span>,
- <span class="command"><strong>null</strong></span>, <span class="command"><strong>status</strong></span>,
- <span class="command"><strong>showzone</strong></span>, <span class="command"><strong>testgen</strong></span>, and
- <span class="command"><strong>zonestatus</strong></span>. By default,
- <span class="command"><strong>read-only</strong></span> is not enabled and the control
- channel allows read-write access.
- </p>
-
- <p>
- If no <span class="command"><strong>controls</strong></span> statement is present,
- <span class="command"><strong>named</strong></span> will set up a default
- control channel listening on the loopback address 127.0.0.1
- and its IPv6 counterpart ::1.
- In this case, and also when the <span class="command"><strong>controls</strong></span> statement
- is present but does not have a <span class="command"><strong>keys</strong></span> clause,
- <span class="command"><strong>named</strong></span> will attempt to load the command channel key
- from the file <code class="filename">rndc.key</code> in
- <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
- was specified as when <acronym class="acronym">BIND</acronym> was built).
- To create a <code class="filename">rndc.key</code> file, run
- <strong class="userinput"><code>rndc-confgen -a</code></strong>.
- </p>
-
- <p>
- The <code class="filename">rndc.key</code> feature was created to
- ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
- which did not have digital signatures on its command channel
- messages and thus did not have a <span class="command"><strong>keys</strong></span> clause.
-
- It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
- configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
- and still have <span class="command"><strong>rndc</strong></span> work the same way
- <span class="command"><strong>ndc</strong></span> worked in BIND 8, simply by executing the
- command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
- installed.
- </p>
-
- <p>
- Since the <code class="filename">rndc.key</code> feature
- is only intended to allow the backward-compatible usage of
- <acronym class="acronym">BIND</acronym> 8 configuration files, this
- feature does not
- have a high degree of configurability. You cannot easily change
- the key name or the size of the secret, so you should make a
- <code class="filename">rndc.conf</code> with your own key if you
- wish to change
- those things. The <code class="filename">rndc.key</code> file
- also has its
- permissions set such that only the owner of the file (the user that
- <span class="command"><strong>named</strong></span> is running as) can access it.
- If you
- desire greater flexibility in allowing other users to access
- <span class="command"><strong>rndc</strong></span> commands, then you need to create
- a
- <code class="filename">rndc.conf</code> file and make it group
- readable by a group
- that contains the users who should have access.
- </p>
-
- <p>
- To disable the command channel, use an empty
- <span class="command"><strong>controls</strong></span> statement:
- <span class="command"><strong>controls { };</strong></span>.
- </p>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="include_grammar"></a><span class="command"><strong>include</strong></span> Statement Grammar</h3></div></div></div>
-
- <pre class="programlisting"><span class="command"><strong>include</strong></span> <em class="replaceable"><code>filename</code></em><span class="command"><strong>;</strong></span></pre>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="include_statement"></a><span class="command"><strong>include</strong></span> Statement Definition and Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>include</strong></span> statement inserts the
- specified file at the point where the <span class="command"><strong>include</strong></span>
- statement is encountered. The <span class="command"><strong>include</strong></span>
- statement facilitates the administration of configuration
- files
- by permitting the reading or writing of some things but not
- others. For example, the statement could include private keys
- that are readable only by the name server.
- </p>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="key_grammar"></a><span class="command"><strong>key</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_id</code></em> <span class="command"><strong>{</strong></span>
- <span class="command"><strong>algorithm</strong></span> <em class="replaceable"><code>algorithm_id</code></em><span class="command"><strong>;</strong></span>
- <span class="command"><strong>secret</strong></span> <em class="replaceable"><code>secret_string</code></em><span class="command"><strong>;</strong></span>
-<span class="command"><strong>};</strong></span>
-</pre>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="key_statement"></a><span class="command"><strong>key</strong></span> Statement Definition and Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>key</strong></span> statement defines a shared
- secret key for use with TSIG (see <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
- or the command channel
- (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and
- Usage”</a>).
- </p>
-
- <p>
- The <span class="command"><strong>key</strong></span> statement can occur at the
- top level
- of the configuration file or inside a <span class="command"><strong>view</strong></span>
- statement. Keys defined in top-level <span class="command"><strong>key</strong></span>
- statements can be used in all views. Keys intended for use in
- a <span class="command"><strong>controls</strong></span> statement
- (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and
- Usage”</a>)
- must be defined at the top level.
- </p>
-
- <p>
- The <em class="replaceable"><code>key_id</code></em>, also known as the
- key name, is a domain name uniquely identifying the key. It can
- be used in a <span class="command"><strong>server</strong></span>
- statement to cause requests sent to that
- server to be signed with this key, or in address match lists to
- verify that incoming requests have been signed with a key
- matching this name, algorithm, and secret.
- </p>
-
- <p>
- The <em class="replaceable"><code>algorithm_id</code></em> is a string
- that specifies a security/authentication algorithm. The
- <span class="command"><strong>named</strong></span> server supports <code class="literal">hmac-md5</code>,
- <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
- <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
- and <code class="literal">hmac-sha512</code> TSIG authentication.
- Truncated hashes are supported by appending the minimum
- number of required bits preceded by a dash, e.g.
- <code class="literal">hmac-sha1-80</code>. The
- <em class="replaceable"><code>secret_string</code></em> is the secret
- to be used by the algorithm, and is treated as a base-64
- encoded string.
- </p>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="logging_grammar"></a><span class="command"><strong>logging</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>logging {</strong></span>
- [ <span class="command"><strong>channel</strong></span> <em class="replaceable"><code>channel_name</code></em> <span class="command"><strong>{</strong></span>
- ( ( <span class="command"><strong>file</strong></span> <em class="replaceable"><code>path_name</code></em>
- [ <span class="command"><strong>versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <code class="option">unlimited</code> ) ]
- [ <span class="command"><strong>size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
- [ <span class="command"><strong>suffix</strong></span> ( <code class="option">increment</code> | <code class="option">timestamp</code> ) )
- | <span class="command"><strong>syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
- | <span class="command"><strong>stderr</strong></span>
- | <span class="command"><strong>null</strong></span> ) <span class="command"><strong>;</strong></span>
- [ <span class="command"><strong>severity</strong></span> ( <code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
- <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ) <span class="command"><strong>;</strong></span> ]
- [ <span class="command"><strong>print-category</strong></span> <em class="replaceable"><code>yes_or_no</code></em> <span class="command"><strong>;</strong></span> ]
- [ <span class="command"><strong>print-severity</strong></span> <em class="replaceable"><code>yes_or_no</code></em> <span class="command"><strong>;</strong></span> ]
- [ <span class="command"><strong>print-time</strong></span> ( <code class="option">yes</code> | <code class="option">no</code> | <code class="option">local</code> | <code class="option">iso8601</code> | <code class="option">iso8601-utc</code> ) ;
- [ <span class="command"><strong>buffered</strong></span> <em class="replaceable"><code>yes_or_no</code></em> <span class="command"><strong>;</strong></span> ]
- <span class="command"><strong>};</strong></span> ]
- [ <span class="command"><strong>category</strong></span> <em class="replaceable"><code>category_name</code></em> <span class="command"><strong>{</strong></span>
- <em class="replaceable"><code>channel_name</code></em> <span class="command"><strong>;</strong></span> ...
- <span class="command"><strong>};</strong></span> ]
- ...
-<span class="command"><strong>};</strong></span>
-</pre>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="logging_statement"></a><span class="command"><strong>logging</strong></span> Statement Definition and Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>logging</strong></span> statement configures a
- wide
- variety of logging options for the name server. Its <span class="command"><strong>channel</strong></span> phrase
- associates output methods, format options and severity levels with
- a name that can then be used with the <span class="command"><strong>category</strong></span> phrase
- to select how various classes of messages are logged.
- </p>
- <p>
- Only one <span class="command"><strong>logging</strong></span> statement is used to
- define
- as many channels and categories as are wanted. If there is no <span class="command"><strong>logging</strong></span> statement,
- the logging configuration will be:
- </p>
-
-<pre class="programlisting">logging {
- category default { default_syslog; default_debug; };
- category unmatched { null; };
-};
-</pre>
-
- <p>
- If <span class="command"><strong>named</strong></span> is started with the
- <code class="option">-L</code> option, it logs to the specified file
- at startup, instead of using syslog. In this case the logging
- configuration will be:
- </p>
-
-<pre class="programlisting">logging {
- category default { default_logfile; default_debug; };
- category unmatched { null; };
-};
-</pre>
-
- <p>
- In <acronym class="acronym">BIND</acronym> 9, the logging configuration
- is only established when
- the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
- established as soon as the <span class="command"><strong>logging</strong></span>
- statement
- was parsed. When the server is starting up, all logging messages
- regarding syntax errors in the configuration file go to the default
- channels, or to standard error if the <code class="option">-g</code> option
- was specified.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="channel"></a>The <span class="command"><strong>channel</strong></span> Phrase</h4></div></div></div>
-
- <p>
- All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
- you can make as many of them as you want.
- </p>
-
- <p>
- Every channel definition must include a destination clause that
- says whether messages selected for the channel go to a file, to a
- particular syslog facility, to the standard error stream, or are
- discarded. It can optionally also limit the message severity level
- that will be accepted by the channel (the default is
- <span class="command"><strong>info</strong></span>), and whether to include a
- <span class="command"><strong>named</strong></span>-generated time stamp, the
- category name
- and/or severity level (the default is not to include any).
- </p>
-
- <p>
- The <span class="command"><strong>null</strong></span> destination clause
- causes all messages sent to the channel to be discarded;
- in that case, other options for the channel are meaningless.
- </p>
-
- <p>
- The <span class="command"><strong>file</strong></span> destination clause directs
- the channel to a disk file. It can include additional
- arguments to specify how large the file is allowed to
- become before it is rolled to a backup file
- (<span class="command"><strong>size</strong></span>), how many backup versions of
- the file will be saved each time this happens
- (<span class="command"><strong>versions</strong></span>), and the format to use
- for naming backup versions (<span class="command"><strong>suffix</strong></span>).
- </p>
-
- <p>
- The <span class="command"><strong>size</strong></span> option is used to limit
- log file growth. If the file ever exceeds the specified
- size, then <span class="command"><strong>named</strong></span> will stop writing to the
- file unless it has a <span class="command"><strong>versions</strong></span> option
- associated with it. If backup versions are kept, the files
- are rolled as described below. If there is no
- <span class="command"><strong>versions</strong></span> option, no more data will
- be written to the log until some out-of-band mechanism
- removes or truncates the log to less than the maximum size.
- The default behavior is not to limit the size of the file.
- </p>
- <p>
- File rolling only occurs when the file exceeds the size
- specified with the <span class="command"><strong>size</strong></span> option. No
- backup versions are kept by default; any existing
- log file is simply appended. The
- <span class="command"><strong>versions</strong></span> option specifies
- how many backup versions of the file should be kept.
- If set to <code class="literal">unlimited</code>, there is no limit.
- </p>
- <p>
- The <span class="command"><strong>suffix</strong></span> option can be set to
- either <code class="literal">increment</code> or
- <code class="literal">timestamp</code>. If set to
- <code class="literal">timestamp</code>, then when a log file is
- rolled, it is saved with the current timestamp as a
- file suffix. If set to <code class="literal">increment</code>,
- then backup files are saved with incrementing numbers
- as suffixes; older files are renamed when rolling.
- For example, if <span class="command"><strong>versions</strong></span>
- is set to 3 and <span class="command"><strong>suffix</strong></span> to
- <code class="literal">increment</code>, then when
- <code class="filename">filename.log</code> reaches the size
- specified by <span class="command"><strong>size</strong></span>,
- <code class="filename">filename.log.1</code> is renamed to
- <code class="filename">filename.log.2</code>,
- <code class="filename">filename.log.0</code> is renamed
- to <code class="filename">filename.log.1</code>,
- and <code class="filename">filename.log</code> is
- renamed to <code class="filename">filename.log.0</code>,
- whereupon a new <code class="filename">filename.log</code> is
- opened.
- </p>
-
- <p>
- Example usage of the <span class="command"><strong>size</strong></span>,
- <span class="command"><strong>versions</strong></span>, and <span class="command"><strong>suffix</strong></span>
- options:
- </p>
-
-<pre class="programlisting">channel an_example_channel {
- file "example.log" versions 3 size 20m suffix increment;
- print-time yes;
- print-category yes;
-};
-</pre>
-
- <p>
- The <span class="command"><strong>syslog</strong></span> destination clause
- directs the
- channel to the system log. Its argument is a
- syslog facility as described in the <span class="command"><strong>syslog</strong></span> man
- page. Known facilities are <span class="command"><strong>kern</strong></span>, <span class="command"><strong>user</strong></span>,
- <span class="command"><strong>mail</strong></span>, <span class="command"><strong>daemon</strong></span>, <span class="command"><strong>auth</strong></span>,
- <span class="command"><strong>syslog</strong></span>, <span class="command"><strong>lpr</strong></span>, <span class="command"><strong>news</strong></span>,
- <span class="command"><strong>uucp</strong></span>, <span class="command"><strong>cron</strong></span>, <span class="command"><strong>authpriv</strong></span>,
- <span class="command"><strong>ftp</strong></span>, <span class="command"><strong>local0</strong></span>, <span class="command"><strong>local1</strong></span>,
- <span class="command"><strong>local2</strong></span>, <span class="command"><strong>local3</strong></span>, <span class="command"><strong>local4</strong></span>,
- <span class="command"><strong>local5</strong></span>, <span class="command"><strong>local6</strong></span> and
- <span class="command"><strong>local7</strong></span>, however not all facilities
- are supported on
- all operating systems.
- How <span class="command"><strong>syslog</strong></span> will handle messages
- sent to
- this facility is described in the <span class="command"><strong>syslog.conf</strong></span> man
- page. If you have a system which uses a very old version of <span class="command"><strong>syslog</strong></span> that
- only uses two arguments to the <span class="command"><strong>openlog()</strong></span> function,
- then this clause is silently ignored.
- </p>
- <p>
- On Windows machines syslog messages are directed to the EventViewer.
- </p>
- <p>
- The <span class="command"><strong>severity</strong></span> clause works like <span class="command"><strong>syslog</strong></span>'s
- "priorities", except that they can also be used if you are writing
- straight to a file rather than using <span class="command"><strong>syslog</strong></span>.
- Messages which are not at least of the severity level given will
- not be selected for the channel; messages of higher severity
- levels
- will be accepted.
- </p>
- <p>
- If you are using <span class="command"><strong>syslog</strong></span>, then the <span class="command"><strong>syslog.conf</strong></span> priorities
- will also determine what eventually passes through. For example,
- defining a channel facility and severity as <span class="command"><strong>daemon</strong></span> and <span class="command"><strong>debug</strong></span> but
- only logging <span class="command"><strong>daemon.warning</strong></span> via <span class="command"><strong>syslog.conf</strong></span> will
- cause messages of severity <span class="command"><strong>info</strong></span> and
- <span class="command"><strong>notice</strong></span> to
- be dropped. If the situation were reversed, with <span class="command"><strong>named</strong></span> writing
- messages of only <span class="command"><strong>warning</strong></span> or higher,
- then <span class="command"><strong>syslogd</strong></span> would
- print all messages it received from the channel.
- </p>
-
- <p>
- The <span class="command"><strong>stderr</strong></span> destination clause
- directs the
- channel to the server's standard error stream. This is intended
- for
- use when the server is running as a foreground process, for
- example
- when debugging a configuration.
- </p>
-
- <p>
- The server can supply extensive debugging information when
- it is in debugging mode. If the server's global debug level is
- greater
- than zero, then debugging mode will be active. The global debug
- level is set either by starting the <span class="command"><strong>named</strong></span> server
- with the <code class="option">-d</code> flag followed by a positive integer,
- or by running <span class="command"><strong>rndc trace</strong></span>.
- The global debug level
- can be set to zero, and debugging mode turned off, by running <span class="command"><strong>rndc
-notrace</strong></span>. All debugging messages in the server have a debug
- level, and higher debug levels give more detailed output. Channels
- that specify a specific debug severity, for example:
- </p>
-
-<pre class="programlisting">channel specific_debug_level {
- file "foo";
- severity debug 3;
-};
-</pre>
-
- <p>
- will get debugging output of level 3 or less any time the
- server is in debugging mode, regardless of the global debugging
- level. Channels with <span class="command"><strong>dynamic</strong></span>
- severity use the
- server's global debug level to determine what messages to print.
- </p>
- <p>
- <span class="command"><strong>print-time</strong></span> can be set to
- <strong class="userinput"><code>yes</code></strong>, <strong class="userinput"><code>no</code></strong>,
- or a time format specifier, which may be one of
- <code class="option">local</code>, <code class="option">iso8601</code> or
- <code class="option">iso8601-utc</code>. If set to
- <strong class="userinput"><code>no</code></strong>, then the date and time will
- not be logged. If set to <strong class="userinput"><code>yes</code></strong>
- or <code class="option">local</code>, the date and time are logged
- in a human readable format, using the local time zone.
- If set to <code class="option">iso8601</code> the local time is
- logged in ISO8601 format. If set to
- <code class="option">iso8601-utc</code>, then the date and time
- are logged in ISO8601 format, with time zone set to
- UTC. The default is <code class="option">local</code>.
- </p>
- <p>
- <span class="command"><strong>print-time</strong></span> may
- be specified for a <span class="command"><strong>syslog</strong></span> channel,
- but it is usually
- pointless since <span class="command"><strong>syslog</strong></span> also logs
- the date and time.
- </p>
- <p>
- If <span class="command"><strong>print-category</strong></span> is
- requested, then the
- category of the message will be logged as well. Finally, if <span class="command"><strong>print-severity</strong></span> is
- on, then the severity level of the message will be logged. The <span class="command"><strong>print-</strong></span> options may
- be used in any combination, and will always be printed in the
- following
- order: time, category, severity. Here is an example where all
- three <span class="command"><strong>print-</strong></span> options
- are on:
- </p>
-
- <p>
- <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
- </p>
-
- <p>
- If <span class="command"><strong>buffered</strong></span> has been turned on the output
- to files will not be flushed after each log entry. By default
- all log messages are flushed.
- </p>
-
- <p>
- There are four predefined channels that are used for
- <span class="command"><strong>named</strong></span>'s default logging as follows.
- If <span class="command"><strong>named</strong></span> is started with the
- <code class="option">-L</code> then a
- fifth channel <span class="command"><strong>default_logfile</strong></span> is added.
- How they are
- used is described in <a class="xref" href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span class="command"><strong>category</strong></span> Phrase”</a>.
- </p>
-
-<pre class="programlisting">channel default_syslog {
- // send to syslog's daemon facility
- syslog daemon;
- // only send priority info and higher
- severity info;
-
-channel default_debug {
- // write to named.run in the working directory
- // Note: stderr is used instead of "named.run" if
- // the server is started with the '-g' option.
- file "named.run";
- // log at the server's current debug level
- severity dynamic;
-};
-
-channel default_stderr {
- // writes to stderr
- stderr;
- // only send priority info and higher
- severity info;
-};
-
-channel null {
- // toss anything sent to this channel
- null;
-};
-
-channel default_logfile {
- // this channel is only present if named is
- // started with the -L option, whose argument
- // provides the file name
- file "...";
- // log at the server's current debug level
- severity dynamic;
-};
-</pre>
-
- <p>
- The <span class="command"><strong>default_debug</strong></span> channel has the
- special
- property that it only produces output when the server's debug
- level is
- nonzero. It normally writes to a file called <code class="filename">named.run</code>
- in the server's working directory.
- </p>
-
- <p>
- For security reasons, when the <code class="option">-u</code>
- command line option is used, the <code class="filename">named.run</code> file
- is created only after <span class="command"><strong>named</strong></span> has
- changed to the
- new UID, and any debug output generated while <span class="command"><strong>named</strong></span> is
- starting up and still running as root is discarded. If you need
- to capture this output, you must run the server with the <code class="option">-L</code>
- option to specify a default logfile, or the <code class="option">-g</code>
- option to log to standard error which you can redirect to a file.
- </p>
-
- <p>
- Once a channel is defined, it cannot be redefined. Thus you
- cannot alter the built-in channels directly, but you can modify
- the default logging by pointing categories at channels you have
- defined.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_category_phrase"></a>The <span class="command"><strong>category</strong></span> Phrase</h4></div></div></div>
-
- <p>
- There are many categories, so you can send the logs you want
- to see wherever you want, without seeing logs you don't want. If
- you don't specify a list of channels for a category, then log
- messages
- in that category will be sent to the <span class="command"><strong>default</strong></span> category
- instead. If you don't specify a default category, the following
- "default default" is used:
- </p>
-
-<pre class="programlisting">category default { default_syslog; default_debug; };
-</pre>
-
- <p>
- If you start <span class="command"><strong>named</strong></span> with the
- <code class="option">-L</code> option then the default category is:
- </p>
-
-<pre class="programlisting">category default { default_logfile; default_debug; };
-</pre>
-
- <p>
- As an example, let's say you want to log security events to
- a file, but you also want keep the default logging behavior. You'd
- specify the following:
- </p>
-
-<pre class="programlisting">channel my_security_channel {
- file "my_security_file";
- severity info;
-};
-category security {
- my_security_channel;
- default_syslog;
- default_debug;
-};</pre>
-
- <p>
- To discard all messages in a category, specify the <span class="command"><strong>null</strong></span> channel:
- </p>
-
-<pre class="programlisting">category xfer-out { null; };
-category notify { null; };
-</pre>
-
- <p>
- Following are the available categories and brief descriptions
- of the types of log information they contain. More
- categories may be added in future <acronym class="acronym">BIND</acronym> releases.
- </p>
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="3.350in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span class="command"><strong>client</strong></span></p>
- </td>
-<td>
- <p>
- Processing of client requests.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>cname</strong></span></p>
- </td>
-<td>
- <p>
- Logs nameservers that are skipped due to them being
- a CNAME rather than A / AAAA records.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>config</strong></span></p>
- </td>
-<td>
- <p>
- Configuration file parsing and processing.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>database</strong></span></p>
- </td>
-<td>
- <p>
- Messages relating to the databases used
- internally by the name server to store zone and cache
- data.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>default</strong></span></p>
- </td>
-<td>
- <p>
- The default category defines the logging
- options for those categories where no specific
- configuration has been
- defined.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>delegation-only</strong></span></p>
- </td>
-<td>
- <p>
- Delegation only. Logs queries that have been
- forced to NXDOMAIN as the result of a
- delegation-only zone or a
- <span class="command"><strong>delegation-only</strong></span> in a
- forward, hint or stub zone declaration.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>dispatch</strong></span></p>
- </td>
-<td>
- <p>
- Dispatching of incoming packets to the
- server modules where they are to be processed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>dnssec</strong></span></p>
- </td>
-<td>
- <p>
- DNSSEC and TSIG protocol processing.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>dnstap</strong></span></p>
- </td>
-<td>
- <p>
- The "dnstap" DNS traffic capture system.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>edns-disabled</strong></span></p>
- </td>
-<td>
- <p>
- Log queries that have been forced to use plain
- DNS due to timeouts. This is often due to
- the remote servers not being RFC 1034 compliant
- (not always returning FORMERR or similar to
- EDNS queries and other extensions to the DNS
- when they are not understood). In other words, this is
- targeted at servers that fail to respond to
- DNS queries that they don't understand.
- </p>
- <p>
- Note: the log message can also be due to
- packet loss. Before reporting servers for
- non-RFC 1034 compliance they should be re-tested
- to determine the nature of the non-compliance.
- This testing should prevent or reduce the
- number of false-positive reports.
- </p>
- <p>
- Note: eventually <span class="command"><strong>named</strong></span> will have to stop
- treating such timeouts as due to RFC 1034 non
- compliance and start treating it as plain
- packet loss. Falsely classifying packet
- loss as due to RFC 1034 non compliance impacts
- on DNSSEC validation which requires EDNS for
- the DNSSEC records to be returned.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>general</strong></span></p>
- </td>
-<td>
- <p>
- The catch-all. Many things still aren't
- classified into categories, and they all end up here.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>lame-servers</strong></span></p>
- </td>
-<td>
- <p>
- Lame servers. These are misconfigurations
- in remote servers, discovered by BIND 9 when trying to
- query those servers during resolution.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>network</strong></span></p>
- </td>
-<td>
- <p>
- Network operations.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>notify</strong></span></p>
- </td>
-<td>
- <p>
- The NOTIFY protocol.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>queries</strong></span></p>
- </td>
-<td>
- <p>
- Specify where queries should be logged to.
- </p>
- <p>
- At startup, specifying the category <span class="command"><strong>queries</strong></span> will also
- enable query logging unless <span class="command"><strong>querylog</strong></span> option has been
- specified.
- </p>
-
- <p>
- The query log entry first reports a client object
- identifier in @0x<hexadecimal-number>
- format. Next, it reports the client's IP
- address and port number, and the query name,
- class and type. Next, it reports whether the
- Recursion Desired flag was set (+ if set, -
- if not set), whether the query was signed (S),
- whether EDNS was in use along with the EDNS version
- number (E(#)), whether TCP was used (T), whether
- DO (DNSSEC Ok) was set (D), whether CD (Checking
- Disabled) was set (C), whether a valid DNS Server
- COOKIE was received (V), and whether a DNS
- COOKIE option without a valid Server COOKIE was
- present (K). After this the destination
- address the query was sent to is reported.
- Finally, if any CLIENT-SUBNET option
- was present in the client query, it is
- included in square brackets in the format
- [ECS <em class="replaceable"><code>address/source/scope</code></em>].
- </p>
-
- <p>
- <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
- </p>
- <p>
- <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
- </p>
- <p>
- (The first part of this log message, showing the
- client address/port number and query name, is
- repeated in all subsequent log messages related
- to the same query.)
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>query-errors</strong></span></p>
- </td>
-<td>
- <p>
- Information about queries that resulted in some
- failure.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>rate-limit</strong></span></p>
- </td>
-<td>
- <p>
- The start, periodic, and final notices of the
- rate limiting of a stream of responses are logged at
- <span class="command"><strong>info</strong></span> severity in this category.
- These messages include a hash value of the domain name
- of the response and the name itself,
- except when there is insufficient memory to record
- the name for the final notice
- The final notice is normally delayed until about one
- minute after rate limit stops.
- A lack of memory can hurry the final notice,
- in which case it starts with an asterisk (*).
- Various internal events are logged at debug 1 level
- and higher.
- </p>
- <p>
- Rate limiting of individual requests
- is logged in the <span class="command"><strong>query-errors</strong></span> category.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>resolver</strong></span></p>
- </td>
-<td>
- <p>
- DNS resolution, such as the recursive
- lookups performed on behalf of clients by a caching name
- server.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>rpz</strong></span></p>
- </td>
-<td>
- <p>
- Information about errors in response policy zone files,
- rewritten responses, and at the highest
- <span class="command"><strong>debug</strong></span> levels, mere rewriting
- attempts.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>security</strong></span></p>
- </td>
-<td>
- <p>
- Approval and denial of requests.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>spill</strong></span></p>
- </td>
-<td>
- <p>
- Logs queries that have been terminated, either by dropping
- or responding with SERVFAIL, as a result of a fetchlimit
- quota being exceeded.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>unmatched</strong></span></p>
- </td>
-<td>
- <p>
- Messages that <span class="command"><strong>named</strong></span> was unable to determine the
- class of or for which there was no matching <span class="command"><strong>view</strong></span>.
- A one line summary is also logged to the <span class="command"><strong>client</strong></span> category.
- This category is best sent to a file or stderr, by
- default it is sent to
- the <span class="command"><strong>null</strong></span> channel.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>update</strong></span></p>
- </td>
-<td>
- <p>
- Dynamic updates.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>update-security</strong></span></p>
- </td>
-<td>
- <p>
- Approval and denial of update requests.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>xfer-in</strong></span></p>
- </td>
-<td>
- <p>
- Zone transfers the server is receiving.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>xfer-out</strong></span></p>
- </td>
-<td>
- <p>
- Zone transfers the server is sending.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
-</div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="query_errors"></a>The <span class="command"><strong>query-errors</strong></span> Category</h4></div></div></div>
- <p>
- The <span class="command"><strong>query-errors</strong></span> category is
- specifically intended for debugging purposes: To identify
- why and how specific queries result in responses which
- indicate an error.
- Messages of this category are therefore only logged
- with <span class="command"><strong>debug</strong></span> levels.
- </p>
-
- <p>
- At the debug levels of 1 or higher, each response with the
- rcode of SERVFAIL is logged as follows:
- </p>
- <p>
- <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
- </p>
- <p>
- This means an error resulting in SERVFAIL was
- detected at line 3880 of source file
- <code class="filename">query.c</code>.
- Log messages of this level will particularly
- help identify the cause of SERVFAIL for an
- authoritative server.
- </p>
- <p>
- At the debug levels of 2 or higher, detailed context
- information of recursive resolutions that resulted in
- SERVFAIL is logged.
- The log message will look like as follows:
- </p>
- <p>
-
- </p>
-<pre class="programlisting">
-fetch completed at resolver.c:2970 for www.example.com/A
-in 30.000183: timed out/success [domain:example.com,
-referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
-badresp:1,adberr:0,findfail:0,valfail:0]
- </pre>
-<p>
- </p>
- <p>
- The first part before the colon shows that a recursive
- resolution for AAAA records of www.example.com completed
- in 30.000183 seconds and the final result that led to the
- SERVFAIL was determined at line 2970 of source file
- <code class="filename">resolver.c</code>.
- </p>
- <p>
- The following part shows the detected final result and the
- latest result of DNSSEC validation.
- The latter is always success when no validation attempt
- is made.
- In this example, this query resulted in SERVFAIL probably
- because all name servers are down or unreachable, leading
- to a timeout in 30 seconds.
- DNSSEC validation was probably not attempted.
- </p>
- <p>
- The last part enclosed in square brackets shows statistics
- information collected for this particular resolution
- attempt.
- The <code class="varname">domain</code> field shows the deepest zone
- that the resolver reached;
- it is the zone where the error was finally detected.
- The meaning of the other fields is summarized in the
- following table.
- </p>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="3.350in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><code class="varname">referral</code></p>
- </td>
-<td>
- <p>
- The number of referrals the resolver received
- throughout the resolution process.
- In the above example this is 2, which are most
- likely com and example.com.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><code class="varname">restart</code></p>
- </td>
-<td>
- <p>
- The number of cycles that the resolver tried
- remote servers at the <code class="varname">domain</code>
- zone.
- In each cycle the resolver sends one query
- (possibly resending it, depending on the response)
- to each known name server of
- the <code class="varname">domain</code> zone.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><code class="varname">qrysent</code></p>
- </td>
-<td>
- <p>
- The number of queries the resolver sent at the
- <code class="varname">domain</code> zone.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><code class="varname">timeout</code></p>
- </td>
-<td>
- <p>
- The number of timeouts since the resolver
- received the last response.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><code class="varname">lame</code></p>
- </td>
-<td>
- <p>
- The number of lame servers the resolver detected
- at the <code class="varname">domain</code> zone.
- A server is detected to be lame either by an
- invalid response or as a result of lookup in
- BIND9's address database (ADB), where lame
- servers are cached.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><code class="varname">neterr</code></p>
- </td>
-<td>
- <p>
- The number of erroneous results that the
- resolver encountered in sending queries
- at the <code class="varname">domain</code> zone.
- One common case is the remote server is
- unreachable and the resolver receives an ICMP
- unreachable error message.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><code class="varname">badresp</code></p>
- </td>
-<td>
- <p>
- The number of unexpected responses (other than
- <code class="varname">lame</code>) to queries sent by the
- resolver at the <code class="varname">domain</code> zone.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><code class="varname">adberr</code></p>
- </td>
-<td>
- <p>
- Failures in finding remote server addresses
- of the <code class="varname">domain</code> zone in the ADB.
- One common case of this is that the remote
- server's name does not have any address records.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><code class="varname">findfail</code></p>
- </td>
-<td>
- <p>
- Failures of resolving remote server addresses.
- This is a total number of failures throughout
- the resolution process.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><code class="varname">valfail</code></p>
- </td>
-<td>
- <p>
- Failures of DNSSEC validation.
- Validation failures are counted throughout
- the resolution process (not limited to
- the <code class="varname">domain</code> zone), but should
- only happen in <code class="varname">domain</code>.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <p>
- At the debug levels of 3 or higher, the same messages
- as those at the debug 1 level are logged for other errors
- than SERVFAIL.
- Note that negative responses such as NXDOMAIN are not
- regarded as errors here.
- </p>
- <p>
- At the debug levels of 4 or higher, the same messages
- as those at the debug 2 level are logged for other errors
- than SERVFAIL.
- Unlike the above case of level 3, messages are logged for
- negative responses.
- This is because any unexpected results can be difficult to
- debug in the recursion case.
- </p>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="masters_grammar"></a><span class="command"><strong>masters</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting">
-<span class="command"><strong>masters</strong></span> <em class="replaceable"><code>name</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
- ( <em class="replaceable"><code>masters_list</code></em> <span class="command"><strong>;</strong></span> ) |
- ( <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key</code></em> ] <span class="command"><strong>;</strong></span> )
- ...
-<span class="command"><strong>};</strong></span>
-</pre>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="masters_statement"></a><span class="command"><strong>masters</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-
- <p><span class="command"><strong>masters</strong></span>
- lists allow for a common set of masters to be easily used by
- multiple stub and slave zones in their <span class="command"><strong>masters</strong></span>
- or <span class="command"><strong>also-notify</strong></span> lists.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="options_grammar"></a><span class="command"><strong>options</strong></span> Statement Grammar</h3></div></div></div>
-
- <p>
- This is the grammar of the <span class="command"><strong>options</strong></span>
- statement in the <code class="filename">named.conf</code> file:
- </p>
-
-<pre class="programlisting"><span class="command"><strong>options {</strong></span>
- [ <span class="command"><strong>attach-cache</strong></span> <em class="replaceable"><code>cache_name</code></em> ; ]
- [ <span class="command"><strong>version</strong></span> <em class="replaceable"><code>version_string</code></em> ; ]
- [ <span class="command"><strong>hostname</strong></span> <em class="replaceable"><code>hostname_string</code></em> ; ]
- [ <span class="command"><strong>server-id</strong></span> <em class="replaceable"><code>server_id_string</code></em> ; ]
- [ <span class="command"><strong>directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>dnstap {</strong></span> <em class="replaceable"><code>message_type</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>dnstap-output</strong></span> ( <code class="option">file</code> | <code class="option">unix</code> ) <em class="replaceable"><code>path_name</code></em> [ <span class="command"><strong>size</strong></span> <em class="replaceable"><code>size_spec</code></em> ] [ <span class="command"><strong>versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <code class="option">unlimited</code> ) ] ; ]
- [ <span class="command"><strong>dnstap-identity</strong></span> ( <em class="replaceable"><code>string</code></em> | <code class="option">hostname</code> | <code class="option">none</code> ) ; ]
- [ <span class="command"><strong>dnstap-version</strong></span> ( <em class="replaceable"><code>string</code></em> | <code class="option">none</code> ) ; ]
- [ <span class="command"><strong>fstrm-set-buffer-hint</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>fstrm-set-flush-timeout</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>fstrm-set-input-queue-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>fstrm-set-output-notify-threshold</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>fstrm-set-output-queue-model</strong></span> ( <code class="option">mpsc</code> | <code class="option">spsc</code> ) ; ]
- [ <span class="command"><strong>fstrm-set-output-queue-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>geoip-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>managed-keys-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>new-zones-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>named-xfer</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>tkey-gssapi-keytab</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>tkey-gssapi-credential</strong></span> <em class="replaceable"><code>principal</code></em> ; ]
- [ <span class="command"><strong>tkey-domain</strong></span> <em class="replaceable"><code>domain_name</code></em> ; ]
- [ <span class="command"><strong>tkey-dhkey</strong></span> <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em> ; ]
- [ <span class="command"><strong>cache-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>dump-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>bindkeys-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>lock-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>secroots-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>session-keyfile</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>session-keyname</strong></span> <em class="replaceable"><code>key_name</code></em> ; ]
- [ <span class="command"><strong>session-keyalg</strong></span> <em class="replaceable"><code>algorithm_id</code></em> ; ]
- [ <span class="command"><strong>memstatistics</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>memstatistics-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>pid-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>recursing-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>statistics-file</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>zone-statistics</strong></span> ( <code class="option">full</code> | <code class="option">terse</code> | <code class="option">none</code> ) ; ]
- [ <span class="command"><strong>auth-nxdomain</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>nxdomain-redirect</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>deallocate-on-exit</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>dialup</strong></span> <em class="replaceable"><code>dialup_option</code></em> ; ]
- [ <span class="command"><strong>fake-iquery</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>fetch-glue</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>flush-zones-on-shutdown</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>has-old-clients</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>host-statistics</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>host-statistics-max</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>glue-cache</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>minimal-any</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>minimal-responses</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">no-auth</code> | <code class="option">no-auth-recursive</code> ) ; ]
- [ <span class="command"><strong>multiple-cnames</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>notify</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">explicit</code> | <code class="option">master-only</code> ) ; ]
- [ <span class="command"><strong>recursion</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>send-cookie</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>require-server-cookie</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>cookie-algorithm</strong></span> <em class="replaceable"><code>algorithm_id</code></em> ; ]
- [ <span class="command"><strong>cookie-secret</strong></span> <em class="replaceable"><code>secret_string</code></em> ; ]
- [ <span class="command"><strong>nocookie-udp-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>request-nsid</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>rfc2308-type1</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>use-id-pool</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>maintain-ixfr-base</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>ixfr-from-differences</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">master</code> | <code class="option">slave</code> ) ; ]
- [ <span class="command"><strong>auto-dnssec</strong></span> ( <code class="option">allow</code> | <code class="option">maintain</code> | <code class="option">off</code> ) ; ]
- [ <span class="command"><strong>dnssec-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>dnssec-validation</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">auto</code> ) ; ]
- [ <span class="command"><strong>dnssec-lookaside</strong></span> ( <code class="option">auto</code> | <code class="option">no</code> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ) ; ]
- [ <span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>domain yes_or_no</code></em> ; ]
- [ <span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>forward</strong></span> ( <code class="option">only</code> | <code class="option">first</code> ) ; ]
- [ <span class="command"><strong>forwarders {</strong></span>
- ( <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; )
- ...
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>dual-stack-servers</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
- ( ( <em class="replaceable"><code>domain_name</code></em> | <em class="replaceable"><code>ip_addr</code></em> ) [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; )
- ...
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>check-names</strong></span> ( <code class="option">master</code> | <code class="option">slave</code> | <code class="option">response</code> )
- ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
- [ <span class="command"><strong>check-dup-records</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
- [ <span class="command"><strong>check-mx</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
- [ <span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>check-mx-cname</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
- [ <span class="command"><strong>check-srv-cname</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
- [ <span class="command"><strong>check-sibling</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>check-spf</strong></span> ( <code class="option">warn</code> | <code class="option">ignore</code> ) ; ]
- [ <span class="command"><strong>allow-new-zones</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>allow-notify {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-query {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-query-on {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-query-cache {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-query-cache-on {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-transfer {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-recursion {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-recursion-on {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-update {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ]
- [ <span class="command"><strong>allow-update-forwarding {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>automatic-interface-scan</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>geoip-use-ecs</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>dnssec-update-mode</strong></span> ( <code class="option">maintain</code> | <code class="option">no-resign</code> ) ; ]
- [ <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>allow-v6-synthesis {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>blackhole {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>keep-response-order {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>no-case-compress {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>message-compression</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>use-v4-udp-ports {</strong></span> <em class="replaceable"><code>port_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>avoid-v4-udp-ports {</strong></span> <em class="replaceable"><code>port_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>use-v6-udp-ports {</strong></span> <em class="replaceable"><code>port_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>avoid-v6-udp-ports {</strong></span> <em class="replaceable"><code>port_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>listen-on</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>listen-on-v6</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>query-source</strong></span> ( [ <span class="command"><strong>address</strong></span> ] ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="option">*</code> ) )
- [ <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>ip_port</code></em> | <code class="option">*</code> ) ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ] ;
- [ <span class="command"><strong>query-source-v6</strong></span> ( [ <span class="command"><strong>address</strong></span> ] ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="option">*</code> ) )
- [ <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>ip_port</code></em> | <code class="option">*</code> ) ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ] ;
- [ <span class="command"><strong>use-queryport-pool</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>queryport-pool-ports</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>queryport-pool-updateinterval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>reserved-sockets</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>recursive-clients</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>tcp-clients</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>clients-per-query</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-clients-per-query</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>fetches-per-server</strong></span> <em class="replaceable"><code>number</code></em> [ ( <code class="option">drop</code> | <code class="option">fail</code> ) ] ; ]
- [ <span class="command"><strong>fetches-per-zone</strong></span> <em class="replaceable"><code>number</code></em> [ ( <code class="option">drop</code> | <code class="option">fail</code> ) ] ; ]
- [ <span class="command"><strong>fetch-quota-params</strong></span> <em class="replaceable"><code>number fixedpoint fixedpoint fixedpoint</code></em> ; ]
- [ <span class="command"><strong>notify-rate</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>startup-notify-rate</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>serial-query-rate</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>serial-queries</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>tcp-listen-queue</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>tcp-initial-timeout</strong></span> <em class="replaceable"><code>number</code></em>; ]
- [ <span class="command"><strong>tcp-idle-timeout</strong></span> <em class="replaceable"><code>number</code></em>; ]
- [ <span class="command"><strong>tcp-keepalive-timeout</strong></span> <em class="replaceable"><code>number</code></em>; ]
- [ <span class="command"><strong>tcp-advertised-timeout</strong></span> <em class="replaceable"><code>number</code></em>; ]
- [ <span class="command"><strong>transfer-format</strong></span> ( <code class="option">one-answer</code> | <code class="option">many-answers</code> ) ; ]
- [ <span class="command"><strong>transfer-message-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>transfers-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>transfers-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>transfers-per-ns</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="option">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="option">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="option">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="option">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>seconds</code></em> ; ]
- [ <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="option">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="option">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>also-notify</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em>] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em>] <span class="command"><strong>{</strong></span>
- ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
- ...
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>max-ixfr-log-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-journal-size</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
- [ <span class="command"><strong>coresize</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
- [ <span class="command"><strong>datasize</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
- [ <span class="command"><strong>files</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
- [ <span class="command"><strong>stacksize</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
- [ <span class="command"><strong>cleaning-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>heartbeat-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>statistics-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>topology {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>sortlist {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>rrset-order {</strong></span> <em class="replaceable"><code>order_spec</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>lame-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-stale-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-zone-ttl</strong></span> ( <code class="option">unlimited</code> | <em class="replaceable"><code>number</code></em> ) ; ]
- [ <span class="command"><strong>stale-answer-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>stale-answer-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>serial-update-method</strong></span> ( <code class="option">increment</code> | <code class="option">unixtime</code> | <code class="option">date</code> ) ; ]
- [ <span class="command"><strong>servfail-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>number</code></em> [<em class="replaceable"><code>number</code></em>] ; ]
- [ <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>min-roots</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>use-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>treat-cr-as-space</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>nta-lifetime</strong></span> <em class="replaceable"><code>duration</code></em> ; ]
- [ <span class="command"><strong>nta-recheck</strong></span> <em class="replaceable"><code>duration</code></em> ; ]
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ; ]
- [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ; ]
- [ <span class="command"><strong>random-device</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>max-cache-size</strong></span> <em class="replaceable"><code>size_or_percent</code></em> ; ]
- [ <span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>filter-aaaa-on-v4</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">break-dnssec</code> ) ; ]
- [ <span class="command"><strong>filter-aaaa-on-v6</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">break-dnssec</code> ) ; ]
- [ <span class="command"><strong>filter-aaaa {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>dns64</strong></span> <em class="replaceable"><code>ipv6-prefix</code></em> <span class="command"><strong>{</strong></span>
- [ <span class="command"><strong>clients {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>mapped {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>exclude {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>suffix</strong></span> <em class="replaceable"><code>ip6-address</code></em> ; ]
- [ <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>dns64-server</strong></span> <em class="replaceable"><code>name</code></em> ]
- [ <span class="command"><strong>dns64-contact</strong></span> <em class="replaceable"><code>name</code></em> ]
- [ <span class="command"><strong>preferred-glue</strong></span> ( <code class="option">A</code> | <code class="option">AAAA</code> | <code class="option">none</code> ); ]
- [ <span class="command"><strong>edns-udp-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_list</code></em> } block-size <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-rsa-exponent-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>root-delegation-only</strong></span> [ <span class="command"><strong>exclude {</strong></span> <em class="replaceable"><code>namelist</code></em> <span class="command"><strong>}</strong></span> ] ; ]
- [ <span class="command"><strong>querylog</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>disable-algorithms</strong></span> <em class="replaceable"><code>domain</code></em> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>algorithm</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>disable-ds-digests</strong></span> <em class="replaceable"><code>domain</code></em> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>digest_type</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
- [ <span class="command"><strong>masterfile-style</strong></span> ( <code class="option">relative</code> | <code class="option">full</code> ) ; ]
- [ <span class="command"><strong>empty-server</strong></span> <em class="replaceable"><code>name</code></em> ; ]
- [ <span class="command"><strong>empty-contact</strong></span> <em class="replaceable"><code>name</code></em> ; ]
- [ <span class="command"><strong>empty-zones-enable</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>disable-empty-zone</strong></span> <em class="replaceable"><code>zone_name</code></em> ; ]
- [ <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>zero-no-soa-ttl-cache</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>resolver-query-timeout</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>deny-answer-addresses {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span>
- [ <span class="command"><strong>except-from {</strong></span> <em class="replaceable"><code>namelist</code></em> <span class="command"><strong>}</strong></span> ] ; ]
- [ <span class="command"><strong>deny-answer-aliases {</strong></span> <em class="replaceable"><code>namelist</code></em> <span class="command"><strong>}</strong></span>
- [ <span class="command"><strong>except-from {</strong></span> <em class="replaceable"><code>namelist</code></em> <span class="command"><strong>}</strong></span> ] ; ]
- [ <span class="command"><strong>prefetch</strong></span> <em class="replaceable"><code>number</code></em> [ <em class="replaceable"><code>number</code></em> ] ; ]
- [ <span class="command"><strong>rate-limit {</strong></span>
- [ <span class="command"><strong>responses-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>referrals-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>nodata-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>nxdomains-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>errors-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>all-per-second</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>window</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>log-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>qps-scale</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>ipv4-prefix-length</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>ipv6-prefix-length</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>slip</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>exempt-clients {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>max-table-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>min-table-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>response-policy {</strong></span>
- <span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em>
- [ <span class="command"><strong>policy</strong></span> ( given | disabled | passthru | drop |
- tcp-only | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> ) ]
- [ <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
- [ <span class="command"><strong>log</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
- [ <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>number</code></em> ]
- [ <span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>number</code></em> ] ;
- ...
- <span class="command"><strong>}</strong></span> [ <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
- [ <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>number</code></em> ]
- [ <span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>number</code></em> ]
- [ <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
- [ <span class="command"><strong>min-ns-dots</strong></span> <em class="replaceable"><code>number</code></em> ]
- [ <span class="command"><strong>nsip-wait-recurse</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
- [ <span class="command"><strong>qname-wait-recurse</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ] ; ]
- [ <span class="command"><strong>catalog-zones {</strong></span>
- <span class="command"><strong>zone</strong></span> <em class="replaceable"><code>quoted_string</code></em>
- [ <code class="option">default-masters</code> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
- ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em>] [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em>] ) ;
- ...
- <span class="command"><strong>}</strong></span> ]
- [ <span class="command"><strong>zone-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ]
- [ <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ]
- [ <span class="command"><strong>min-update-interval</strong></span> <em class="replaceable"><code>interval</code></em> ] ;
- ...
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>v6-bias</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-<span class="command"><strong>}</strong></span> ; ]
-</pre>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="options"></a><span class="command"><strong>options</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>options</strong></span> statement sets up global
- options
- to be used by <acronym class="acronym">BIND</acronym>. This statement
- may appear only
- once in a configuration file. If there is no <span class="command"><strong>options</strong></span>
- statement, an options block with each option set to its default will
- be used.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>attach-cache</strong></span></span></dt>
-<dd>
- <p>
- Allows multiple views to share a single cache
- database.
- Each view has its own cache database by default, but
- if multiple views have the same operational policy
- for name resolution and caching, those views can
- share a single cache to save memory and possibly
- improve resolution efficiency by using this option.
- </p>
-
- <p>
- The <span class="command"><strong>attach-cache</strong></span> option
- may also be specified in <span class="command"><strong>view</strong></span>
- statements, in which case it overrides the
- global <span class="command"><strong>attach-cache</strong></span> option.
- </p>
-
- <p>
- The <em class="replaceable"><code>cache_name</code></em> specifies
- the cache to be shared.
- When the <span class="command"><strong>named</strong></span> server configures
- views which are supposed to share a cache, it
- creates a cache with the specified name for the
- first view of these sharing views.
- The rest of the views will simply refer to the
- already created cache.
- </p>
-
- <p>
- One common configuration to share a cache would be to
- allow all views to share a single cache.
- This can be done by specifying
- the <span class="command"><strong>attach-cache</strong></span> as a global
- option with an arbitrary name.
- </p>
-
- <p>
- Another possible operation is to allow a subset of
- all views to share a cache while the others to
- retain their own caches.
- For example, if there are three views A, B, and C,
- and only A and B should share a cache, specify the
- <span class="command"><strong>attach-cache</strong></span> option as a view A (or
- B)'s option, referring to the other view name:
- </p>
-
-<pre class="programlisting">
- view "A" {
- // this view has its own cache
- ...
- };
- view "B" {
- // this view refers to A's cache
- attach-cache "A";
- };
- view "C" {
- // this view has its own cache
- ...
- };
-</pre>
-
- <p>
- Views that share a cache must have the same policy
- on configurable parameters that may affect caching.
- The current implementation requires the following
- configurable options be consistent among these
- views:
- <span class="command"><strong>check-names</strong></span>,
- <span class="command"><strong>cleaning-interval</strong></span>,
- <span class="command"><strong>dnssec-accept-expired</strong></span>,
- <span class="command"><strong>dnssec-validation</strong></span>,
- <span class="command"><strong>max-cache-ttl</strong></span>,
- <span class="command"><strong>max-ncache-ttl</strong></span>,
- <span class="command"><strong>max-stale-ttl</strong></span>,
- <span class="command"><strong>max-cache-size</strong></span>, and
- <span class="command"><strong>zero-no-soa-ttl</strong></span>.
- </p>
-
- <p>
- Note that there may be other parameters that may
- cause confusion if they are inconsistent for
- different views that share a single cache.
- For example, if these views define different sets of
- forwarders that can return different answers for the
- same question, sharing the answer does not make
- sense or could even be harmful.
- It is administrator's responsibility to ensure
- configuration differences in different views do
- not cause disruption with a shared cache.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
-<dd>
- <p>
- The working directory of the server.
- Any non-absolute pathnames in the configuration file will be
- taken
- as relative to this directory. The default location for most
- server
- output files (e.g. <code class="filename">named.run</code>)
- is this directory.
- If a directory is not specified, the working directory
- defaults to `<code class="filename">.</code>', the directory from
- which the server
- was started. The directory specified should be an absolute
- path.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnstap</strong></span></span></dt>
-<dd>
- <p>
- <span class="command"><strong>dnstap</strong></span> is a fast, flexible method
- for capturing and logging DNS traffic. Developed by
- Robert Edmonds at Farsight Security, Inc., and supported
- by multiple DNS implementations, <span class="command"><strong>dnstap</strong></span>
- uses
- <span class="command"><strong>libfstrm</strong></span> (a lightweight high-speed
- framing library, see
- <a class="link" href="https://github.com/farsightsec/fstrm" target="_top">https://github.com/farsightsec/fstrm</a>) to send
- event payloads which are encoded using Protocol Buffers
- (<span class="command"><strong>libprotobuf-c</strong></span>, a mechanism for
- serializing structured data developed
- by Google, Inc.; see
- <a class="link" href="https://developers.google.com/protocol-buffers/" target="_top">https://developers.google.com/protocol-buffers</a>).
- </p>
- <p>
- To enable <span class="command"><strong>dnstap</strong></span> at compile time,
- the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
- libraries must be available, and BIND must be configured with
- <code class="option">--enable-dnstap</code>.
- </p>
- <p>
- The <span class="command"><strong>dnstap</strong></span> option is a bracketed list
- of message types to be logged. These may be set differently
- for each view. Supported types are <code class="literal">client</code>,
- <code class="literal">auth</code>, <code class="literal">resolver</code>, and
- <code class="literal">forwarder</code>. Specifying type
- <code class="literal">all</code> will cause all <span class="command"><strong>dnstap</strong></span>
- messages to be logged, regardless of type.
- </p>
- <p>
- Each type may take an additional argument to indicate whether
- to log <code class="literal">query</code> messages or
- <code class="literal">response</code> messages; if not specified,
- both queries and responses are logged.
- </p>
- <p>
- Example: To log all authoritative queries and responses,
- recursive client responses, and upstream queries sent by
- the resolver, use:
-</p>
-<pre class="programlisting">dnstap {
- auth;
- client response;
- resolver query;
-};
-</pre>
-<p>
- </p>
- <p>
- Logged <span class="command"><strong>dnstap</strong></span> messages can be parsed
- using the <span class="command"><strong>dnstap-read</strong></span> utility (see
- <a class="xref" href="man.dnstap-read.html" title="dnstap-read"><span class="refentrytitle"><span class="application">dnstap-read</span></span>(1)</a> for details).
- </p>
- <p>
- For more information on <span class="command"><strong>dnstap</strong></span>, see
- <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
- </p>
- <p>
- The fstrm library has a number of tunables that are exposed
- in <code class="filename">named.conf</code>, and can be modified
- if necessary to improve performance or prevent loss of data.
- These are:
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-
- <span class="command"><strong>fstrm-set-buffer-hint</strong></span>: The
- threshold number of bytes to accumulate in the output
- buffer before forcing a buffer flush. The minimum is
- 1024, the maximum is 65536, and the default is 8192.
-
- </li>
-<li class="listitem">
-
- <span class="command"><strong>fstrm-set-flush-timeout</strong></span>: The number
- of seconds to allow unflushed data to remain in the
- output buffer. The minimum is 1 second, the maximum is
- 600 seconds (10 minutes), and the default is 1 second.
-
- </li>
-<li class="listitem">
-
- <span class="command"><strong>fstrm-set-output-notify-threshold</strong></span>:
- The number of outstanding queue entries to allow on
- an input queue before waking the I/O thread.
- The minimum is 1 and the default is 32.
-
- </li>
-<li class="listitem">
-
- <span class="command"><strong>fstrm-set-output-queue-model</strong></span>:
- Controls the queuing semantics to use for queue
- objects. The default is <code class="literal">mpsc</code>
- (multiple producer, single consumer); the other
- option is <code class="literal">spsc</code> (single producer,
- single consumer).
-
- </li>
-<li class="listitem">
-
- <span class="command"><strong>fstrm-set-input-queue-size</strong></span>: The
- number of queue entries to allocate for each
- input queue. This value must be a power of 2.
- The minimum is 2, the maximum is 16384, and
- the default is 512.
-
- </li>
-<li class="listitem">
-
- <span class="command"><strong>fstrm-set-output-queue-size</strong></span>:
- The number of queue entries to allocate for each
- output queue. The minimum is 2, the maximum is
- system-dependent and based on <code class="option">IOV_MAX</code>,
- and the default is 64.
-
- </li>
-<li class="listitem">
-
- <span class="command"><strong>fstrm-set-reopen-interval</strong></span>:
- The number of seconds to wait between attempts to
- reopen a closed output stream. The minimum is 1 second,
- the maximum is 600 seconds (10 minutes), and the default
- is 5 seconds.
-
- </li>
-</ul></div>
- <p>
- Note that all of the above minimum, maximum, and default
- values are set by the <span class="command"><strong>libfstrm</strong></span> library,
- and may be subject to change in future versions of the
- library. See the <span class="command"><strong>libfstrm</strong></span> documentation
- for more information.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnstap-output</strong></span></span></dt>
-<dd>
- <p>
- Configures the path to which the <span class="command"><strong>dnstap</strong></span>
- frame stream will be sent if <span class="command"><strong>dnstap</strong></span>
- is enabled at compile time and active.
- </p>
- <p>
- The first argument is either <code class="literal">file</code> or
- <code class="literal">unix</code>, indicating whether the destination
- is a file or a UNIX domain socket. The second argument
- is the path of the file or socket. (Note: when using a
- socket, <span class="command"><strong>dnstap</strong></span> messages will
- only be sent if another process such as
- <span class="command"><strong>fstrm_capture</strong></span>
- (provided with <span class="command"><strong>libfstrm</strong></span>) is listening on
- the socket.)
- </p>
- <p>
- If the first argument is <code class="literal">file</code>, then
- up to three additional options can be added:
- <span class="command"><strong>size</strong></span> indicates the size to which a
- <span class="command"><strong>dnstap</strong></span> log file can grow before being
- rolled to a new file; <span class="command"><strong>versions</strong></span>
- specifies the number of rolled log files to retain; and
- <span class="command"><strong>suffix</strong></span> indicates whether to retain
- rolled log files with an incrementing counter as the
- suffix (<code class="literal">increment</code>) or with the
- current timestamp (<code class="literal">timestamp</code>).
- These are similar to the <span class="command"><strong>size</strong></span>,
- <span class="command"><strong>versions</strong></span>, and <span class="command"><strong>suffix</strong></span>
- options in a <span class="command"><strong>logging</strong></span> channel.
- The default is to allow <span class="command"><strong>dnstap</strong></span> log
- files to grow to any size without rolling.
- </p>
- <p>
- <span class="command"><strong>dnstap-output</strong></span> can only be set globally
- in <span class="command"><strong>options</strong></span>. Currently, it can only be
- set once while <span class="command"><strong>named</strong></span> is running;
- once set, it cannot be changed by
- <span class="command"><strong>rndc reload</strong></span> or
- <span class="command"><strong>rndc reconfig</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnstap-identity</strong></span></span></dt>
-<dd>
- <p>
- Specifies an <span class="command"><strong>identity</strong></span> string to send in
- <span class="command"><strong>dnstap</strong></span> messages. If set to
- <code class="literal">hostname</code>, which is the default, the
- server's hostname will be sent. If set to
- <code class="literal">none</code>, no identity string will be sent.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnstap-version</strong></span></span></dt>
-<dd>
- <p>
- Specifies a <span class="command"><strong>version</strong></span> string to send in
- <span class="command"><strong>dnstap</strong></span> messages. The default is the
- version number of the BIND release. If set to
- <code class="literal">none</code>, no version string will be sent.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>geoip-directory</strong></span></span></dt>
-<dd>
- <p>
- Specifies the directory containing GeoIP
- <code class="filename">.dat</code> database files for GeoIP
- initialization. By default, this option is unset
- and the GeoIP support will use libGeoIP's
- built-in directory.
- (For details, see <a class="xref" href="Bv9ARM.ch06.html#acl" title="acl Statement Definition and Usage">the section called “<span class="command"><strong>acl</strong></span> Statement Definition and
- Usage”</a> about the
- <span class="command"><strong>geoip</strong></span> ACL.)
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
-<dd>
- <p>
- When performing dynamic update of secure zones, the
- directory where the public and private DNSSEC key files
- should be found, if different than the current working
- directory. (Note that this option has no effect on the
- paths for files containing non-DNSSEC keys such as
- <code class="filename">bind.keys</code>,
- <code class="filename">rndc.key</code> or
- <code class="filename">session.key</code>.)
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>lmdb-mapsize</strong></span></span></dt>
-<dd>
- <p>
- When <span class="command"><strong>named</strong></span> is built with liblmdb,
- this option sets a maximum size for the memory map of
- the new-zone database (NZD) in LMDB database format.
- This database is used to store configuration information
- for zones added using <span class="command"><strong>rndc addzone</strong></span>.
- Note that this is not the NZD database file size, but
- the largest size that the database may grow to.
- </p>
- <p>
- Because the database file is memory mapped, its size is
- limited by the address space of the named process. The
- default of 32 megabytes was chosen to be usable with
- 32-bit <span class="command"><strong>named</strong></span> builds. The largest
- permitted value is 1 terabyte. Given typical zone
- configurations without elaborate ACLs, a 32 MB NZD file
- ought to be able to hold configurations of about 100,000
- zones.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>managed-keys-directory</strong></span></span></dt>
-<dd>
- <p>
- Specifies the directory in which to store the files that
- track managed DNSSEC keys. By default, this is the working
- directory.
- </p>
- <p>
- If <span class="command"><strong>named</strong></span> is not configured to use views,
- then managed keys for the server will be tracked in a single
- file called <code class="filename">managed-keys.bind</code>.
- Otherwise, managed keys will be tracked in separate files,
- one file per view; each file name will be the view name
- (or, if it contains characters that are incompatible with
- use as a file name, the SHA256 hash of the view name),
- followed by the extension
- <code class="filename">.mkeys</code>.
- </p>
- <p>
- (Note: in previous releases, file names for views
- always used the SHA256 hash of the view name. To ensure
- compatibility after upgrade, if a file using the old
- name format is found to exist, it will be used instead
- of the new format.)
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>new-zones-directory</strong></span></span></dt>
-<dd>
- <p>
- Specifies the directory in which to store the configuration
- parameters for zones added via <span class="command"><strong>rndc addzone</strong></span>.
- By default, this is the working directory.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>named-xfer</strong></span></span></dt>
-<dd>
- <p>
- <span class="emphasis"><em>This option is obsolete.</em></span> It
- was used in <acronym class="acronym">BIND</acronym> 8 to specify
- the pathname to the <span class="command"><strong>named-xfer</strong></span>
- program. In <acronym class="acronym">BIND</acronym> 9, no separate
- <span class="command"><strong>named-xfer</strong></span> program is needed;
- its functionality is built into the name server.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>tkey-gssapi-keytab</strong></span></span></dt>
-<dd>
- <p>
- The KRB5 keytab file to use for GSS-TSIG updates. If
- this option is set and tkey-gssapi-credential is not
- set, then updates will be allowed with any key
- matching a principal in the specified keytab.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>tkey-gssapi-credential</strong></span></span></dt>
-<dd>
- <p>
- The security credential with which the server should
- authenticate keys requested by the GSS-TSIG protocol.
- Currently only Kerberos 5 authentication is available
- and the credential is a Kerberos principal which the
- server can acquire through the default system key
- file, normally <code class="filename">/etc/krb5.keytab</code>.
- The location keytab file can be overridden using the
- tkey-gssapi-keytab option. Normally this principal is
- of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
- To use GSS-TSIG, <span class="command"><strong>tkey-domain</strong></span> must
- also be set if a specific keytab is not set with
- tkey-gssapi-keytab.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>tkey-domain</strong></span></span></dt>
-<dd>
- <p>
- The domain appended to the names of all shared keys
- generated with <span class="command"><strong>TKEY</strong></span>. When a
- client requests a <span class="command"><strong>TKEY</strong></span> exchange,
- it may or may not specify the desired name for the
- key. If present, the name of the shared key will
- be <code class="varname">client specified part</code> +
- <code class="varname">tkey-domain</code>. Otherwise, the
- name of the shared key will be <code class="varname">random hex
- digits</code> + <code class="varname">tkey-domain</code>.
- In most cases, the <span class="command"><strong>domainname</strong></span>
- should be the server's domain name, or an otherwise
- non-existent subdomain like
- "_tkey.<code class="varname">domainname</code>". If you are
- using GSS-TSIG, this variable must be defined, unless
- you specify a specific keytab using tkey-gssapi-keytab.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>tkey-dhkey</strong></span></span></dt>
-<dd>
- <p>
- The Diffie-Hellman key used by the server
- to generate shared keys with clients using the Diffie-Hellman
- mode
- of <span class="command"><strong>TKEY</strong></span>. The server must be
- able to load the
- public and private keys from files in the working directory.
- In
- most cases, the <code class="varname">key_name</code> should be the server's host name.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>cache-file</strong></span></span></dt>
-<dd>
- <p>
- This is for testing only. Do not use.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dump-file</strong></span></span></dt>
-<dd>
- <p>
- The pathname of the file the server dumps
- the database to when instructed to do so with
- <span class="command"><strong>rndc dumpdb</strong></span>.
- If not specified, the default is <code class="filename">named_dump.db</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>memstatistics-file</strong></span></span></dt>
-<dd>
- <p>
- The pathname of the file the server writes memory
- usage statistics to on exit. If not specified,
- the default is <code class="filename">named.memstats</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>lock-file</strong></span></span></dt>
-<dd>
- <p>
- The pathname of a file on which <span class="command"><strong>named</strong></span> will
- attempt to acquire a file lock when starting up for
- the first time; if unsuccessful, the server will
- will terminate, under the assumption that another
- server is already running. If not specified, the default is
- <code class="filename">/var/run/named/named.lock</code>.
- </p>
- <p>
- Specifying <span class="command"><strong>lock-file none</strong></span> disables the
- use of a lock file. <span class="command"><strong>lock-file</strong></span> is
- ignored if <span class="command"><strong>named</strong></span> was run using the <code class="option">-X</code>
- option, which overrides it. Changes to
- <span class="command"><strong>lock-file</strong></span> are ignored if
- <span class="command"><strong>named</strong></span> is being reloaded or
- reconfigured; it is only effective when the server is
- first started up.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>pid-file</strong></span></span></dt>
-<dd>
- <p>
- The pathname of the file the server writes its process ID
- in. If not specified, the default is
- <code class="filename">/var/run/named/named.pid</code>.
- The PID file is used by programs that want to send signals to
- the running
- name server. Specifying <span class="command"><strong>pid-file none</strong></span> disables the
- use of a PID file — no file will be written and any
- existing one will be removed. Note that <span class="command"><strong>none</strong></span>
- is a keyword, not a filename, and therefore is not enclosed
- in
- double quotes.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>recursing-file</strong></span></span></dt>
-<dd>
- <p>
- The pathname of the file the server dumps
- the queries that are currently recursing when instructed
- to do so with <span class="command"><strong>rndc recursing</strong></span>.
- If not specified, the default is <code class="filename">named.recursing</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>statistics-file</strong></span></span></dt>
-<dd>
- <p>
- The pathname of the file the server appends statistics
- to when instructed to do so using <span class="command"><strong>rndc stats</strong></span>.
- If not specified, the default is <code class="filename">named.stats</code> in the
- server's current directory. The format of the file is
- described
- in <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>bindkeys-file</strong></span></span></dt>
-<dd>
- <p>
- The pathname of a file to override the built-in trusted
- keys provided by <span class="command"><strong>named</strong></span>.
- See the discussion of <span class="command"><strong>dnssec-lookaside</strong></span>
- and <span class="command"><strong>dnssec-validation</strong></span> for details.
- If not specified, the default is
- <code class="filename">/etc/bind.keys</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>secroots-file</strong></span></span></dt>
-<dd>
- <p>
- The pathname of the file the server dumps
- security roots to when instructed to do so with
- <span class="command"><strong>rndc secroots</strong></span>.
- If not specified, the default is
- <code class="filename">named.secroots</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>session-keyfile</strong></span></span></dt>
-<dd>
- <p>
- The pathname of the file into which to write a TSIG
- session key generated by <span class="command"><strong>named</strong></span> for use by
- <span class="command"><strong>nsupdate -l</strong></span>. If not specified, the
- default is <code class="filename">/var/run/named/session.key</code>.
- (See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
- particular the discussion of the
- <span class="command"><strong>update-policy</strong></span> statement's
- <strong class="userinput"><code>local</code></strong> option for more
- information about this feature.)
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>session-keyname</strong></span></span></dt>
-<dd>
- <p>
- The key name to use for the TSIG session key.
- If not specified, the default is "local-ddns".
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>session-keyalg</strong></span></span></dt>
-<dd>
- <p>
- The algorithm to use for the TSIG session key.
- Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384, hmac-sha512 and hmac-md5. If not
- specified, the default is hmac-sha256.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>port</strong></span></span></dt>
-<dd>
- <p>
- The UDP/TCP port number the server uses for
- receiving and sending DNS protocol traffic.
- The default is 53. This option is mainly intended for server
- testing;
- a server using a port other than 53 will not be able to
- communicate with
- the global DNS.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dscp</strong></span></span></dt>
-<dd>
- <p>
- The global Differentiated Services Code Point (DSCP)
- value to classify outgoing DNS traffic on operating
- systems that support DSCP. Valid values are 0 through 63.
- It is not configured by default.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>random-device</strong></span></span></dt>
-<dd>
- <p>
- The source of entropy to be used by the server. Entropy is
- primarily needed
- for DNSSEC operations, such as TKEY transactions and dynamic
- update of signed
- zones. This options specifies the device (or file) from which
- to read
- entropy. If this is a file, operations requiring entropy will
- fail when the
- file has been exhausted. If not specified, the default value
- is
- <code class="filename">/dev/random</code>
- (or equivalent) when present, and none otherwise. The
- <span class="command"><strong>random-device</strong></span> option takes
- effect during
- the initial configuration load at server startup time and
- is ignored on subsequent reloads.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>preferred-glue</strong></span></span></dt>
-<dd>
- <p>
- If specified, the listed type (A or AAAA) will be emitted
- before other glue
- in the additional section of a query response.
- The default is to prefer A records when responding
- to queries that arrived via IPv4 and AAAA when
- responding to queries that arrived via IPv6.
- </p>
- </dd>
-<dt>
-<a name="root_delegation_only"></a><span class="term"><span class="command"><strong>root-delegation-only</strong></span></span>
-</dt>
-<dd>
- <p>
- Turn on enforcement of delegation-only in TLDs
- (top level domains) and root zones with an optional
- exclude list.
- </p>
- <p>
- DS queries are expected to be made to and be answered by
- delegation only zones. Such queries and responses are
- treated as an exception to delegation-only processing
- and are not converted to NXDOMAIN responses provided
- a CNAME is not discovered at the query name.
- </p>
- <p>
- If a delegation only zone server also serves a child
- zone it is not always possible to determine whether
- an answer comes from the delegation only zone or the
- child zone. SOA NS and DNSKEY records are apex
- only records and a matching response that contains
- these records or DS is treated as coming from a
- child zone. RRSIG records are also examined to see
- if they are signed by a child zone or not. The
- authority section is also examined to see if there
- is evidence that the answer is from the child zone.
- Answers that are determined to be from a child zone
- are not converted to NXDOMAIN responses. Despite
- all these checks there is still a possibility of
- false negatives when a child zone is being served.
- </p>
- <p>
- Similarly false positives can arise from empty nodes
- (no records at the name) in the delegation only zone
- when the query type is not ANY.
- </p>
- <p>
- Note some TLDs are not delegation only (e.g. "DE", "LV",
- "US" and "MUSEUM"). This list is not exhaustive.
- </p>
-
-<pre class="programlisting">
-options {
- root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
-};
-</pre>
-
- </dd>
-<dt><span class="term"><span class="command"><strong>disable-algorithms</strong></span></span></dt>
-<dd>
- <p>
- Disable the specified DNSSEC algorithms at and below the
- specified name.
- Multiple <span class="command"><strong>disable-algorithms</strong></span>
- statements are allowed.
- Only the best match <span class="command"><strong>disable-algorithms</strong></span>
- clause will be used to determine which algorithms are used.
- </p>
- <p>
- If all supported algorithms are disabled, the zones covered
- by the <span class="command"><strong>disable-algorithms</strong></span> will be treated
- as insecure.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>disable-ds-digests</strong></span></span></dt>
-<dd>
- <p>
- Disable the specified DS/DLV digest types at and below the
- specified name.
- Multiple <span class="command"><strong>disable-ds-digests</strong></span>
- statements are allowed.
- Only the best match <span class="command"><strong>disable-ds-digests</strong></span>
- clause will be used to determine which digest types are used.
- </p>
- <p>
- If all supported digest types are disabled, the zones covered
- by the <span class="command"><strong>disable-ds-digests</strong></span> will be treated
- as insecure.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-lookaside</strong></span></span></dt>
-<dd>
- <p>
- When set, <span class="command"><strong>dnssec-lookaside</strong></span> provides the
- validator with an alternate method to validate DNSKEY
- records at the top of a zone. When a DNSKEY is at or
- below a domain specified by the deepest
- <span class="command"><strong>dnssec-lookaside</strong></span>, and the normal DNSSEC
- validation has left the key untrusted, the trust-anchor
- will be appended to the key name and a DLV record will be
- looked up to see if it can validate the key. If the DLV
- record validates a DNSKEY (similarly to the way a DS
- record does) the DNSKEY RRset is deemed to be trusted.
- </p>
- <p>
- If <span class="command"><strong>dnssec-lookaside</strong></span> is set to
- <strong class="userinput"><code>auto</code></strong>, then built-in default
- values for the DLV domain and trust anchor will be
- used, along with a built-in key for validation.
- </p>
- <p>
- If <span class="command"><strong>dnssec-lookaside</strong></span> is set to
- <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
- is not used.
- </p>
- <p>
- The default DLV key is stored in the file
- <code class="filename">bind.keys</code>;
- <span class="command"><strong>named</strong></span> will load that key at
- startup if <span class="command"><strong>dnssec-lookaside</strong></span> is set to
- <code class="constant">auto</code>. A copy of the file is
- installed along with <acronym class="acronym">BIND</acronym> 9, and is
- current as of the release date. If the DLV key expires, a
- new copy of <code class="filename">bind.keys</code> can be downloaded
- from <a class="link" href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
- </p>
- <p>
- (To prevent problems if <code class="filename">bind.keys</code> is
- not found, the current key is also compiled in to
- <span class="command"><strong>named</strong></span>. Relying on this is not
- recommended, however, as it requires <span class="command"><strong>named</strong></span>
- to be recompiled with a new key when the DLV key expires.)
- </p>
- <p>
- NOTE: <span class="command"><strong>named</strong></span> only loads certain specific
- keys from <code class="filename">bind.keys</code>: those for the
- DLV zone and for the DNS root zone. The file cannot be
- used to store keys for other zones.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-must-be-secure</strong></span></span></dt>
-<dd>
- <p>
- Specify hierarchies which must be or may not be secure
- (signed and validated). If <strong class="userinput"><code>yes</code></strong>,
- then <span class="command"><strong>named</strong></span> will only accept answers if
- they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
- DNSSEC validation applies allowing for insecure answers to
- be accepted. The specified domain must be under a
- <span class="command"><strong>trusted-keys</strong></span> or
- <span class="command"><strong>managed-keys</strong></span> statement, or
- <span class="command"><strong>dnssec-lookaside</strong></span> must be active.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt>
-<dd>
- <p>
- This directive instructs <span class="command"><strong>named</strong></span> to
- return mapped IPv4 addresses to AAAA queries when
- there are no AAAA records. It is intended to be
- used in conjunction with a NAT64. Each
- <span class="command"><strong>dns64</strong></span> defines one DNS64 prefix.
- Multiple DNS64 prefixes can be defined.
- </p>
- <p>
- Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
- 64 and 96 as per RFC 6052.
- </p>
- <p>
- Additionally a reverse IP6.ARPA zone will be created for
- the prefix to provide a mapping from the IP6.ARPA names
- to the corresponding IN-ADDR.ARPA names using synthesized
- CNAMEs. <span class="command"><strong>dns64-server</strong></span> and
- <span class="command"><strong>dns64-contact</strong></span> can be used to specify
- the name of the server and contact for the zones. These
- are settable at the view / options level. These are
- not settable on a per-prefix basis.
- </p>
- <p>
- Each <span class="command"><strong>dns64</strong></span> supports an optional
- <span class="command"><strong>clients</strong></span> ACL that determines which
- clients are affected by this directive. If not defined,
- it defaults to <strong class="userinput"><code>any;</code></strong>.
- </p>
- <p>
- Each <span class="command"><strong>dns64</strong></span> supports an optional
- <span class="command"><strong>mapped</strong></span> ACL that selects which
- IPv4 addresses are to be mapped in the corresponding
- A RRset. If not defined it defaults to
- <strong class="userinput"><code>any;</code></strong>.
- </p>
- <p>
- Normally, DNS64 won't apply to a domain name that
- owns one or more AAAA records; these records will
- simply be returned. The optional
- <span class="command"><strong>exclude</strong></span> ACL allows specification
- of a list of IPv6 addresses that will be ignored
- if they appear in a domain name's AAAA records, and
- DNS64 will be applied to any A records the domain
- name owns. If not defined, <span class="command"><strong>exclude</strong></span>
- defaults to ::ffff:0.0.0.0/96.
- </p>
- <p>
- A optional <span class="command"><strong>suffix</strong></span> can also
- be defined to set the bits trailing the mapped
- IPv4 address bits. By default these bits are
- set to <strong class="userinput"><code>::</code></strong>. The bits
- matching the prefix and mapped IPv4 address
- must be zero.
- </p>
- <p>
- If <span class="command"><strong>recursive-only</strong></span> is set to
- <span class="command"><strong>yes</strong></span> the DNS64 synthesis will
- only happen for recursive queries. The default
- is <span class="command"><strong>no</strong></span>.
- </p>
- <p>
- If <span class="command"><strong>break-dnssec</strong></span> is set to
- <span class="command"><strong>yes</strong></span> the DNS64 synthesis will
- happen even if the result, if validated, would
- cause a DNSSEC validation failure. If this option
- is set to <span class="command"><strong>no</strong></span> (the default), the DO
- is set on the incoming query, and there are RRSIGs on
- the applicable records, then synthesis will not happen.
- </p>
-<pre class="programlisting">
- acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
-
- dns64 64:FF9B::/96 {
- clients { any; };
- mapped { !rfc1918; any; };
- exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
- suffix ::;
- };
-</pre>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt>
-<dd>
- <p>
- When a zone is configured with <span class="command"><strong>auto-dnssec
- maintain;</strong></span> its key repository must be checked
- periodically to see if any new keys have been added
- or any existing keys' timing metadata has been updated
- (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
- <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The
- <span class="command"><strong>dnssec-loadkeys-interval</strong></span> option
- sets the frequency of automatic repository checks, in
- minutes. The default is <code class="literal">60</code> (1 hour),
- the minimum is <code class="literal">1</code> (1 minute), and the
- maximum is <code class="literal">1440</code> (24 hours); any higher
- value is silently reduced.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
-<dd>
- <p>
- If this option is set to its default value of
- <code class="literal">maintain</code> in a zone of type
- <code class="literal">master</code> which is DNSSEC-signed
- and configured to allow dynamic updates (see
- <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and
- if <span class="command"><strong>named</strong></span> has access to the
- private signing key(s) for the zone, then
- <span class="command"><strong>named</strong></span> will automatically sign all new
- or changed records and maintain signatures for the zone
- by regenerating RRSIG records whenever they approach
- their expiration date.
- </p>
- <p>
- If the option is changed to <code class="literal">no-resign</code>,
- then <span class="command"><strong>named</strong></span> will sign all new or
- changed records, but scheduled maintenance of
- signatures is disabled.
- </p>
- <p>
- With either of these settings, <span class="command"><strong>named</strong></span>
- will reject updates to a DNSSEC-signed zone when the
- signing keys are inactive or unavailable to
- <span class="command"><strong>named</strong></span>. (A planned third option,
- <code class="literal">external</code>, will disable all automatic
- signing and allow DNSSEC data to be submitted into a zone
- via dynamic update; this is not yet implemented.)
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>nta-lifetime</strong></span></span></dt>
-<dd>
- <p>
- Species the default lifetime, in seconds,
- that will be used for negative trust anchors added
- via <span class="command"><strong>rndc nta</strong></span>.
- </p>
- <p>
- A negative trust anchor selectively disables
- DNSSEC validation for zones that are known to be
- failing because of misconfiguration rather than
- an attack. When data to be validated is
- at or below an active NTA (and above any other
- configured trust anchors), <span class="command"><strong>named</strong></span> will
- abort the DNSSEC validation process and treat the data as
- insecure rather than bogus. This continues until the
- NTA's lifetime is elapsed. NTAs persist
- across <span class="command"><strong>named</strong></span> restarts.
- </p>
- <p>
- For convenience, TTL-style time unit suffixes can be
- used to specify the NTA lifetime in seconds, minutes
- or hours. <code class="option">nta-lifetime</code> defaults to
- one hour. It cannot exceed one week.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>nta-recheck</strong></span></span></dt>
-<dd>
- <p>
- Species how often to check whether negative
- trust anchors added via <span class="command"><strong>rndc nta</strong></span>
- are still necessary.
- </p>
- <p>
- A negative trust anchor is normally used when a
- domain has stopped validating due to operator error;
- it temporarily disables DNSSEC validation for that
- domain. In the interest of ensuring that DNSSEC
- validation is turned back on as soon as possible,
- <span class="command"><strong>named</strong></span> will periodically send a
- query to the domain, ignoring negative trust anchors,
- to find out whether it can now be validated. If so,
- the negative trust anchor is allowed to expire early.
- </p>
- <p>
- Validity checks can be disabled for an individual
- NTA by using <span class="command"><strong>rndc nta -f</strong></span>, or
- for all NTAs by setting <code class="option">nta-recheck</code>
- to zero.
- </p>
- <p>
- For convenience, TTL-style time unit suffixes can be
- used to specify the NTA recheck interval in seconds,
- minutes or hours. The default is five minutes. It
- cannot be longer than <code class="option">nta-lifetime</code>
- (which cannot be longer than a week).
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
-<dd>
- <p>
- Specifies a maximum permissible TTL value in seconds.
- For convenience, TTL-style time unit suffixes may be
- used to specify the maximum value.
- When loading a zone file using a
- <code class="option">masterfile-format</code> of
- <code class="constant">text</code> or <code class="constant">raw</code>,
- any record encountered with a TTL higher than
- <code class="option">max-zone-ttl</code> will cause the zone to
- be rejected.
- </p>
- <p>
- This is useful in DNSSEC-signed zones because when
- rolling to a new DNSKEY, the old key needs to remain
- available until RRSIG records have expired from
- caches. The <code class="option">max-zone-ttl</code> option guarantees
- that the largest TTL in the zone will be no higher
- than the set value.
- </p>
- <p>
- (NOTE: Because <code class="constant">map</code>-format files
- load directly into memory, this option cannot be
- used with them.)
- </p>
- <p>
- The default value is <code class="constant">unlimited</code>.
- A <code class="option">max-zone-ttl</code> of zero is treated as
- <code class="constant">unlimited</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>stale-answer-ttl</strong></span></span></dt>
-<dd>
- <p>
- Specifies the TTL to be returned on stale answers.
- The default is 1 second. The minimal allowed is
- also 1 second; a value of 0 will be updated silently
- to 1 second. For stale answers to be returned
- <code class="option">max-stale-ttl</code> must be set to a
- non zero value and they must not have been disabled
- by <span class="command"><strong>rndc</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
-<dd>
- <p>
- Zones configured for dynamic DNS may use this
- option to set the update method that will be used for
- the zone serial number in the SOA record.
- </p>
- <p>
- With the default setting of
- <span class="command"><strong>serial-update-method increment;</strong></span>, the
- SOA serial number will be incremented by one each time
- the zone is updated.
- </p>
- <p>
- When set to
- <span class="command"><strong>serial-update-method unixtime;</strong></span>, the
- SOA serial number will be set to the number of seconds
- since the UNIX epoch, unless the serial number is
- already greater than or equal to that value, in which
- case it is simply incremented by one.
- </p>
- <p>
- When set to
- <span class="command"><strong>serial-update-method date;</strong></span>, the
- new SOA serial number will be the current date
- in the form "YYYYMMDD", followed by two zeroes,
- unless the existing serial number is already greater
- than or equal to that value, in which case it is
- incremented by one.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>full</code></strong>, the server will collect
- statistical data on all zones (unless specifically
- turned off on a per-zone basis by specifying
- <span class="command"><strong>zone-statistics terse</strong></span> or
- <span class="command"><strong>zone-statistics none</strong></span>
- in the <span class="command"><strong>zone</strong></span> statement).
- The default is <strong class="userinput"><code>terse</code></strong>, providing
- minimal statistics on zones (including name and
- current serial number, but not query type
- counters).
- </p>
- <p>
- These statistics may be accessed via the
- <span class="command"><strong>statistics-channel</strong></span> or
- using <span class="command"><strong>rndc stats</strong></span>, which
- will dump them to the file listed
- in the <span class="command"><strong>statistics-file</strong></span>. See
- also <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
- </p>
- <p>
- For backward compatibility with earlier versions
- of BIND 9, the <span class="command"><strong>zone-statistics</strong></span>
- option can also accept <strong class="userinput"><code>yes</code></strong>
- or <strong class="userinput"><code>no</code></strong>; <strong class="userinput"><code>yes</code></strong>
- has the same meaning as <strong class="userinput"><code>full</code></strong>.
- As of <acronym class="acronym">BIND</acronym> 9.10,
- <strong class="userinput"><code>no</code></strong> has the same meaning
- as <strong class="userinput"><code>none</code></strong>; previously, it
- was the same as <strong class="userinput"><code>terse</code></strong>.
- </p>
- </dd>
-</dl></div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>automatic-interface-scan</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong> and supported by the OS,
- automatically rescan network interfaces when the interface
- addresses are added or removed. The default is
- <strong class="userinput"><code>yes</code></strong>.
- </p>
- <p>
- Currently the OS needs to support routing sockets for
- <span class="command"><strong>automatic-interface-scan</strong></span> to be
- supported.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-new-zones</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong>, then zones can be
- added at runtime via <span class="command"><strong>rndc addzone</strong></span>.
- The default is <strong class="userinput"><code>no</code></strong>.
- </p>
- <p>
- Newly added zones' configuration parameters
- are stored so that they can persist after the
- server is restarted. The configuration information
- is saved in a file called
- <code class="filename"><em class="replaceable"><code>viewname</code></em>.nzf</code>
- (or, if <span class="command"><strong>named</strong></span> is compiled with
- liblmdb, in an LMDB database file called
- <code class="filename"><em class="replaceable"><code>viewname</code></em>.nzd</code>).
- <em class="replaceable"><code>viewname</code></em> is the name of the
- view, unless the view name contains characters that are
- incompatible with use as a file name, in which case a
- cryptographic hash of the view name is used instead.
- </p>
- <p>
- Zones added at runtime will have their configuration
- stored either in a new-zone file (NZF) or a new-zone
- database (NZD) depending on whether
- <span class="command"><strong>named</strong></span> was linked with
- liblmdb at compile time.
- See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for further details
- about <span class="command"><strong>rndc addzone</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>auth-nxdomain</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong>, then the <span class="command"><strong>AA</strong></span> bit
- is always set on NXDOMAIN responses, even if the server is
- not actually
- authoritative. The default is <strong class="userinput"><code>no</code></strong>;
- this is
- a change from <acronym class="acronym">BIND</acronym> 8. If you
- are using very old DNS software, you
- may need to set it to <strong class="userinput"><code>yes</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>deallocate-on-exit</strong></span></span></dt>
-<dd>
- <p>
- This option was used in <acronym class="acronym">BIND</acronym>
- 8 to enable checking
- for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
- the checks.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>memstatistics</strong></span></span></dt>
-<dd>
- <p>
- Write memory statistics to the file specified by
- <span class="command"><strong>memstatistics-file</strong></span> at exit.
- The default is <strong class="userinput"><code>no</code></strong> unless
- '-m record' is specified on the command line in
- which case it is <strong class="userinput"><code>yes</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong>, then the
- server treats all zones as if they are doing zone transfers
- across
- a dial-on-demand dialup link, which can be brought up by
- traffic
- originating from this server. This has different effects
- according
- to zone type and concentrates the zone maintenance so that
- it all
- happens in a short interval, once every <span class="command"><strong>heartbeat-interval</strong></span> and
- hopefully during the one call. It also suppresses some of
- the normal
- zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
- </p>
- <p>
- The <span class="command"><strong>dialup</strong></span> option
- may also be specified in the <span class="command"><strong>view</strong></span> and
- <span class="command"><strong>zone</strong></span> statements,
- in which case it overrides the global <span class="command"><strong>dialup</strong></span>
- option.
- </p>
- <p>
- If the zone is a master zone, then the server will send out a
- NOTIFY
- request to all the slaves (default). This should trigger the
- zone serial
- number check in the slave (providing it supports NOTIFY)
- allowing the slave
- to verify the zone while the connection is active.
- The set of servers to which NOTIFY is sent can be controlled
- by
- <span class="command"><strong>notify</strong></span> and <span class="command"><strong>also-notify</strong></span>.
- </p>
- <p>
- If the
- zone is a slave or stub zone, then the server will suppress
- the regular
- "zone up to date" (refresh) queries and only perform them
- when the
- <span class="command"><strong>heartbeat-interval</strong></span> expires in
- addition to sending
- NOTIFY requests.
- </p>
- <p>
- Finer control can be achieved by using
- <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
- messages,
- <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
- messages and
- suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
- which suppresses normal refresh processing and sends refresh
- queries
- when the <span class="command"><strong>heartbeat-interval</strong></span>
- expires, and
- <strong class="userinput"><code>passive</code></strong> which just disables normal
- refresh
- processing.
- </p>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="1.150in" class="2">
-<col width="1.150in" class="3">
-<col width="1.150in" class="4">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- dialup mode
- </p>
- </td>
-<td>
- <p>
- normal refresh
- </p>
- </td>
-<td>
- <p>
- heart-beat refresh
- </p>
- </td>
-<td>
- <p>
- heart-beat notify
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>no</strong></span> (default)</p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>yes</strong></span></p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>notify</strong></span></p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>refresh</strong></span></p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>passive</strong></span></p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>notify-passive</strong></span></p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
-
- <p>
- Note that normal NOTIFY processing is not affected by
- <span class="command"><strong>dialup</strong></span>.
- </p>
-
- </dd>
-<dt><span class="term"><span class="command"><strong>fake-iquery</strong></span></span></dt>
-<dd>
- <p>
- In <acronym class="acronym">BIND</acronym> 8, this option
- enabled simulating the obsolete DNS query type
- IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
- IQUERY simulation.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt>
-<dd>
- <p>
- This option is obsolete.
- In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
- caused the server to attempt to fetch glue resource records
- it
- didn't have when constructing the additional
- data section of a response. This is now considered a bad
- idea
- and BIND 9 never does it.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>flush-zones-on-shutdown</strong></span></span></dt>
-<dd>
- <p>
- When the nameserver exits due receiving SIGTERM,
- flush or do not flush any pending zone writes. The default
- is
- <span class="command"><strong>flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>geoip-use-ecs</strong></span></span></dt>
-<dd>
- <p>
- When BIND is compiled with GeoIP support and configured
- with "geoip" ACL elements, this option indicates whether
- the EDNS Client Subnet option, if present in a request,
- should be used for matching against the GeoIP database.
- The default is
- <span class="command"><strong>geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt>
-<dd>
- <p>
- This option was incorrectly implemented
- in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
- To achieve the intended effect
- of
- <span class="command"><strong>has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
- the two separate options <span class="command"><strong>auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
- and <span class="command"><strong>rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>host-statistics</strong></span></span></dt>
-<dd>
- <p>
- In BIND 8, this enables keeping of
- statistics for every host that the name server interacts
- with.
- Not implemented in BIND 9.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>maintain-ixfr-base</strong></span></span></dt>
-<dd>
- <p>
- <span class="emphasis"><em>This option is obsolete</em></span>.
- It was used in <acronym class="acronym">BIND</acronym> 8 to
- determine whether a transaction log was
- kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
- log whenever possible. If you need to disable outgoing
- incremental zone
- transfers, use <span class="command"><strong>provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>message-compression</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong>, DNS name compression is
- used in responses to regular queries (not including
- AXFR or IXFR, which always uses compression). Setting
- this option to <strong class="userinput"><code>no</code></strong> reduces CPU
- usage on servers and may improve throughput. However,
- it increases response size, which may cause more queries
- to be processed using TCP; a server with compression
- disabled is out of compliance with RFC 1123 Section
- 6.1.3.2. The default is <strong class="userinput"><code>yes</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt>
-<dd>
- <p>
- If set to <strong class="userinput"><code>yes</code></strong>, then when generating
- responses the server will only add records to the authority
- and additional data sections when they are required (e.g.
- delegations, negative responses). This may improve the
- performance of the server.
- </p>
- <p>
- When set to <strong class="userinput"><code>no-auth</code></strong>, the
- server will omit records from the authority section
- unless they are required, but it may still add
- records to the additional section. When set to
- <strong class="userinput"><code>no-auth-recursive</code></strong>, this
- is only done if the query is recursive. These
- settings are useful when answering stub clients,
- which usually ignore the authority section.
- <strong class="userinput"><code>no-auth-recursive</code></strong> is
- designed for mixed-mode servers which handle
- both authoritative and recursive queries.
- </p>
- <p>
- The default is <strong class="userinput"><code>yes</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>glue-cache</strong></span></span></dt>
-<dd>
- <p>
- When set to <strong class="userinput"><code>yes</code></strong>, a cache is
- used to improve query performance when adding
- address-type (A and AAAA) glue records to the
- additional section of DNS response messages that
- delegate to a child zone.
- </p>
- <p>
- The glue cache uses memory proportional to the number
- of delegations in the zone. The default setting is
- <strong class="userinput"><code>yes</code></strong>, which improves performance
- at the cost of increased memory usage for the zone. If
- you don't want this, set it to <strong class="userinput"><code>no</code></strong>.
- </p>
- <p>
- The glue cache is only used when
- <strong class="userinput"><code>minimal-responses</code></strong> is also set
- to <strong class="userinput"><code>yes</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>minimal-any</strong></span></span></dt>
-<dd>
- <p>
- If set to <strong class="userinput"><code>yes</code></strong>, then when
- generating a positive response to a query of type
- ANY over UDP, the server will reply with only one
- of the RRsets for the query name, and its covering
- RRSIGs if any, instead of replying with all known
- RRsets for the name. Similarly, a query for type
- RRSIG will be answered with the RRSIG records covering
- only one type. This can reduce the impact of some kinds
- of attack traffic, without harming legitimate
- clients. (Note, however, that the RRset returned is the
- first one found in the database; it is not necessarily
- the smallest available RRset.)
- Additionally, <code class="option">minimal-responses</code> is
- turned on for these queries, so no unnecessary records
- will be added to the authority or additional sections.
- The default is <strong class="userinput"><code>no</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>multiple-cnames</strong></span></span></dt>
-<dd>
- <p>
- This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
- a domain name to have multiple CNAME records in violation of
- the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards
- always strictly enforces the CNAME rules both in master
- files and dynamic updates.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong> (the default),
- DNS NOTIFY messages are sent when a zone the server is
- authoritative for
- changes, see <a class="xref" href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
- sent to the
- servers listed in the zone's NS records (except the master
- server identified
- in the SOA MNAME field), and to any servers listed in the
- <span class="command"><strong>also-notify</strong></span> option.
- </p>
- <p>
- If <strong class="userinput"><code>master-only</code></strong>, notifies are only
- sent
- for master zones.
- If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
- to
- servers explicitly listed using <span class="command"><strong>also-notify</strong></span>.
- If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
- </p>
- <p>
- The <span class="command"><strong>notify</strong></span> option may also be
- specified in the <span class="command"><strong>zone</strong></span>
- statement,
- in which case it overrides the <span class="command"><strong>options notify</strong></span> statement.
- It would only be necessary to turn off this option if it
- caused slaves
- to crash.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
- in the NS RRset against the SOA MNAME. Normally a NOTIFY
- message is not sent to the SOA MNAME (SOA ORIGIN) as it is
- supposed to contain the name of the ultimate master.
- Sometimes, however, a slave is listed as the SOA MNAME in
- hidden master configurations and in that case you would
- want the ultimate master to still send NOTIFY messages to
- all the nameservers listed in the NS RRset.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>recursion</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong>, and a
- DNS query requests recursion, then the server will attempt
- to do
- all the work required to answer the query. If recursion is
- off
- and the server does not already know the answer, it will
- return a
- referral response. The default is
- <strong class="userinput"><code>yes</code></strong>.
- Note that setting <span class="command"><strong>recursion no</strong></span> does not prevent
- clients from getting data from the server's cache; it only
- prevents new data from being cached as an effect of client
- queries.
- Caching may still occur as an effect the server's internal
- operation, such as NOTIFY address lookups.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>request-nsid</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
- NSID (Name Server Identifier) option is sent with all
- queries to authoritative name servers during iterative
- resolution. If the authoritative server returns an NSID
- option in its response, then its contents are logged in
- the <span class="command"><strong>resolver</strong></span> category at level
- <span class="command"><strong>info</strong></span>.
- The default is <strong class="userinput"><code>no</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>request-sit</strong></span></span></dt>
-<dd>
- <p>
- This experimental option is obsolete.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>require-server-cookie</strong></span></span></dt>
-<dd>
- <p>
- Require a valid server cookie before sending a full
- response to a UDP request from a cookie aware client.
- BADCOOKIE is sent if there is a bad or no existent
- server cookie.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong>, then a COOKIE EDNS
- option is sent along with the query. If the
- resolver has previously talked to the server, the
- COOKIE returned in the previous transaction is sent.
- This is used by the server to determine whether
- the resolver has talked to it before. A resolver
- sending the correct COOKIE is assumed not to be an
- off-path attacker sending a spoofed-source query;
- the query is therefore unlikely to be part of a
- reflection/amplification attack, so resolvers
- sending a correct COOKIE option are not subject to
- response rate limiting (RRL). Resolvers which
- do not send a correct COOKIE option may be limited
- to receiving smaller responses via the
- <span class="command"><strong>nocookie-udp-size</strong></span> option.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>serve-stale-enable</strong></span></span></dt>
-<dd>
- <p>
- Enable the returning of stale answers when the
- nameservers for the zone are not answering. This
- is off by default but can be enabled/disabled via
- <span class="command"><strong>rndc server-stale on</strong></span> and
- <span class="command"><strong>rndc server-stale off</strong></span> which
- override the named.conf setting. <span class="command"><strong>rndc
- server-stale reset</strong></span> will restore control
- via named.conf.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>nocookie-udp-size</strong></span></span></dt>
-<dd>
- <p>
- Sets the maximum size of UDP responses that will be
- sent to queries without a valid server COOKIE. A value
- below 128 will be silently raised to 128. The default
- value is 4096, but the <span class="command"><strong>max-udp-size</strong></span>
- option may further limit the response size.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>sit-secret</strong></span></span></dt>
-<dd>
- <p>
- This experimental option is obsolete.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>cookie-algorithm</strong></span></span></dt>
-<dd>
- <p>
- Set the algorithm to be used when generating the
- server cookie. One of "aes", "sha1" or "sha256".
- The default is "aes" if supported by the cryptographic
- library or otherwise "sha256".
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>cookie-secret</strong></span></span></dt>
-<dd>
- <p>
- If set, this is a shared secret used for generating
- and verifying EDNS COOKIE options
- within an anycast cluster. If not set, the system
- will generate a random secret at startup. The
- shared secret is encoded as a hex string and needs
- to be 128 bits for AES128, 160 bits for SHA1 and
- 256 bits for SHA256.
- </p>
- <p>
- If there are multiple secrets specified, the first
- one listed in <code class="filename">named.conf</code> is
- used to generate new server cookies. The others
- will only be used to verify returned cookies.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>response-padding</strong></span></span></dt>
-<dd>
- <p>
- The EDNS Padding option is intended to improve
- confidentiality when DNS queries are sent over an
- encrypted channel by reducing the variability in
- packet sizes. If a query:
- </p>
-<div class="orderedlist"><ol class="orderedlist" type="1">
-<li class="listitem">
- contains an EDNS Padding option,
- </li>
-<li class="listitem">
- includes a valid server cookie or uses TCP,
- </li>
-<li class="listitem">
- is <span class="emphasis"><em>not</em></span> signed using TSIG or
- SIG(0), and
- </li>
-<li class="listitem">
- is from a client whose address matches the specified ACL,
- </li>
-</ol></div>
-<p>
- then the response is padded with an EDNS Padding option
- to a multiple of <code class="varname">block-size</code> bytes.
- If these conditions are not met, the response is not
- padded.
- </p>
- <p>
- If <code class="varname">block-size</code> is 0 or the ACL is
- <span class="command"><strong>none;</strong></span>, then this feature is
- disabled and no padding will occur; this is the
- default. If <code class="varname">block-size</code> is greater
- than 512, a warning is logged and the value is truncated
- to 512. Block sizes are ordinarily expected to be powers
- of two (for instance, 128), but this is not mandatory.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>rfc2308-type1</strong></span></span></dt>
-<dd>
- <p>
- Setting this to <strong class="userinput"><code>yes</code></strong> will
- cause the server to send NS records along with the SOA
- record for negative
- answers. The default is <strong class="userinput"><code>no</code></strong>.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- Not yet implemented in <acronym class="acronym">BIND</acronym>
- 9.
- </p>
- </div>
- </dd>
-<dt><span class="term"><span class="command"><strong>trust-anchor-telemetry</strong></span></span></dt>
-<dd>
- <p>
- Causes <span class="command"><strong>named</strong></span> to send specially-formed
- queries once per day to domains for which trust anchors
- have been configured via <span class="command"><strong>trusted-keys</strong></span>,
- <span class="command"><strong>managed-keys</strong></span>,
- <span class="command"><strong>dnssec-validation auto</strong></span>, or
- <span class="command"><strong>dnssec-lookaside auto</strong></span>.
- </p>
- <p>
- The query name used for these queries has the
- form "_ta-xxxx(-xxxx)(...)".<domain>, where
- each "xxxx" is a group of four hexadecimal digits
- representing the key ID of a trusted DNSSEC key.
- The key IDs for each domain are sorted smallest
- to largest prior to encoding. The query type is NULL.
- </p>
- <p>
- By monitoring these queries, zone operators will
- be able to see which resolvers have been updated to
- trust a new key; this may help them decide when it
- is safe to remove an old one.
- </p>
- <p>
- The default is <strong class="userinput"><code>yes</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>use-id-pool</strong></span></span></dt>
-<dd>
- <p>
- <span class="emphasis"><em>This option is obsolete</em></span>.
- <acronym class="acronym">BIND</acronym> 9 always allocates query
- IDs from a pool.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>use-ixfr</strong></span></span></dt>
-<dd>
- <p>
- <span class="emphasis"><em>This option is obsolete</em></span>.
- If you need to disable IXFR to a particular server or
- servers, see
- the information on the <span class="command"><strong>provide-ixfr</strong></span> option
- in <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span class="command"><strong>server</strong></span> Statement Definition and
- Usage”</a>.
- See also
- <a class="xref" href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>provide-ixfr</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>provide-ixfr</strong></span> in
- <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span class="command"><strong>server</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>request-ixfr</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>request-ixfr</strong></span> in
- <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span class="command"><strong>server</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>request-expire</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>request-expire</strong></span> in
- <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span class="command"><strong>server</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>treat-cr-as-space</strong></span></span></dt>
-<dd>
- <p>
- This option was used in <acronym class="acronym">BIND</acronym>
- 8 to make
- the server treat carriage return ("<span class="command"><strong>\r</strong></span>") characters the same way
- as a space or tab character,
- to facilitate loading of zone files on a UNIX system that
- were generated
- on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span class="command"><strong>\n</strong></span>"
- and NT/DOS "<span class="command"><strong>\r\n</strong></span>" newlines
- are always accepted,
- and the option is ignored.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>match-mapped-addresses</strong></span></span></dt>
-<dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong>, then an
- IPv4-mapped IPv6 address will match any address match
- list entries that match the corresponding IPv4 address.
- </p>
- <p>
- This option was introduced to work around a kernel quirk
- in some operating systems that causes IPv4 TCP
- connections, such as zone transfers, to be accepted on an
- IPv6 socket using mapped addresses. This caused address
- match lists designed for IPv4 to fail to match. However,
- <span class="command"><strong>named</strong></span> now solves this problem
- internally. The use of this option is discouraged.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
-<dd>
- <p>
- This option is only available when
- <acronym class="acronym">BIND</acronym> 9 is compiled with the
- <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the
- "configure" command line. It is intended to help the
- transition from IPv4 to IPv6 by not giving IPv6 addresses
- to DNS clients unless they have connections to the IPv6
- Internet. This is not recommended unless absolutely
- necessary. The default is <strong class="userinput"><code>no</code></strong>.
- The <span class="command"><strong>filter-aaaa-on-v4</strong></span> option
- may also be specified in <span class="command"><strong>view</strong></span> statements
- to override the global <span class="command"><strong>filter-aaaa-on-v4</strong></span>
- option.
- </p>
- <p>
- If <strong class="userinput"><code>yes</code></strong>,
- the DNS client is at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
- and if the response does not include DNSSEC signatures,
- then all AAAA records are deleted from the response.
- This filtering applies to all responses and not only
- authoritative responses.
- </p>
- <p>
- If <strong class="userinput"><code>break-dnssec</code></strong>,
- then AAAA records are deleted even when DNSSEC is enabled.
- As suggested by the name, this makes the response not verify,
- because the DNSSEC protocol is designed detect deletions.
- </p>
- <p>
- This mechanism can erroneously cause other servers to
- not give AAAA records to their clients.
- A recursing server with both IPv6 and IPv4 network connections
- that queries an authoritative server using this mechanism
- via IPv4 will be denied AAAA records even if its client is
- using IPv6.
- </p>
- <p>
- This mechanism is applied to authoritative as well as
- non-authoritative records.
- A client using IPv4 that is not allowed recursion can
- erroneously be given AAAA records because the server is not
- allowed to check for A records.
- </p>
- <p>
- Some AAAA records are given to IPv4 clients in glue records.
- IPv4 clients that are servers can then erroneously
- answer requests for AAAA records received via IPv4.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v6</strong></span></span></dt>
-<dd>
- <p>
- Identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
- except it filters AAAA responses to queries from IPv6
- clients instead of IPv4 clients. To filter all
- responses, set both options to <strong class="userinput"><code>yes</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt>
-<dd>
- <p>
- When <strong class="userinput"><code>yes</code></strong> and the server loads a new
- version of a master zone from its zone file or receives a
- new version of a slave file via zone transfer, it will
- compare the new version to the previous one and calculate
- a set of differences. The differences are then logged in
- the zone's journal file such that the changes can be
- transmitted to downstream slaves as an incremental zone
- transfer.
- </p>
- <p>
- By allowing incremental zone transfers to be used for
- non-dynamic zones, this option saves bandwidth at the
- expense of increased CPU and memory consumption at the
- master.
- In particular, if the new version of a zone is completely
- different from the previous one, the set of differences
- will be of a size comparable to the combined size of the
- old and new zone version, and the server will need to
- temporarily allocate memory to hold this complete
- difference set.
- </p>
- <p><span class="command"><strong>ixfr-from-differences</strong></span>
- also accepts <span class="command"><strong>master</strong></span> and
- <span class="command"><strong>slave</strong></span> at the view and options
- levels which causes
- <span class="command"><strong>ixfr-from-differences</strong></span> to be enabled for
- all <span class="command"><strong>master</strong></span> or
- <span class="command"><strong>slave</strong></span> zones respectively.
- It is off by default.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
-<dd>
- <p>
- This should be set when you have multiple masters for a zone
- and the
- addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span class="command"><strong>named</strong></span> will
- not log
- when the serial number on the master is less than what <span class="command"><strong>named</strong></span>
- currently
- has. The default is <strong class="userinput"><code>no</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt>
-<dd>
- <p>
- Zones configured for dynamic DNS may use this
- option to allow varying levels of automatic DNSSEC key
- management. There are three possible settings:
- </p>
- <p>
- <span class="command"><strong>auto-dnssec allow;</strong></span> permits
- keys to be updated and the zone fully re-signed
- whenever the user issues the command <span class="command"><strong>rndc sign
- <em class="replaceable"><code>zonename</code></em></strong></span>.
- </p>
- <p>
- <span class="command"><strong>auto-dnssec maintain;</strong></span> includes the
- above, but also automatically adjusts the zone's DNSSEC
- keys on schedule, according to the keys' timing metadata
- (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
- <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
- <span class="command"><strong>rndc sign
- <em class="replaceable"><code>zonename</code></em></strong></span> causes
- <span class="command"><strong>named</strong></span> to load keys from the key
- repository and sign the zone with all keys that are
- active.
- <span class="command"><strong>rndc loadkeys
- <em class="replaceable"><code>zonename</code></em></strong></span> causes
- <span class="command"><strong>named</strong></span> to load keys from the key
- repository and schedule key maintenance events to occur
- in the future, but it does not sign the full zone
- immediately. Note: once keys have been loaded for a
- zone the first time, the repository will be searched
- for changes periodically, regardless of whether
- <span class="command"><strong>rndc loadkeys</strong></span> is used. The recheck
- interval is defined by
- <span class="command"><strong>dnssec-loadkeys-interval</strong></span>.)
- </p>
- <p>
- The default setting is <span class="command"><strong>auto-dnssec off</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-enable</strong></span></span></dt>
-<dd>
- <p>
- This indicates whether DNSSEC-related resource
- records are to be returned by <span class="command"><strong>named</strong></span>.
- If set to <strong class="userinput"><code>no</code></strong>,
- <span class="command"><strong>named</strong></span> will not return DNSSEC-related
- resource records unless specifically queried for.
- The default is <strong class="userinput"><code>yes</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-validation</strong></span></span></dt>
-<dd>
- <p>
- Enable DNSSEC validation in <span class="command"><strong>named</strong></span>.
- Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
- set to <strong class="userinput"><code>yes</code></strong> to be effective.
- If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
- is disabled. If set to <strong class="userinput"><code>auto</code></strong>,
- DNSSEC validation is enabled, and a default
- trust-anchor for the DNS root zone is used. If set to
- <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
- but a trust anchor must be manually configured using
- a <span class="command"><strong>trusted-keys</strong></span> or
- <span class="command"><strong>managed-keys</strong></span> statement. The default
- is <strong class="userinput"><code>yes</code></strong>.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- Whenever the resolver sends out queries to an
- EDNS-compliant server, it always sets the DO bit
- indicating it can support DNSSEC responses even if
- <span class="command"><strong>dnssec-validation</strong></span> is off.
- </p>
- </div>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-accept-expired</strong></span></span></dt>
-<dd>
- <p>
- Accept expired signatures when verifying DNSSEC signatures.
- The default is <strong class="userinput"><code>no</code></strong>.
- Setting this option to <strong class="userinput"><code>yes</code></strong>
- leaves <span class="command"><strong>named</strong></span> vulnerable to
- replay attacks.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>querylog</strong></span></span></dt>
-<dd>
- <p>
- Specify whether query logging should be started when <span class="command"><strong>named</strong></span>
- starts.
- If <span class="command"><strong>querylog</strong></span> is not specified,
- then the query logging
- is determined by the presence of the logging category <span class="command"><strong>queries</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
-<dd>
- <p>
- This option is used to restrict the character set and syntax
- of
- certain domain names in master files and/or DNS responses
- received
- from the network. The default varies according to usage
- area. For
- <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>.
- For <span class="command"><strong>slave</strong></span> zones the default
- is <span class="command"><strong>warn</strong></span>.
- For answers received from the network (<span class="command"><strong>response</strong></span>)
- the default is <span class="command"><strong>ignore</strong></span>.
- </p>
- <p>
- The rules for legal hostnames and mail domains are derived
- from RFC 952 and RFC 821 as modified by RFC 1123.
- </p>
- <p><span class="command"><strong>check-names</strong></span>
- applies to the owner names of A, AAAA and MX records.
- It also applies to the domain names in the RDATA of NS, SOA,
- MX, and SRV records.
- It also applies to the RDATA of PTR records where the owner
- name indicated that it is a reverse lookup of a hostname
- (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-dup-records</strong></span></span></dt>
-<dd>
- <p>
- Check master zones for records that are treated as different
- by DNSSEC but are semantically equal in plain DNS. The
- default is to <span class="command"><strong>warn</strong></span>. Other possible
- values are <span class="command"><strong>fail</strong></span> and
- <span class="command"><strong>ignore</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt>
-<dd>
- <p>
- Check whether the MX record appears to refer to a IP address.
- The default is to <span class="command"><strong>warn</strong></span>. Other possible
- values are <span class="command"><strong>fail</strong></span> and
- <span class="command"><strong>ignore</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt>
-<dd>
- <p>
- This option is used to check for non-terminal wildcards.
- The use of non-terminal wildcards is almost always as a
- result of a failure
- to understand the wildcard matching algorithm (RFC 1034).
- This option
- affects master zones. The default (<span class="command"><strong>yes</strong></span>) is to check
- for non-terminal wildcards and issue a warning.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt>
-<dd>
- <p>
- Perform post load zone integrity checks on master
- zones. This checks that MX and SRV records refer
- to address (A or AAAA) records and that glue
- address records exist for delegated zones. For
- MX and SRV records only in-zone hostnames are
- checked (for out-of-zone hostnames use
- <span class="command"><strong>named-checkzone</strong></span>).
- For NS records only names below top of zone are
- checked (for out-of-zone names and glue consistency
- checks use <span class="command"><strong>named-checkzone</strong></span>).
- The default is <span class="command"><strong>yes</strong></span>.
- </p>
- <p>
- The use of the SPF record for publishing Sender
- Policy Framework is deprecated as the migration
- from using TXT records to SPF records was abandoned.
- Enabling this option also checks that a TXT Sender
- Policy Framework record exists (starts with "v=spf1")
- if there is an SPF record. Warnings are emitted if the
- TXT record does not exist and can be suppressed with
- <span class="command"><strong>check-spf</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-mx-cname</strong></span></span></dt>
-<dd>
- <p>
- If <span class="command"><strong>check-integrity</strong></span> is set then
- fail, warn or ignore MX records that refer
- to CNAMES. The default is to <span class="command"><strong>warn</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-srv-cname</strong></span></span></dt>
-<dd>
- <p>
- If <span class="command"><strong>check-integrity</strong></span> is set then
- fail, warn or ignore SRV records that refer
- to CNAMES. The default is to <span class="command"><strong>warn</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt>
-<dd>
- <p>
- When performing integrity checks, also check that
- sibling glue exists. The default is <span class="command"><strong>yes</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt>
-<dd>
- <p>
- If <span class="command"><strong>check-integrity</strong></span> is set then
- check that there is a TXT Sender Policy Framework
- record present (starts with "v=spf1") if there is an
- SPF record present. The default is
- <span class="command"><strong>warn</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt>
-<dd>
- <p>
- When returning authoritative negative responses to
- SOA queries set the TTL of the SOA record returned in
- the authority section to zero.
- The default is <span class="command"><strong>yes</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl-cache</strong></span></span></dt>
-<dd>
- <p>
- When caching a negative response to a SOA query
- set the TTL to zero.
- The default is <span class="command"><strong>no</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt>
-<dd>
- <p>
- When set to the default value of <code class="literal">yes</code>,
- check the KSK bit in each key to determine how the key
- should be used when generating RRSIGs for a secure zone.
- </p>
- <p>
- Ordinarily, zone-signing keys (that is, keys without the
- KSK bit set) are used to sign the entire zone, while
- key-signing keys (keys with the KSK bit set) are only
- used to sign the DNSKEY RRset at the zone apex.
- However, if this option is set to <code class="literal">no</code>,
- then the KSK bit is ignored; KSKs are treated as if they
- were ZSKs and are used to sign the entire zone. This is
- similar to the <span class="command"><strong>dnssec-signzone -z</strong></span>
- command line option.
- </p>
- <p>
- When this option is set to <code class="literal">yes</code>, there
- must be at least two active keys for every algorithm
- represented in the DNSKEY RRset: at least one KSK and one
- ZSK per algorithm. If there is any algorithm for which
- this requirement is not met, this option will be ignored
- for that algorithm.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt>
-<dd>
- <p>
- When this option and <span class="command"><strong>update-check-ksk</strong></span>
- are both set to <code class="literal">yes</code>, only key-signing
- keys (that is, keys with the KSK bit set) will be used
- to sign the DNSKEY RRset at the zone apex. Zone-signing
- keys (keys without the KSK bit set) will be used to sign
- the remainder of the zone, but not the DNSKEY RRset.
- This is similar to the
- <span class="command"><strong>dnssec-signzone -x</strong></span> command line option.
- </p>
- <p>
- The default is <span class="command"><strong>no</strong></span>. If
- <span class="command"><strong>update-check-ksk</strong></span> is set to
- <code class="literal">no</code>, this option is ignored.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt>
-<dd>
- <p>
- Try to refresh the zone using TCP if UDP queries fail.
- For BIND 8 compatibility, the default is
- <span class="command"><strong>yes</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt>
-<dd>
- <p>
- Allow a dynamic zone to transition from secure to
- insecure (i.e., signed to unsigned) by deleting all
- of the DNSKEY records. The default is <span class="command"><strong>no</strong></span>.
- If set to <span class="command"><strong>yes</strong></span>, and if the DNSKEY RRset
- at the zone apex is deleted, all RRSIG and NSEC records
- will be removed from the zone as well.
- </p>
- <p>
- If the zone uses NSEC3, then it is also necessary to
- delete the NSEC3PARAM RRset from the zone apex; this will
- cause the removal of all corresponding NSEC3 records.
- (It is expected that this requirement will be eliminated
- in a future release.)
- </p>
- <p>
- Note that if a zone has been configured with
- <span class="command"><strong>auto-dnssec maintain</strong></span> and the
- private keys remain accessible in the key repository,
- then the zone will be automatically signed again the
- next time <span class="command"><strong>named</strong></span> is started.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>synth-from-dnssec</strong></span></span></dt>
-<dd>
- <p>
- Synthesize answers from cached NSEC, NSEC3 and
- other RRsets that have been proved to be correct
- using DNSSEC. The default is <span class="command"><strong>yes</strong></span>.
- </p>
- <p>
- Note:
- </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- DNSSEC validation must be enabled for this
- option to be effective.
- </p>
- </li>
-<li class="listitem">
- <p>
- This initial implementation only covers
- NXDOMAIN synthesis from NSEC records.
- Synthesis of NODATA and wildcard responses
- is also planned, as is synthesis from NSEC3
- records. All of these will be controlled
- by <span class="command"><strong>synth-from-dnssec</strong></span>.
- </p>
- </li>
-</ul></div>
-<p>
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="forwarding"></a>Forwarding</h4></div></div></div>
-
- <p>
- The forwarding facility can be used to create a large site-wide
- cache on a few servers, reducing traffic over links to external
- name servers. It can also be used to allow queries by servers that
- do not have direct access to the Internet, but wish to look up
- exterior
- names anyway. Forwarding occurs only on those queries for which
- the server is not authoritative and does not have the answer in
- its cache.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
-<dd>
- <p>
- This option is only meaningful if the
- forwarders list is not empty. A value of <code class="varname">first</code>,
- the default, causes the server to query the forwarders
- first — and
- if that doesn't answer the question, the server will then
- look for
- the answer itself. If <code class="varname">only</code> is
- specified, the
- server will only query the forwarders.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
-<dd>
- <p>
- Specifies the IP addresses to be used
- for forwarding. The default is the empty list (no
- forwarding).
- </p>
- </dd>
-</dl></div>
-
- <p>
- Forwarding can also be configured on a per-domain basis, allowing
- for the global forwarding options to be overridden in a variety
- of ways. You can set particular domains to use different
- forwarders,
- or have a different <span class="command"><strong>forward only/first</strong></span> behavior,
- or not forward at all, see <a class="xref" href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called “<span class="command"><strong>zone</strong></span>
- Statement Grammar”</a>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="dual_stack"></a>Dual-stack Servers</h4></div></div></div>
-
- <p>
- Dual-stack servers are used as servers of last resort to work
- around
- problems in reachability due the lack of support for either IPv4
- or IPv6
- on the host machine.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>dual-stack-servers</strong></span></span></dt>
-<dd>
- <p>
- Specifies host names or addresses of machines with access to
- both IPv4 and IPv6 transports. If a hostname is used, the
- server must be able
- to resolve the name using only the transport it has. If the
- machine is dual
- stacked, then the <span class="command"><strong>dual-stack-servers</strong></span> have no effect unless
- access to a transport has been disabled on the command line
- (e.g. <span class="command"><strong>named -4</strong></span>).
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="access_control"></a>Access Control</h4></div></div></div>
-
-
- <p>
- Access to the server can be restricted based on the IP address
- of the requesting system. See <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
- details on how to specify IP address lists.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt>
-<dd>
- <p>
- Specifies which hosts are allowed to
- notify this server, a slave, of zone changes in addition
- to the zone masters.
- <span class="command"><strong>allow-notify</strong></span> may also be
- specified in the
- <span class="command"><strong>zone</strong></span> statement, in which case
- it overrides the
- <span class="command"><strong>options allow-notify</strong></span>
- statement. It is only meaningful
- for a slave zone. If not specified, the default is to
- process notify messages
- only from a zone's master.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt>
-<dd>
- <p>
- Specifies which hosts are allowed to ask ordinary
- DNS questions. <span class="command"><strong>allow-query</strong></span> may
- also be specified in the <span class="command"><strong>zone</strong></span>
- statement, in which case it overrides the
- <span class="command"><strong>options allow-query</strong></span> statement.
- If not specified, the default is to allow queries
- from all hosts.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- <span class="command"><strong>allow-query-cache</strong></span> is now
- used to specify access to the cache.
- </p>
- </div>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt>
-<dd>
- <p>
- Specifies which local addresses can accept ordinary
- DNS questions. This makes it possible, for instance,
- to allow queries on internal-facing interfaces but
- disallow them on external-facing ones, without
- necessarily knowing the internal network's addresses.
- </p>
- <p>
- Note that <span class="command"><strong>allow-query-on</strong></span> is only
- checked for queries that are permitted by
- <span class="command"><strong>allow-query</strong></span>. A query must be
- allowed by both ACLs, or it will be refused.
- </p>
- <p>
- <span class="command"><strong>allow-query-on</strong></span> may
- also be specified in the <span class="command"><strong>zone</strong></span>
- statement, in which case it overrides the
- <span class="command"><strong>options allow-query-on</strong></span> statement.
- </p>
- <p>
- If not specified, the default is to allow queries
- on all addresses.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- <span class="command"><strong>allow-query-cache</strong></span> is
- used to specify access to the cache.
- </p>
- </div>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-query-cache</strong></span></span></dt>
-<dd>
- <p>
- Specifies which hosts are allowed to get answers
- from the cache. If <span class="command"><strong>allow-query-cache</strong></span>
- is not set then <span class="command"><strong>allow-recursion</strong></span>
- is used if set, otherwise <span class="command"><strong>allow-query</strong></span>
- is used if set unless <span class="command"><strong>recursion no;</strong></span> is
- set in which case <span class="command"><strong>none;</strong></span> is used,
- otherwise the default (<span class="command"><strong>localnets;</strong></span>
- <span class="command"><strong>localhost;</strong></span>) is used.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-query-cache-on</strong></span></span></dt>
-<dd>
- <p>
- Specifies which local addresses can give answers
- from the cache. If not specified, the default is
- to allow cache queries on any address,
- <span class="command"><strong>localnets</strong></span> and
- <span class="command"><strong>localhost</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-recursion</strong></span></span></dt>
-<dd>
- <p>
- Specifies which hosts are allowed to make recursive
- queries through this server. If
- <span class="command"><strong>allow-recursion</strong></span> is not set
- then <span class="command"><strong>allow-query-cache</strong></span> is
- used if set, otherwise <span class="command"><strong>allow-query</strong></span>
- is used if set, otherwise the default
- (<span class="command"><strong>localnets;</strong></span>
- <span class="command"><strong>localhost;</strong></span>) is used.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-recursion-on</strong></span></span></dt>
-<dd>
- <p>
- Specifies which local addresses can accept recursive
- queries. If not specified, the default is to allow
- recursive queries on all addresses.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
-<dd>
- <p>
- Specifies which hosts are allowed to
- submit Dynamic DNS updates for master zones. The default is
- to deny
- updates from all hosts. Note that allowing updates based
- on the requestor's IP address is insecure; see
- <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
-<dd>
- <p>
- Specifies which hosts are allowed to
- submit Dynamic DNS updates to slave zones to be forwarded to
- the
- master. The default is <strong class="userinput"><code>{ none; }</code></strong>,
- which
- means that no update forwarding will be performed. To
- enable
- update forwarding, specify
- <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
- Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
- <strong class="userinput"><code>{ any; }</code></strong> is usually
- counterproductive, since
- the responsibility for update access control should rest
- with the
- master server, not the slaves.
- </p>
- <p>
- Note that enabling the update forwarding feature on a slave
- server
- may expose master servers relying on insecure IP address
- based
- access control to attacks; see <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
- for more details.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt>
-<dd>
- <p>
- This option was introduced for the smooth transition from
- AAAA
- to A6 and from "nibble labels" to binary labels.
- However, since both A6 and binary labels were then
- deprecated,
- this option was also deprecated.
- It is now ignored with some warning messages.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
-<dd>
- <p>
- Specifies which hosts are allowed to
- receive zone transfers from the server. <span class="command"><strong>allow-transfer</strong></span> may
- also be specified in the <span class="command"><strong>zone</strong></span>
- statement, in which
- case it overrides the <span class="command"><strong>options allow-transfer</strong></span> statement.
- If not specified, the default is to allow transfers to all
- hosts.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>blackhole</strong></span></span></dt>
-<dd>
- <p>
- Specifies a list of addresses that the
- server will not accept queries from or use to resolve a
- query. Queries
- from these addresses will not be responded to. The default
- is <strong class="userinput"><code>none</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
-<dd>
- <p>
- Specifies a list of addresses to which
- <span class="command"><strong>filter-aaaa-on-v4</strong></span>
- and <span class="command"><strong>filter-aaaa-on-v6</strong></span>
- apply. The default is <strong class="userinput"><code>any</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>keep-response-order</strong></span></span></dt>
-<dd>
- <p>
- Specifies a list of addresses to which the server
- will send responses to TCP queries in the same order
- in which they were received. This disables the
- processing of TCP queries in parallel. The default
- is <strong class="userinput"><code>none</code></strong>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>no-case-compress</strong></span></span></dt>
-<dd>
- <p>
- Specifies a list of addresses which require responses
- to use case-insensitive compression. This ACL can be
- used when <span class="command"><strong>named</strong></span> needs to work with
- clients that do not comply with the requirement in RFC
- 1034 to use case-insensitive name comparisons when
- checking for matching domain names.
- </p>
- <p>
- If left undefined, the ACL defaults to
- <span class="command"><strong>none</strong></span>: case-insensitive compression
- will be used for all clients. If the ACL is defined and
- matches a client, then case will be ignored when
- compressing domain names in DNS responses sent to that
- client.
- </p>
- <p>
- This can result in slightly smaller responses: if
- a response contains the names "example.com" and
- "example.COM", case-insensitive compression would treat
- the second one as a duplicate. It also ensures
- that the case of the query name exactly matches the
- case of the owner names of returned records, rather
- than matching the case of the records entered in
- the zone file. This allows responses to exactly
- match the query, which is required by some clients
- due to incorrect use of case-sensitive comparisons.
- </p>
- <p>
- Case-insensitive compression is <span class="emphasis"><em>always</em></span>
- used in AXFR and IXFR responses, regardless of whether
- the client matches this ACL.
- </p>
- <p>
- There are circumstances in which <span class="command"><strong>named</strong></span>
- will not preserve the case of owner names of records:
- if a zone file defines records of different types with
- the same name, but the capitalization of the name is
- different (e.g., "www.example.com/A" and
- "WWW.EXAMPLE.COM/AAAA"), then all responses for that
- name will use the <span class="emphasis"><em>first</em></span> version
- of the name that was used in the zone file. This
- limitation may be addressed in a future release. However,
- domain names specified in the rdata of resource records
- (i.e., records of type NS, MX, CNAME, etc) will always
- have their case preserved unless the client matches this
- ACL.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>resolver-query-timeout</strong></span></span></dt>
-<dd>
- <p>
- The amount of time in milliseconds that the resolver
- will spend attempting to resolve a recursive
- query before failing. The default and minimum
- is <code class="literal">10000</code> and the maximum is
- <code class="literal">30000</code>. Setting it to
- <code class="literal">0</code> will result in the default
- being used.
- </p>
- <p>
- This value was originally specified in seconds.
- Values less than or equal to 300 will be be treated
- as seconds and converted to milliseconds before
- applying the above limits.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="interfaces"></a>Interfaces</h4></div></div></div>
-
- <p>
- The interfaces and ports that the server will answer queries
- from may be specified using the <span class="command"><strong>listen-on</strong></span> option. <span class="command"><strong>listen-on</strong></span> takes
- an optional port and an <code class="varname">address_match_list</code>
- of IPv4 addresses. (IPv6 addresses are ignored, with a
- logged warning.)
- The server will listen on all interfaces allowed by the address
- match list. If a port is not specified, port 53 will be used.
- </p>
- <p>
- Multiple <span class="command"><strong>listen-on</strong></span> statements are
- allowed.
- For example,
- </p>
-
-<pre class="programlisting">listen-on { 5.6.7.8; };
-listen-on port 1234 { !1.2.3.4; 1.2/16; };
-</pre>
-
- <p>
- will enable the name server on port 53 for the IP address
- 5.6.7.8, and on port 1234 of an address on the machine in net
- 1.2 that is not 1.2.3.4.
- </p>
-
- <p>
- If no <span class="command"><strong>listen-on</strong></span> is specified, the
- server will listen on port 53 on all IPv4 interfaces.
- </p>
-
- <p>
- The <span class="command"><strong>listen-on-v6</strong></span> option is used to
- specify the interfaces and the ports on which the server will
- listen for incoming queries sent using IPv6. If not specified,
- the server will listen on port 53 on all IPv6 interfaces.
- </p>
-
- <p>
- When </p>
-<pre class="programlisting">{ any; }</pre>
-<p> is
- specified
- as the <code class="varname">address_match_list</code> for the
- <span class="command"><strong>listen-on-v6</strong></span> option,
- the server does not bind a separate socket to each IPv6 interface
- address as it does for IPv4 if the operating system has enough API
- support for IPv6 (specifically if it conforms to RFC 3493 and RFC
- 3542).
- Instead, it listens on the IPv6 wildcard address.
- If the system only has incomplete API support for IPv6, however,
- the behavior is the same as that for IPv4.
- </p>
-
- <p>
- A list of particular IPv6 addresses can also be specified, in
- which case
- the server listens on a separate socket for each specified
- address,
- regardless of whether the desired API is supported by the system.
- IPv4 addresses specified in <span class="command"><strong>listen-on-v6</strong></span>
- will be ignored, with a logged warning.
- </p>
-
- <p>
- Multiple <span class="command"><strong>listen-on-v6</strong></span> options can
- be used.
- For example,
- </p>
-
-<pre class="programlisting">listen-on-v6 { any; };
-listen-on-v6 port 1234 { !2001:db8::/32; any; };
-</pre>
-
- <p>
- will enable the name server on port 53 for any IPv6 addresses
- (with a single wildcard socket),
- and on port 1234 of IPv6 addresses that is not in the prefix
- 2001:db8::/32 (with separate sockets for each matched address.)
- </p>
-
- <p>
- To make the server not listen on any IPv6 address, use
- </p>
-
-<pre class="programlisting">listen-on-v6 { none; };
-</pre>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="query_address"></a>Query Address</h4></div></div></div>
-
- <p>
- If the server doesn't know the answer to a question, it will
- query other name servers. <span class="command"><strong>query-source</strong></span> specifies
- the address and port used for such queries. For queries sent over
- IPv6, there is a separate <span class="command"><strong>query-source-v6</strong></span> option.
- If <span class="command"><strong>address</strong></span> is <span class="command"><strong>*</strong></span> (asterisk) or is omitted,
- a wildcard IP address (<span class="command"><strong>INADDR_ANY</strong></span>)
- will be used.
- </p>
-
- <p>
- If <span class="command"><strong>port</strong></span> is <span class="command"><strong>*</strong></span> or is omitted,
- a random port number from a pre-configured
- range is picked up and will be used for each query.
- The port range(s) is that specified in
- the <span class="command"><strong>use-v4-udp-ports</strong></span> (for IPv4)
- and <span class="command"><strong>use-v6-udp-ports</strong></span> (for IPv6)
- options, excluding the ranges specified in
- the <span class="command"><strong>avoid-v4-udp-ports</strong></span>
- and <span class="command"><strong>avoid-v6-udp-ports</strong></span> options, respectively.
- </p>
-
- <p>
- The defaults of the <span class="command"><strong>query-source</strong></span> and
- <span class="command"><strong>query-source-v6</strong></span> options
- are:
- </p>
-
-<pre class="programlisting">query-source address * port *;
-query-source-v6 address * port *;
-</pre>
-
- <p>
- If <span class="command"><strong>use-v4-udp-ports</strong></span> or
- <span class="command"><strong>use-v6-udp-ports</strong></span> is unspecified,
- <span class="command"><strong>named</strong></span> will check if the operating
- system provides a programming interface to retrieve the
- system's default range for ephemeral ports.
- If such an interface is available,
- <span class="command"><strong>named</strong></span> will use the corresponding system
- default range; otherwise, it will use its own defaults:
- </p>
-
-<pre class="programlisting">use-v4-udp-ports { range 1024 65535; };
-use-v6-udp-ports { range 1024 65535; };
-</pre>
-
- <p>
- Note: make sure the ranges be sufficiently large for
- security. A desirable size depends on various parameters,
- but we generally recommend it contain at least 16384 ports
- (14 bits of entropy).
- Note also that the system's default range when used may be
- too small for this purpose, and that the range may even be
- changed while <span class="command"><strong>named</strong></span> is running; the new
- range will automatically be applied when <span class="command"><strong>named</strong></span>
- is reloaded.
- It is encouraged to
- configure <span class="command"><strong>use-v4-udp-ports</strong></span> and
- <span class="command"><strong>use-v6-udp-ports</strong></span> explicitly so that the
- ranges are sufficiently large and are reasonably
- independent from the ranges used by other applications.
- </p>
-
- <p>
- Note: the operational configuration
- where <span class="command"><strong>named</strong></span> runs may prohibit the use
- of some ports. For example, UNIX systems will not allow
- <span class="command"><strong>named</strong></span> running without a root privilege
- to use ports less than 1024.
- If such ports are included in the specified (or detected)
- set of query ports, the corresponding query attempts will
- fail, resulting in resolution failures or delay.
- It is therefore important to configure the set of ports
- that can be safely used in the expected operational environment.
- </p>
-
- <p>
- The defaults of the <span class="command"><strong>avoid-v4-udp-ports</strong></span> and
- <span class="command"><strong>avoid-v6-udp-ports</strong></span> options
- are:
- </p>
-
-<pre class="programlisting">avoid-v4-udp-ports {};
-avoid-v6-udp-ports {};
-</pre>
-
- <p>
- Note: BIND 9.5.0 introduced
- the <span class="command"><strong>use-queryport-pool</strong></span>
- option to support a pool of such random ports, but this
- option is now obsolete because reusing the same ports in
- the pool may not be sufficiently secure.
- For the same reason, it is generally strongly discouraged to
- specify a particular port for the
- <span class="command"><strong>query-source</strong></span> or
- <span class="command"><strong>query-source-v6</strong></span> options;
- it implicitly disables the use of randomized port numbers.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>use-queryport-pool</strong></span></span></dt>
-<dd>
- <p>
- This option is obsolete.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>queryport-pool-ports</strong></span></span></dt>
-<dd>
- <p>
- This option is obsolete.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>queryport-pool-updateinterval</strong></span></span></dt>
-<dd>
- <p>
- This option is obsolete.
- </p>
- </dd>
-</dl></div>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- The address specified in the <span class="command"><strong>query-source</strong></span> option
- is used for both UDP and TCP queries, but the port applies only
- to UDP queries. TCP queries always use a random
- unprivileged port.
- </p>
- </div>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- Solaris 2.5.1 and earlier does not support setting the source
- address for TCP sockets.
- </p>
- </div>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- See also <span class="command"><strong>transfer-source</strong></span> and
- <span class="command"><strong>notify-source</strong></span>.
- </p>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
-
- <p>
- <acronym class="acronym">BIND</acronym> has mechanisms in place to
- facilitate zone transfers
- and set limits on the amount of load that transfers place on the
- system. The following options apply to zone transfers.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt>
-<dd>
- <p>
- Defines a global list of IP addresses of name servers
- that are also sent NOTIFY messages whenever a fresh copy of
- the
- zone is loaded, in addition to the servers listed in the
- zone's NS records.
- This helps to ensure that copies of the zones will
- quickly converge on stealth servers.
- Optionally, a port may be specified with each
- <span class="command"><strong>also-notify</strong></span> address to send
- the notify messages to a port other than the
- default of 53.
- An optional TSIG key can also be specified with each
- address to cause the notify messages to be signed; this
- can be useful when sending notifies to multiple views.
- In place of explicit addresses, one or more named
- <span class="command"><strong>masters</strong></span> lists can be used.
- </p>
- <p>
- If an <span class="command"><strong>also-notify</strong></span> list
- is given in a <span class="command"><strong>zone</strong></span> statement,
- it will override
- the <span class="command"><strong>options also-notify</strong></span>
- statement. When a <span class="command"><strong>zone notify</strong></span>
- statement
- is set to <span class="command"><strong>no</strong></span>, the IP
- addresses in the global <span class="command"><strong>also-notify</strong></span> list will
- not be sent NOTIFY messages for that zone. The default is
- the empty
- list (no global notification list).
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
-<dd>
- <p>
- Inbound zone transfers running longer than
- this many minutes will be terminated. The default is 120
- minutes
- (2 hours). The maximum value is 28 days (40320 minutes).
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt>
-<dd>
- <p>
- Inbound zone transfers making no progress
- in this many minutes will be terminated. The default is 60
- minutes
- (1 hour). The maximum value is 28 days (40320 minutes).
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt>
-<dd>
- <p>
- Outbound zone transfers running longer than
- this many minutes will be terminated. The default is 120
- minutes
- (2 hours). The maximum value is 28 days (40320 minutes).
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt>
-<dd>
- <p>
- Outbound zone transfers making no progress
- in this many minutes will be terminated. The default is 60
- minutes (1
- hour). The maximum value is 28 days (40320 minutes).
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify-rate</strong></span></span></dt>
-<dd>
- <p>
- The rate at which NOTIFY requests will be sent
- during normal zone maintenance operations. (NOTIFY
- requests due to initial zone loading are subject
- to a separate rate limit; see below.) The default is
- 20 per second.
- The lowest possible rate is one per second; when set
- to zero, it will be silently raised to one.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>startup-notify-rate</strong></span></span></dt>
-<dd>
- <p>
- The rate at which NOTIFY requests will be sent
- when the name server is first starting up, or when
- zones have been newly added to the nameserver.
- The default is 20 per second.
- The lowest possible rate is one per second; when set
- to zero, it will be silently raised to one.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>serial-query-rate</strong></span></span></dt>
-<dd>
- <p>
- Slave servers will periodically query master
- servers to find out if zone serial numbers have
- changed. Each such query uses a minute amount of
- the slave server's network bandwidth. To limit
- the amount of bandwidth used, BIND 9 limits the
- rate at which queries are sent. The value of the
- <span class="command"><strong>serial-query-rate</strong></span> option, an
- integer, is the maximum number of queries sent
- per second. The default is 20 per second.
- The lowest possible rate is one per second; when set
- to zero, it will be silently raised to one.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>serial-queries</strong></span></span></dt>
-<dd>
- <p>
- In BIND 8, the <span class="command"><strong>serial-queries</strong></span>
- option
- set the maximum number of concurrent serial number queries
- allowed to be outstanding at any given time.
- BIND 9 does not limit the number of outstanding
- serial queries and ignores the <span class="command"><strong>serial-queries</strong></span> option.
- Instead, it limits the rate at which the queries are sent
- as defined using the <span class="command"><strong>serial-query-rate</strong></span> option.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>transfer-format</strong></span></span></dt>
-<dd>
-
- <p>
- Zone transfers can be sent using two different formats,
- <span class="command"><strong>one-answer</strong></span> and
- <span class="command"><strong>many-answers</strong></span>.
- The <span class="command"><strong>transfer-format</strong></span> option is used
- on the master server to determine which format it sends.
- <span class="command"><strong>one-answer</strong></span> uses one DNS message per
- resource record transferred.
- <span class="command"><strong>many-answers</strong></span> packs as many resource
- records as possible into a message.
- <span class="command"><strong>many-answers</strong></span> is more efficient, but is
- only supported by relatively new slave servers,
- such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
- 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
- The <span class="command"><strong>many-answers</strong></span> format is also supported by
- recent Microsoft Windows nameservers.
- The default is <span class="command"><strong>many-answers</strong></span>.
- <span class="command"><strong>transfer-format</strong></span> may be overridden on a
- per-server basis by using the <span class="command"><strong>server</strong></span>
- statement.
- </p>
-
- </dd>
-<dt><span class="term"><span class="command"><strong>transfer-message-size</strong></span></span></dt>
-<dd>
- <p>
- This is an upper bound on the uncompressed size of DNS
- messages used in zone transfers over TCP. If a message
- grows larger than this size, additional messages will be
- used to complete the zone transfer. (Note, however,
- that this is a hint, not a hard limit; if a message
- contains a single resource record whose RDATA does not
- fit within the size limit, a larger message will be
- permitted so the record can be transferred.)
- </p>
- <p>
- Valid values are between 512 and 65535 octets, and any
- values outside that range will be adjusted to the nearest
- value within it. The default is <code class="literal">20480</code>,
- which was selected to improve message compression:
- most DNS messages of this size will compress to less
- than 16536 bytes. Larger messages cannot be compressed
- as effectively, because 16536 is the largest permissible
- compression offset pointer in a DNS message.
- </p>
- <p>
- This option is mainly intended for server testing;
- there is rarely any benefit in setting a value other
- than the default.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>transfers-in</strong></span></span></dt>
-<dd>
- <p>
- The maximum number of inbound zone transfers
- that can be running concurrently. The default value is <code class="literal">10</code>.
- Increasing <span class="command"><strong>transfers-in</strong></span> may
- speed up the convergence
- of slave zones, but it also may increase the load on the
- local system.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>transfers-out</strong></span></span></dt>
-<dd>
- <p>
- The maximum number of outbound zone transfers
- that can be running concurrently. Zone transfer requests in
- excess
- of the limit will be refused. The default value is <code class="literal">10</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>transfers-per-ns</strong></span></span></dt>
-<dd>
- <p>
- The maximum number of inbound zone transfers
- that can be concurrently transferring from a given remote
- name server.
- The default value is <code class="literal">2</code>.
- Increasing <span class="command"><strong>transfers-per-ns</strong></span>
- may
- speed up the convergence of slave zones, but it also may
- increase
- the load on the remote name server. <span class="command"><strong>transfers-per-ns</strong></span> may
- be overridden on a per-server basis by using the <span class="command"><strong>transfers</strong></span> phrase
- of the <span class="command"><strong>server</strong></span> statement.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt>
-<dd>
- <p><span class="command"><strong>transfer-source</strong></span>
- determines which local address will be bound to IPv4
- TCP connections used to fetch zones transferred
- inbound by the server. It also determines the
- source IPv4 address, and optionally the UDP port,
- used for the refresh queries and forwarded dynamic
- updates. If not set, it defaults to a system
- controlled value which will usually be the address
- of the interface "closest to" the remote end. This
- address must appear in the remote end's
- <span class="command"><strong>allow-transfer</strong></span> option for the
- zone being transferred, if one is specified. This
- statement sets the
- <span class="command"><strong>transfer-source</strong></span> for all zones,
- but can be overridden on a per-view or per-zone
- basis by including a
- <span class="command"><strong>transfer-source</strong></span> statement within
- the <span class="command"><strong>view</strong></span> or
- <span class="command"><strong>zone</strong></span> block in the configuration
- file.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- Solaris 2.5.1 and earlier does not support setting the
- source address for TCP sockets.
- </p>
- </div>
- </dd>
-<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt>
-<dd>
- <p>
- The same as <span class="command"><strong>transfer-source</strong></span>,
- except zone transfers are performed using IPv6.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt>
-<dd>
- <p>
- An alternate transfer source if the one listed in
- <span class="command"><strong>transfer-source</strong></span> fails and
- <span class="command"><strong>use-alt-transfer-source</strong></span> is
- set.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- If you do not wish the alternate transfer source
- to be used, you should set
- <span class="command"><strong>use-alt-transfer-source</strong></span>
- appropriately and you should not depend upon
- getting an answer back to the first refresh
- query.
- </p>
-</div>
- </dd>
-<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt>
-<dd>
- <p>
- An alternate transfer source if the one listed in
- <span class="command"><strong>transfer-source-v6</strong></span> fails and
- <span class="command"><strong>use-alt-transfer-source</strong></span> is
- set.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt>
-<dd>
- <p>
- Use the alternate transfer sources or not. If views are
- specified this defaults to <span class="command"><strong>no</strong></span>
- otherwise it defaults to
- <span class="command"><strong>yes</strong></span> (for BIND 8
- compatibility).
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt>
-<dd>
- <p><span class="command"><strong>notify-source</strong></span>
- determines which local source address, and
- optionally UDP port, will be used to send NOTIFY
- messages. This address must appear in the slave
- server's <span class="command"><strong>masters</strong></span> zone clause or
- in an <span class="command"><strong>allow-notify</strong></span> clause. This
- statement sets the <span class="command"><strong>notify-source</strong></span>
- for all zones, but can be overridden on a per-zone or
- per-view basis by including a
- <span class="command"><strong>notify-source</strong></span> statement within
- the <span class="command"><strong>zone</strong></span> or
- <span class="command"><strong>view</strong></span> block in the configuration
- file.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- Solaris 2.5.1 and earlier does not support setting the
- source address for TCP sockets.
- </p>
- </div>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt>
-<dd>
- <p>
- Like <span class="command"><strong>notify-source</strong></span>,
- but applies to notify messages sent to IPv6 addresses.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="port_lists"></a>UDP Port Lists</h4></div></div></div>
-
- <p>
- <span class="command"><strong>use-v4-udp-ports</strong></span>,
- <span class="command"><strong>avoid-v4-udp-ports</strong></span>,
- <span class="command"><strong>use-v6-udp-ports</strong></span>, and
- <span class="command"><strong>avoid-v6-udp-ports</strong></span>
- specify a list of IPv4 and IPv6 UDP ports that will be
- used or not used as source ports for UDP messages.
- See <a class="xref" href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
- available ports are determined.
- For example, with the following configuration
- </p>
-
-<pre class="programlisting">
-use-v6-udp-ports { range 32768 65535; };
-avoid-v6-udp-ports { 40000; range 50000 60000; };
-</pre>
-
- <p>
- UDP ports of IPv6 messages sent
- from <span class="command"><strong>named</strong></span> will be in one
- of the following ranges: 32768 to 39999, 40001 to 49999,
- and 60001 to 65535.
- </p>
-
- <p>
- <span class="command"><strong>avoid-v4-udp-ports</strong></span> and
- <span class="command"><strong>avoid-v6-udp-ports</strong></span> can be used
- to prevent <span class="command"><strong>named</strong></span> from choosing as its random source port a
- port that is blocked by your firewall or a port that is
- used by other applications;
- if a query went out with a source port blocked by a
- firewall, the
- answer would not get by the firewall and the name server would
- have to query again.
- Note: the desired range can also be represented only with
- <span class="command"><strong>use-v4-udp-ports</strong></span> and
- <span class="command"><strong>use-v6-udp-ports</strong></span>, and the
- <span class="command"><strong>avoid-</strong></span> options are redundant in that
- sense; they are provided for backward compatibility and
- to possibly simplify the port specification.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="resource_limits"></a>Operating System Resource Limits</h4></div></div></div>
-
- <p>
- The server's usage of many system resources can be limited.
- Scaled values are allowed when specifying resource limits. For
- example, <span class="command"><strong>1G</strong></span> can be used instead of
- <span class="command"><strong>1073741824</strong></span> to specify a limit of
- one
- gigabyte. <span class="command"><strong>unlimited</strong></span> requests
- unlimited use, or the
- maximum available amount. <span class="command"><strong>default</strong></span>
- uses the limit
- that was in force when the server was started. See the description
- of <span class="command"><strong>size_spec</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
- </p>
-
- <p>
- The following options set operating system resource limits for
- the name server process. Some operating systems don't support
- some or
- any of the limits. On such systems, a warning will be issued if
- the
- unsupported limit is used.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>coresize</strong></span></span></dt>
-<dd>
- <p>
- The maximum size of a core dump. The default
- is <code class="literal">default</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>datasize</strong></span></span></dt>
-<dd>
- <p>
- The maximum amount of data memory the server
- may use. The default is <code class="literal">default</code>.
- This is a hard limit on server memory usage.
- If the server attempts to allocate memory in excess of this
- limit, the allocation will fail, which may in turn leave
- the server unable to perform DNS service. Therefore,
- this option is rarely useful as a way of limiting the
- amount of memory used by the server, but it can be used
- to raise an operating system data size limit that is
- too small by default. If you wish to limit the amount
- of memory used by the server, use the
- <span class="command"><strong>max-cache-size</strong></span> and
- <span class="command"><strong>recursive-clients</strong></span>
- options instead.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>files</strong></span></span></dt>
-<dd>
- <p>
- The maximum number of files the server
- may have open concurrently. The default is <code class="literal">unlimited</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>stacksize</strong></span></span></dt>
-<dd>
- <p>
- The maximum amount of stack memory the server
- may use. The default is <code class="literal">default</code>.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="server_resource_limits"></a>Server Resource Limits</h4></div></div></div>
-
- <p>
- The following options set limits on the server's
- resource consumption that are enforced internally by the
- server rather than the operating system.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>max-ixfr-log-size</strong></span></span></dt>
-<dd>
- <p>
- This option is obsolete; it is accepted
- and ignored for BIND 8 compatibility. The option
- <span class="command"><strong>max-journal-size</strong></span> performs a
- similar function in BIND 9.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
-<dd>
- <p>
- Sets a maximum size for each journal file (see
- <a class="xref" href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>), expressed in bytes
- or, if followed by an optional unit suffix ('k',
- 'm', or 'g'), in kilobytes, megabytes, or gigabytes.
- When the journal file approaches the specified size,
- some of the oldest transactions in the journal
- will be automatically removed. The largest
- permitted value is 2 gigabytes. Very small
- values are rounded up to 4096 bytes. You
- can specify <code class="literal">unlimited</code>, which
- also means 2 gigabytes. If you set the limit to
- <code class="literal">default</code> or leave it unset, the
- journal is allowed to grow up to twice as large as
- the zone. (There is little benefit in storing
- larger journals.)
- </p>
- <p>
- This option may also be set on a per-zone basis.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-records</strong></span></span></dt>
-<dd>
- <p>
- The maximum number of records permitted in a zone.
- The default is zero which means unlimited.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>host-statistics-max</strong></span></span></dt>
-<dd>
- <p>
- In BIND 8, specifies the maximum number of host statistics
- entries to be kept.
- Not implemented in BIND 9.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>recursive-clients</strong></span></span></dt>
-<dd>
- <p>
- The maximum number ("hard quota") of simultaneous
- recursive lookups the server will perform on behalf
- of clients. The default is
- <code class="literal">1000</code>. Because each recursing
- client uses a fair
- bit of memory (on the order of 20 kilobytes), the
- value of the
- <span class="command"><strong>recursive-clients</strong></span> option may
- have to be decreased on hosts with limited memory.
- </p>
- <p>
- <code class="option">recursive-clients</code> defines a "hard
- quota" limit for pending recursive clients: when more
- clients than this are pending, new incoming requests
- will not be accepted, and for each incoming request
- a previous pending request will also be dropped.
- </p>
- <p>
- A "soft quota" is also set. When this lower
- quota is exceeded, incoming requests are accepted, but
- for each one, a pending request will be dropped.
- If <code class="option">recursive-clients</code> is greater than
- 1000, the soft quota is set to
- <code class="option">recursive-clients</code> minus 100;
- otherwise it is set to 90% of
- <code class="option">recursive-clients</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>tcp-clients</strong></span></span></dt>
-<dd>
- <p>
- The maximum number of simultaneous client TCP
- connections that the server will accept.
- The default is <code class="literal">150</code>.
- </p>
- </dd>
-<dt>
-<a name="clients-per-query"></a><span class="term"><a name="cpq_term"></a><span class="command"><strong>clients-per-query</strong></span>, </span><span class="term"><span class="command"><strong>max-clients-per-query</strong></span></span>
-</dt>
-<dd>
- <p>These set the
- initial value (minimum) and maximum number of recursive
- simultaneous clients for any given query
- (<qname,qtype,qclass>) that the server will accept
- before dropping additional clients. <span class="command"><strong>named</strong></span> will attempt to
- self tune this value and changes will be logged. The
- default values are 10 and 100.
- </p>
- <p>
- This value should reflect how many queries come in for
- a given name in the time it takes to resolve that name.
- If the number of queries exceed this value, <span class="command"><strong>named</strong></span> will
- assume that it is dealing with a non-responsive zone
- and will drop additional queries. If it gets a response
- after dropping queries, it will raise the estimate. The
- estimate will then be lowered in 20 minutes if it has
- remained unchanged.
- </p>
- <p>
- If <span class="command"><strong>clients-per-query</strong></span> is set to zero,
- then there is no limit on the number of clients per query
- and no queries will be dropped.
- </p>
- <p>
- If <span class="command"><strong>max-clients-per-query</strong></span> is set to zero,
- then there is no upper bound other than imposed by
- <span class="command"><strong>recursive-clients</strong></span>.
- </p>
- </dd>
-<dt>
-<a name="fetches-per-zone"></a><span class="term"><span class="command"><strong>fetches-per-zone</strong></span></span>
-</dt>
-<dd>
- <p>
- The maximum number of simultaneous iterative
- queries to any one domain that the server will
- permit before blocking new queries for data
- in or beneath that zone.
- This value should reflect how many fetches would
- normally be sent to any one zone in the time it
- would take to resolve them. It should be smaller
- than <code class="option">recursive-clients</code>.
- </p>
- <p>
- When many clients simultaneously query for the
- same name and type, the clients will all be attached
- to the same fetch, up to the
- <code class="option">max-clients-per-query</code> limit,
- and only one iterative query will be sent.
- However, when clients are simultaneously
- querying for <span class="emphasis"><em>different</em></span> names
- or types, multiple queries will be sent and
- <code class="option">max-clients-per-query</code> is not
- effective as a limit.
- </p>
- <p>
- Optionally, this value may be followed by the keyword
- <code class="literal">drop</code> or <code class="literal">fail</code>,
- indicating whether queries which exceed the fetch
- quota for a zone will be dropped with no response,
- or answered with SERVFAIL. The default is
- <code class="literal">drop</code>.
- </p>
- <p>
- If <span class="command"><strong>fetches-per-zone</strong></span> is set to zero,
- then there is no limit on the number of fetches per query
- and no queries will be dropped. The default is zero.
- </p>
- <p>
- The current list of active fetches can be dumped by
- running <span class="command"><strong>rndc recursing</strong></span>. The list
- includes the number of active fetches for each
- domain and the number of queries that have been
- passed or dropped as a result of the
- <code class="option">fetches-per-zone</code> limit. (Note:
- these counters are not cumulative over time; whenever
- the number of active fetches for a domain drops to
- zero, the counter for that domain is deleted, and the
- next time a fetch is sent to that domain, it is
- recreated with the counters set to zero.)
- </p>
- </dd>
-<dt>
-<a name="fetches-per-server"></a><span class="term"><span class="command"><strong>fetches-per-server</strong></span></span>
-</dt>
-<dd>
- <p>
- The maximum number of simultaneous iterative
- queries that the server will allow to be sent to
- a single upstream name server before blocking
- additional queries.
- This value should reflect how many fetches would
- normally be sent to any one server in the time it
- would take to resolve them. It should be smaller
- than <code class="option">recursive-clients</code>.
- </p>
- <p>
- Optionally, this value may be followed by the keyword
- <code class="literal">drop</code> or <code class="literal">fail</code>,
- indicating whether queries will be dropped with no
- response, or answered with SERVFAIL, when all of the
- servers authoritative for a zone are found to have
- exceeded the per-server quota. The default is
- <code class="literal">fail</code>.
- </p>
- <p>
- If <span class="command"><strong>fetches-per-server</strong></span> is set to zero,
- then there is no limit on the number of fetches per query
- and no queries will be dropped. The default is zero.
- </p>
- <p>
- The <span class="command"><strong>fetches-per-server</strong></span> quota is
- dynamically adjusted in response to detected
- congestion. As queries are sent to a server
- and are either answered or time out, an
- exponentially weighted moving average is calculated
- of the ratio of timeouts to responses. If the
- current average timeout ratio rises above a "high"
- threshold, then <span class="command"><strong>fetches-per-server</strong></span>
- is reduced for that server. If the timeout ratio
- drops below a "low" threshold, then
- <span class="command"><strong>fetches-per-server</strong></span> is increased.
- The <span class="command"><strong>fetch-quota-params</strong></span> options
- can be used to adjust the parameters for this
- calculation.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>fetch-quota-params</strong></span></span></dt>
-<dd>
- <p>
- Sets the parameters to use for dynamic resizing of
- the <code class="option">fetches-per-server</code> quota in
- response to detected congestion.
- </p>
- <p>
- The first argument is an integer value indicating
- how frequently to recalculate the moving average
- of the ratio of timeouts to responses for each
- server. The default is 100, meaning we recalculate
- the average ratio after every 100 queries have either
- been answered or timed out.
- </p>
- <p>
- The remaining three arguments represent the "low"
- threshold (defaulting to a timeout ratio of 0.1),
- the "high" threshold (defaulting to a timeout
- ratio of 0.3), and the discount rate for
- the moving average (defaulting to 0.7).
- A higher discount rate causes recent events to
- weigh more heavily when calculating the moving
- average; a lower discount rate causes past
- events to weigh more heavily, smoothing out
- short-term blips in the timeout ratio.
- These arguments are all fixed-point numbers with
- precision of 1/100: at most two places after
- the decimal point are significant.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>reserved-sockets</strong></span></span></dt>
-<dd>
- <p>
- The number of file descriptors reserved for TCP, stdio,
- etc. This needs to be big enough to cover the number of
- interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
- to provide room for outgoing TCP queries and incoming zone
- transfers. The default is <code class="literal">512</code>.
- The minimum value is <code class="literal">128</code> and the
- maximum value is <code class="literal">128</code> less than
- maxsockets (-S). This option may be removed in the future.
- </p>
- <p>
- This option has little effect on Windows.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-cache-size</strong></span></span></dt>
-<dd>
- <p>
- The maximum amount of memory to use for the
- server's cache, in bytes or % of total physical memory.
- When the amount of data in the cache
- reaches this limit, the server will cause records to
- expire prematurely based on an LRU based strategy so
- that the limit is not exceeded.
- The keyword <strong class="userinput"><code>unlimited</code></strong>,
- or the value 0, will place no limit on cache size;
- records will be purged from the cache only when their
- TTLs expire.
- Any positive values less than 2MB will be ignored
- and reset to 2MB.
- In a server with multiple views, the limit applies
- separately to the cache of each view.
- The default is <strong class="userinput"><code>90%</code></strong>.
- On systems where detection of amount of physical
- memory is not supported values represented as %
- fall back to unlimited.
- Note that the detection of physical memory is done only
- once at startup, so <span class="command"><strong>named</strong></span> will not
- adjust the cache size if the amount of physical memory
- is changed during runtime.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>tcp-listen-queue</strong></span></span></dt>
-<dd>
- <p>
- The listen queue depth. The default and minimum is 10.
- If the kernel supports the accept filter "dataready" this
- also controls how
- many TCP connections that will be queued in kernel space
- waiting for
- some data before being passed to accept. Nonzero values
- less than 10 will be silently raised. A value of 0 may also
- be used; on most platforms this sets the listen queue
- length to a system-defined default value.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>tcp-initial-timeout</strong></span></span></dt>
-<dd>
- <p>
- The amount of time (in units of 100 milliseconds) the
- server waits on a new TCP connection for the first message
- from the client. The default is 300 (30 seconds),
- the minimum is 25 (2.5 seconds), and the maximum is
- 1200 (two minutes). Values above the maximum or below
- the minimum will be adjusted with a logged warning.
- (Note: This value must be greater than the expected
- round trip delay time; otherwise no client will ever
- have enough time to submit a message.)
- This value can be updated at runtime by using
- <span class="command"><strong>rndc tcp-timeouts</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>tcp-idle-timeout</strong></span></span></dt>
-<dd>
- <p>
- The amount of time (in units of 100 milliseconds) the
- server waits on an idle TCP conenction before closing
- it when the client is not using the EDNS TCP keepalive
- option. The default is 300 (30 seconds), the maximum
- is 1200 (two minutes), and the minimum is 1 (one tenth
- of a second). Values above the maximum or below the minimum
- will be adjusted with a logged warning.
- See <span class="command"><strong>tcp-keepalive-timeout</strong></span>
- for clients using the EDNS TCP keepalive option.
- This value can be updated at runtime by using
- <span class="command"><strong>rndc tcp-timeouts</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>tcp-keepalive-timeout</strong></span></span></dt>
-<dd>
- <p>
- The amount of time (in units of 100 milliseconds) the
- server waits on an idle TCP conenction before closing
- it when the client is using the EDNS TCP keepalive
- option. The default is 300 (30 seconds), the maximum
- is 1200 (two minutes), and the minimum is 1 (one tenth
- of a second). Values above the maximum or below the minimum
- will be adjusted with a logged warning.
- This value may be greater than
- <span class="command"><strong>tcp-idle-timeout</strong></span>, because
- clients using the EDNS TCP keepalive option are expected
- to use TCP connections for more than one message.
- This value can be updated at runtime by using
- <span class="command"><strong>rndc tcp-timeouts</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>tcp-advertised-timeout</strong></span></span></dt>
-<dd>
- <p>
- The timeout value (in units of 100 milliseconds) the
- server will send in respones containing the EDNS TCP
- keepalive option. This informs a client of the
- amount of time it may keep the session open.
- The default is 300 (30 seconds), the maximum is
- 1200 (two minutes), and the minimum is 0, which
- signals that the clients must close TCP connections
- immediately. Ordinarily this should be set to the
- same value as <span class="command"><strong>tcp-keepalive-timeout</strong></span>.
- This value can be updated at runtime by using
- <span class="command"><strong>rndc tcp-timeouts</strong></span>.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="intervals"></a>Periodic Task Intervals</h4></div></div></div>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>cleaning-interval</strong></span></span></dt>
-<dd>
- <p>
- This interval is effectively obsolete. Previously,
- the server would remove expired resource records
- from the cache every <span class="command"><strong>cleaning-interval</strong></span> minutes.
- <acronym class="acronym">BIND</acronym> 9 now manages cache
- memory in a more sophisticated manner and does not
- rely on the periodic cleaning any more.
- Specifying this option therefore has no effect on
- the server's behavior.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>heartbeat-interval</strong></span></span></dt>
-<dd>
- <p>
- The server will perform zone maintenance tasks
- for all zones marked as <span class="command"><strong>dialup</strong></span> whenever this
- interval expires. The default is 60 minutes. Reasonable
- values are up
- to 1 day (1440 minutes). The maximum value is 28 days
- (40320 minutes).
- If set to 0, no zone maintenance for these zones will occur.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>interface-interval</strong></span></span></dt>
-<dd>
- <p>
- The server will scan the network interface list
- every <span class="command"><strong>interface-interval</strong></span>
- minutes. The default
- is 60 minutes. The maximum value is 28 days (40320 minutes).
- If set to 0, interface scanning will only occur when
- the configuration file is loaded. After the scan, the
- server will
- begin listening for queries on any newly discovered
- interfaces (provided they are allowed by the
- <span class="command"><strong>listen-on</strong></span> configuration), and
- will
- stop listening on interfaces that have gone away.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>statistics-interval</strong></span></span></dt>
-<dd>
- <p>
- Name server statistics will be logged
- every <span class="command"><strong>statistics-interval</strong></span>
- minutes. The default is
- 60. The maximum value is 28 days (40320 minutes).
- If set to 0, no statistics will be logged.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- Not yet implemented in
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </div>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="topology"></a>Topology</h4></div></div></div>
-
- <p>
- All other things being equal, when the server chooses a name
- server
- to query from a list of name servers, it prefers the one that is
- topologically closest to itself. The <span class="command"><strong>topology</strong></span> statement
- takes an <span class="command"><strong>address_match_list</strong></span> and
- interprets it
- in a special way. Each top-level list element is assigned a
- distance.
- Non-negated elements get a distance based on their position in the
- list, where the closer the match is to the start of the list, the
- shorter the distance is between it and the server. A negated match
- will be assigned the maximum distance from the server. If there
- is no match, the address will get a distance which is further than
- any non-negated list element, and closer than any negated element.
- For example,
- </p>
-
-<pre class="programlisting">topology {
- 10/8;
- !1.2.3/24;
- { 1.2/16; 3/8; };
-};</pre>
-
- <p>
- will prefer servers on network 10 the most, followed by hosts
- on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
- exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
- is preferred least of all.
- </p>
- <p>
- The default topology is
- </p>
-
-<pre class="programlisting"> topology { localhost; localnets; };
-</pre>
-
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- The <span class="command"><strong>topology</strong></span> option
- is not implemented in <acronym class="acronym">BIND</acronym> 9.
- </p>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_sortlist_statement"></a>The <span class="command"><strong>sortlist</strong></span> Statement</h4></div></div></div>
-
- <p>
- The response to a DNS query may consist of multiple resource
- records (RRs) forming a resource record set (RRset).
- The name server will normally return the
- RRs within the RRset in an indeterminate order
- (but see the <span class="command"><strong>rrset-order</strong></span>
- statement in <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
- The client resolver code should rearrange the RRs as appropriate,
- that is, using any addresses on the local net in preference to
- other addresses.
- However, not all resolvers can do this or are correctly
- configured.
- When a client is using a local server, the sorting can be performed
- in the server, based on the client's address. This only requires
- configuring the name servers, not all the clients.
- </p>
-
- <p>
- The <span class="command"><strong>sortlist</strong></span> statement (see below)
- takes
- an <span class="command"><strong>address_match_list</strong></span> and
- interprets it even
- more specifically than the <span class="command"><strong>topology</strong></span>
- statement
- does (<a class="xref" href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
- Each top level statement in the <span class="command"><strong>sortlist</strong></span> must
- itself be an explicit <span class="command"><strong>address_match_list</strong></span> with
- one or two elements. The first element (which may be an IP
- address,
- an IP prefix, an ACL name or a nested <span class="command"><strong>address_match_list</strong></span>)
- of each top level list is checked against the source address of
- the query until a match is found.
- </p>
- <p>
- Once the source address of the query has been matched, if
- the top level statement contains only one element, the actual
- primitive
- element that matched the source address is used to select the
- address
- in the response to move to the beginning of the response. If the
- statement is a list of two elements, then the second element is
- treated the same as the <span class="command"><strong>address_match_list</strong></span> in
- a <span class="command"><strong>topology</strong></span> statement. Each top
- level element
- is assigned a distance and the address in the response with the
- minimum
- distance is moved to the beginning of the response.
- </p>
- <p>
- In the following example, any queries received from any of
- the addresses of the host itself will get responses preferring
- addresses
- on any of the locally connected networks. Next most preferred are
- addresses
- on the 192.168.1/24 network, and after that either the
- 192.168.2/24
- or
- 192.168.3/24 network with no preference shown between these two
- networks. Queries received from a host on the 192.168.1/24 network
- will prefer other addresses on that network to the 192.168.2/24
- and
- 192.168.3/24 networks. Queries received from a host on the
- 192.168.4/24
- or the 192.168.5/24 network will only prefer other addresses on
- their directly connected networks.
- </p>
-
-<pre class="programlisting">sortlist {
- // IF the local host
- // THEN first fit on the following nets
- { localhost;
- { localnets;
- 192.168.1/24;
- { 192.168.2/24; 192.168.3/24; }; }; };
- // IF on class C 192.168.1 THEN use .1, or .2 or .3
- { 192.168.1/24;
- { 192.168.1/24;
- { 192.168.2/24; 192.168.3/24; }; }; };
- // IF on class C 192.168.2 THEN use .2, or .1 or .3
- { 192.168.2/24;
- { 192.168.2/24;
- { 192.168.1/24; 192.168.3/24; }; }; };
- // IF on class C 192.168.3 THEN use .3, or .1 or .2
- { 192.168.3/24;
- { 192.168.3/24;
- { 192.168.1/24; 192.168.2/24; }; }; };
- // IF .4 or .5 THEN prefer that net
- { { 192.168.4/24; 192.168.5/24; };
- };
-};</pre>
-
- <p>
- The following example will give reasonable behavior for the
- local host and hosts on directly connected networks. It is similar
- to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
- to queries from the local host will favor any of the directly
- connected
- networks. Responses sent to queries from any other hosts on a
- directly
- connected network will prefer addresses on that same network.
- Responses
- to other queries will not be sorted.
- </p>
-
-<pre class="programlisting">sortlist {
- { localhost; localnets; };
- { localnets; };
-};
-</pre>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
-
- <p>
- When multiple records are returned in an answer it may be
- useful to configure the order of the records placed into the
- response. The <span class="command"><strong>rrset-order</strong></span> statement permits
- configuration of the ordering of the records in a
- multiple-record response.
- See also the <span class="command"><strong>sortlist</strong></span> statement,
- <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span class="command"><strong>sortlist</strong></span> Statement”</a>.
- </p>
- <p>
- An <span class="command"><strong>order_spec</strong></span> is defined as follows:
- </p>
- <p>
- [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
- [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
- [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
- order <em class="replaceable"><code>ordering</code></em>
- </p>
- <p>
- If no class is specified, the default is <span class="command"><strong>ANY</strong></span>.
- If no type is specified, the default is <span class="command"><strong>ANY</strong></span>.
- If no name is specified, the default is "<span class="command"><strong>*</strong></span>" (asterisk).
- </p>
- <p>
- The legal values for <span class="command"><strong>ordering</strong></span> are:
- </p>
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="0.750in" class="1">
-<col width="3.750in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span class="command"><strong>fixed</strong></span></p>
- </td>
-<td>
- <p>
- Records are returned in the order they
- are defined in the zone file. This option
- is only available if <acronym class="acronym">BIND</acronym>
- is configured with "--enable-fixed-rrset" at
- compile time.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>random</strong></span></p>
- </td>
-<td>
- <p>
- Records are returned in some random order.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>cyclic</strong></span></p>
- </td>
-<td>
- <p>
- Records are returned in a cyclic round-robin order,
- rotating by one record per query.
- </p>
- <p>
- If <acronym class="acronym">BIND</acronym> is configured with
- "--enable-fixed-rrset" at compile time, then
- the initial ordering of the RRset will match the
- one specified in the zone file; otherwise the
- initial ordering is indeterminate.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>none</strong></span></p>
- </td>
-<td>
- <p>
- Records are returned in whatever order they were
- retrieved from the database. This order is
- indeterminate, but will be consistent as long as the
- database is not modified. When no ordering is
- specified, this is the default.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <p>
- </p>
- <p>
- For example:
- </p>
-<pre class="programlisting">rrset-order {
- class IN type A name "host.example.com" order random;
- order cyclic;
-};
-</pre>
- <p>
- will cause any responses for type A records in class IN that
- have "<code class="literal">host.example.com</code>" as a
- suffix, to always be returned
- in random order. All other records are returned in cyclic order.
- </p>
- <p>
- If multiple <span class="command"><strong>rrset-order</strong></span> statements
- appear, they are not combined — the last one applies.
- </p>
- <p>
- By default, records are returned in indeterminate but
- consistent order (see <span class="command"><strong>none</strong></span> above).
- </p>
-
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- In this release of <acronym class="acronym">BIND</acronym> 9, the
- <span class="command"><strong>rrset-order</strong></span> statement does not support
- "fixed" ordering by default. Fixed ordering can be enabled
- at compile time by specifying "--enable-fixed-rrset" on
- the "configure" command line.
- </p>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="tuning"></a>Tuning</h4></div></div></div>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>lame-ttl</strong></span></span></dt>
-<dd>
- <p>
- Sets the number of seconds to cache a
- lame server indication. 0 disables caching. (This is
- <span class="bold"><strong>NOT</strong></span> recommended.)
- The default is <code class="literal">600</code> (10 minutes) and the
- maximum value is
- <code class="literal">1800</code> (30 minutes).
- </p>
-
- </dd>
-<dt><span class="term"><span class="command"><strong>servfail-ttl</strong></span></span></dt>
-<dd>
- <p>
- Sets the number of seconds to cache a
- SERVFAIL response due to DNSSEC validation failure or
- other general server failure. If set to
- <code class="literal">0</code>, SERVFAIL caching is disabled.
- The SERVFAIL cache is not consulted if a query has
- the CD (Checking Disabled) bit set; this allows a
- query that failed due to DNSSEC validation to be retried
- without waiting for the SERVFAIL TTL to expire.
- </p>
- <p>
- The maximum value is <code class="literal">30</code>
- seconds; any higher value will be silently
- reduced. The default is <code class="literal">1</code>
- second.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-ncache-ttl</strong></span></span></dt>
-<dd>
- <p>
- To reduce network traffic and increase performance,
- the server stores negative answers. <span class="command"><strong>max-ncache-ttl</strong></span> is
- used to set a maximum retention time for these answers in
- the server
- in seconds. The default
- <span class="command"><strong>max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
- <span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed
- 7 days and will
- be silently truncated to 7 days if set to a greater value.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-cache-ttl</strong></span></span></dt>
-<dd>
- <p>
- Sets the maximum time for which the server will
- cache ordinary (positive) answers in seconds.
- The default is 604800 (one week).
- A value of zero may cause all queries to return
- SERVFAIL, because of lost caches of intermediate
- RRsets (such as NS and glue AAAA/A records) in the
- resolution process.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-stale-ttl</strong></span></span></dt>
-<dd>
- <p>
- Sets the maximum time for which the server will
- retain records past their normal expiry to
- return them as stale records when the servers
- for those records are not reachable. The default
- is to not retain the record.
- </p>
- <p>
- <span class="command"><strong>rndc serve-stale</strong></span> can be used
- to disable and re-enable the serving of stale
- records at runtime. Reloading or reconfiguring
- <span class="command"><strong>named</strong></span> will not re-enable serving
- of stale records if they have been disabled via
- <span class="command"><strong>rndc</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt>
-<dd>
- <p>
- The minimum number of root servers that
- is required for a request for the root servers to be
- accepted. The default
- is <strong class="userinput"><code>2</code></strong>.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- Not implemented in <acronym class="acronym">BIND</acronym> 9.
- </p>
- </div>
- </dd>
-<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
-<dd>
- <p>
- Specifies the number of days into the future when
- DNSSEC signatures automatically generated as a
- result of dynamic updates (<a class="xref" href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
- is an optional second field which specifies how
- long before expiry that the signatures will be
- regenerated. If not specified, the signatures will
- be regenerated at 1/4 of base interval. The second
- field is specified in days if the base interval is
- greater than 7 days otherwise it is specified in hours.
- The default base interval is <code class="literal">30</code> days
- giving a re-signing interval of 7 1/2 days. The maximum
- values are 10 years (3660 days).
- </p>
- <p>
- The signature inception time is unconditionally
- set to one hour before the current time to allow
- for a limited amount of clock skew.
- </p>
- <p>
- The <span class="command"><strong>sig-validity-interval</strong></span>
- should be, at least, several multiples of the SOA
- expire interval to allow for reasonable interaction
- between the various timer and expiry dates.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt>
-<dd>
- <p>
- Specify the maximum number of nodes to be
- examined in each quantum when signing a zone with
- a new DNSKEY. The default is
- <code class="literal">100</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt>
-<dd>
- <p>
- Specify a threshold number of signatures that
- will terminate processing a quantum when signing
- a zone with a new DNSKEY. The default is
- <code class="literal">10</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt>
-<dd>
- <p>
- Specify a private RDATA type to be used when generating
- signing state records. The default is
- <code class="literal">65534</code>.
- </p>
- <p>
- It is expected that this parameter may be removed
- in a future version once there is a standard type.
- </p>
- <p>
- Signing state records are used to internally by
- <span class="command"><strong>named</strong></span> to track the current state of
- a zone-signing process, i.e., whether it is still active
- or has been completed. The records can be inspected
- using the command
- <span class="command"><strong>rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
- Once <span class="command"><strong>named</strong></span> has finished signing
- a zone with a particular key, the signing state
- record associated with that key can be removed from
- the zone by running
- <span class="command"><strong>rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
- To clear all of the completed signing state
- records for a zone, use
- <span class="command"><strong>rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
- </p>
- </dd>
-<dt>
-<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span>
-</dt>
-<dd>
- <p>
- These options control the server's behavior on refreshing a
- zone
- (querying for SOA changes) or retrying failed transfers.
- Usually the SOA values for the zone are used, but these
- values
- are set by the master, giving slave server administrators
- little
- control over their contents.
- </p>
- <p>
- These options allow the administrator to set a minimum and
- maximum refresh and retry time in seconds per-zone,
- per-view, or globally.
- These options are valid for slave and stub zones,
- and clamp the SOA refresh and retry times to the specified
- values.
- </p>
- <p>
- The following defaults apply.
- <span class="command"><strong>min-refresh-time</strong></span> 300 seconds,
- <span class="command"><strong>max-refresh-time</strong></span> 2419200 seconds
- (4 weeks), <span class="command"><strong>min-retry-time</strong></span> 500 seconds,
- and <span class="command"><strong>max-retry-time</strong></span> 1209600 seconds
- (2 weeks).
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>edns-udp-size</strong></span></span></dt>
-<dd>
- <p>
- Sets the maximum advertised EDNS UDP buffer size in
- bytes, to control the size of packets received from
- authoritative servers in response to recursive queries.
- Valid values are 512 to 4096 (values outside this range
- will be silently adjusted to the nearest value within
- it). The default value is 4096.
- </p>
- <p>
- The usual reason for setting
- <span class="command"><strong>edns-udp-size</strong></span> to a non-default value
- is to get UDP answers to pass through broken firewalls
- that block fragmented packets and/or block UDP DNS
- packets that are greater than 512 bytes.
- </p>
- <p>
- When <span class="command"><strong>named</strong></span> first queries a remote
- server, it will advertise a UDP buffer size of 512, as
- this has the greatest chance of success on the first try.
- </p>
- <p>
- If the initial response times out, <span class="command"><strong>named</strong></span>
- will try again with plain DNS, and if that is successful,
- it will be taken as evidence that the server does not
- support EDNS. After enough failures using EDNS and
- successes using plain DNS, <span class="command"><strong>named</strong></span>
- will default to plain DNS for future communications
- with that server. (Periodically, <span class="command"><strong>named</strong></span>
- will send an EDNS query to see if the situation has
- improved.)
- </p>
- <p>
- However, if the initial query is successful with
- EDNS advertising a buffer size of 512, then
- <span class="command"><strong>named</strong></span> will advertise progressively
- larger buffer sizes on successive queries, until
- responses begin timing out or
- <span class="command"><strong>edns-udp-size</strong></span> is reached.
- </p>
- <p>
- The default buffer sizes used by <span class="command"><strong>named</strong></span>
- are 512, 1232, 1432, and 4096, but never exceeding
- <span class="command"><strong>edns-udp-size</strong></span>. (The values 1232 and
- 1432 are chosen to allow for an IPv4/IPv6 encapsulated
- UDP message to be sent without fragmentation at the
- minimum MTU sizes for Ethernet and IPv6 networks.)
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-udp-size</strong></span></span></dt>
-<dd>
- <p>
- Sets the maximum EDNS UDP message size
- <span class="command"><strong>named</strong></span> will send in bytes.
- Valid values are 512 to 4096 (values outside this
- range will be silently adjusted to the nearest
- value within it). The default value is 4096.
- </p>
- <p>
- This value applies to responses sent by a server; to
- set the advertised buffer size in queries, see
- <span class="command"><strong>edns-udp-size</strong></span>.
- </p>
- <p>
- The usual reason for setting
- <span class="command"><strong>max-udp-size</strong></span> to a non-default
- value is to get UDP answers to pass through broken
- firewalls that block fragmented packets and/or
- block UDP packets that are greater than 512 bytes.
- This is independent of the advertised receive
- buffer (<span class="command"><strong>edns-udp-size</strong></span>).
- </p>
- <p>
- Setting this to a low value will encourage additional
- TCP traffic to the nameserver.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt>
-<dd>
- <p>Specifies
- the file format of zone files (see
- <a class="xref" href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
- The default value is <code class="constant">text</code>, which is the
- standard textual representation, except for slave zones,
- in which the default value is <code class="constant">raw</code>.
- Files in other formats than <code class="constant">text</code> are
- typically expected to be generated by the
- <span class="command"><strong>named-compilezone</strong></span> tool, or dumped by
- <span class="command"><strong>named</strong></span>.
- </p>
- <p>
- Note that when a zone file in a different format than
- <code class="constant">text</code> is loaded, <span class="command"><strong>named</strong></span>
- may omit some of the checks which would be performed for a
- file in the <code class="constant">text</code> format. In particular,
- <span class="command"><strong>check-names</strong></span> checks do not apply
- for the <code class="constant">raw</code> format. This means
- a zone file in the <code class="constant">raw</code> format
- must be generated with the same check level as that
- specified in the <span class="command"><strong>named</strong></span> configuration
- file. Also, <code class="constant">map</code> format files are
- loaded directly into memory via memory mapping, with only
- minimal checking.
- </p>
- <p>
- This statement sets the
- <span class="command"><strong>masterfile-format</strong></span> for all zones,
- but can be overridden on a per-zone or per-view basis
- by including a <span class="command"><strong>masterfile-format</strong></span>
- statement within the <span class="command"><strong>zone</strong></span> or
- <span class="command"><strong>view</strong></span> block in the configuration
- file.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>masterfile-style</strong></span></span></dt>
-<dd>
- <p>
- Specifies the formatting of zone files during dump
- when the <code class="option">masterfile-format</code> is
- <code class="constant">text</code>. (This option is ignored
- with any other <code class="option">masterfile-format</code>.)
- </p>
- <p>
- When set to <code class="constant">relative</code>,
- records are printed in a multi-line format with owner
- names expressed relative to a shared origin. When set
- to <code class="constant">full</code>, records are printed in
- a single-line format with absolute owner names.
- The <code class="constant">full</code> format is most suitable
- when a zone file needs to be processed automatically
- by a script. The <code class="constant">relative</code> format
- is more human-readable, and is thus suitable when a
- zone is to be edited by hand. The default is
- <code class="constant">relative</code>.
- </p>
- </dd>
-<dt>
-<a name="max-recursion-depth"></a><span class="term"><span class="command"><strong>max-recursion-depth</strong></span></span>
-</dt>
-<dd>
- <p>
- Sets the maximum number of levels of recursion
- that are permitted at any one time while servicing
- a recursive query. Resolving a name may require
- looking up a name server address, which in turn
- requires resolving another name, etc; if the number
- of indirections exceeds this value, the recursive
- query is terminated and returns SERVFAIL. The
- default is 7.
- </p>
- </dd>
-<dt>
-<a name="max-recursion-queries"></a><span class="term"><span class="command"><strong>max-recursion-queries</strong></span></span>
-</dt>
-<dd>
- <p>
- Sets the maximum number of iterative queries that
- may be sent while servicing a recursive query.
- If more queries are sent, the recursive query
- is terminated and returns SERVFAIL. Queries to
- look up top level domains such as "com" and "net"
- and the DNS root zone are exempt from this limitation.
- The default is 75.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
-<dd>
- <p>
- The delay, in seconds, between sending sets of notify
- messages for a zone. The default is five (5) seconds.
- </p>
- <p>
- The overall rate that NOTIFY messages are sent for all
- zones is controlled by <span class="command"><strong>serial-query-rate</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-rsa-exponent-size</strong></span></span></dt>
-<dd>
- <p>
- The maximum RSA exponent size, in bits, that will
- be accepted when validating. Valid values are 35
- to 4096 bits. The default zero (0) is also accepted
- and is equivalent to 4096.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>prefetch</strong></span></span></dt>
-<dd>
- <p>
- When a query is received for cached data which
- is to expire shortly, <span class="command"><strong>named</strong></span> can
- refresh the data from the authoritative server
- immediately, ensuring that the cache always has an
- answer available.
- </p>
- <p>
- The <code class="option">prefetch</code> specifies the
- "trigger" TTL value at which prefetch of the current
- query will take place: when a cache record with a
- lower TTL value is encountered during query processing,
- it will be refreshed. Valid trigger TTL values are 1 to
- 10 seconds. Values larger than 10 seconds will be silently
- reduced to 10.
- Setting a trigger TTL to zero (0) causes
- prefetch to be disabled.
- The default trigger TTL is <code class="literal">2</code>.
- </p>
- <p>
- An optional second argument specifies the "eligibility"
- TTL: the smallest <span class="emphasis"><em>original</em></span>
- TTL value that will be accepted for a record to be
- eligible for prefetching. The eligibility TTL must
- be at least six seconds longer than the trigger TTL;
- if it isn't, <span class="command"><strong>named</strong></span> will silently
- adjust it upward.
- The default eligibility TTL is <code class="literal">9</code>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>v6-bias</strong></span></span></dt>
-<dd>
- <p>
- When determining the next nameserver to try
- preference IPv6 nameservers by this many milliseconds.
- The default is <code class="literal">50</code> milliseconds.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
-
- <p>
- The server provides some helpful diagnostic information
- through a number of built-in zones under the
- pseudo-top-level-domain <code class="literal">bind</code> in the
- <span class="command"><strong>CHAOS</strong></span> class. These zones are part
- of a
- built-in view (see <a class="xref" href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span class="command"><strong>view</strong></span> Statement Grammar”</a>) of
- class
- <span class="command"><strong>CHAOS</strong></span> which is separate from the
- default view of class <span class="command"><strong>IN</strong></span>. Most global
- configuration options (<span class="command"><strong>allow-query</strong></span>,
- etc) will apply to this view, but some are locally
- overridden: <span class="command"><strong>notify</strong></span>,
- <span class="command"><strong>recursion</strong></span> and
- <span class="command"><strong>allow-new-zones</strong></span> are
- always set to <strong class="userinput"><code>no</code></strong>, and
- <span class="command"><strong>rate-limit</strong></span> is set to allow
- three responses per second.
- </p>
- <p>
- If you need to disable these zones, use the options
- below, or hide the built-in <span class="command"><strong>CHAOS</strong></span>
- view by
- defining an explicit view of class <span class="command"><strong>CHAOS</strong></span>
- that matches all clients.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>version</strong></span></span></dt>
-<dd>
- <p>
- The version the server should report
- via a query of the name <code class="literal">version.bind</code>
- with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
- The default is the real version number of this server.
- Specifying <span class="command"><strong>version none</strong></span>
- disables processing of the queries.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>hostname</strong></span></span></dt>
-<dd>
- <p>
- The hostname the server should report via a query of
- the name <code class="filename">hostname.bind</code>
- with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
- This defaults to the hostname of the machine hosting the
- name server as
- found by the gethostname() function. The primary purpose of such queries
- is to
- identify which of a group of anycast servers is actually
- answering your queries. Specifying <span class="command"><strong>hostname none;</strong></span>
- disables processing of the queries.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>server-id</strong></span></span></dt>
-<dd>
- <p>
- The ID the server should report when receiving a Name
- Server Identifier (NSID) query, or a query of the name
- <code class="filename">ID.SERVER</code> with type
- <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
- The primary purpose of such queries is to
- identify which of a group of anycast servers is actually
- answering your queries. Specifying <span class="command"><strong>server-id none;</strong></span>
- disables processing of the queries.
- Specifying <span class="command"><strong>server-id hostname;</strong></span> will cause <span class="command"><strong>named</strong></span> to
- use the hostname as found by the gethostname() function.
- The default <span class="command"><strong>server-id</strong></span> is <span class="command"><strong>none</strong></span>.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
-
- <p>
- The <span class="command"><strong>named</strong></span> server has some built-in
- empty zones (SOA and NS records only).
- These are for zones that should normally be answered locally
- and which queries should not be sent to the Internet's root
- servers. The official servers which cover these namespaces
- return NXDOMAIN responses to these queries. In particular,
- these cover the reverse namespaces for addresses from
- RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the
- reverse namespace for IPv6 local address (locally assigned),
- IPv6 link local addresses, the IPv6 loopback address and the
- IPv6 unknown address.
- </p>
- <p>
- The server will attempt to determine if a built-in zone
- already exists or is active (covered by a forward-only
- forwarding declaration) and will not create an empty
- zone in that case.
- </p>
- <p>
- The current list of empty zones is:
- </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">10.IN-ADDR.ARPA</li>
-<li class="listitem">16.172.IN-ADDR.ARPA</li>
-<li class="listitem">17.172.IN-ADDR.ARPA</li>
-<li class="listitem">18.172.IN-ADDR.ARPA</li>
-<li class="listitem">19.172.IN-ADDR.ARPA</li>
-<li class="listitem">20.172.IN-ADDR.ARPA</li>
-<li class="listitem">21.172.IN-ADDR.ARPA</li>
-<li class="listitem">22.172.IN-ADDR.ARPA</li>
-<li class="listitem">23.172.IN-ADDR.ARPA</li>
-<li class="listitem">24.172.IN-ADDR.ARPA</li>
-<li class="listitem">25.172.IN-ADDR.ARPA</li>
-<li class="listitem">26.172.IN-ADDR.ARPA</li>
-<li class="listitem">27.172.IN-ADDR.ARPA</li>
-<li class="listitem">28.172.IN-ADDR.ARPA</li>
-<li class="listitem">29.172.IN-ADDR.ARPA</li>
-<li class="listitem">30.172.IN-ADDR.ARPA</li>
-<li class="listitem">31.172.IN-ADDR.ARPA</li>
-<li class="listitem">168.192.IN-ADDR.ARPA</li>
-<li class="listitem">64.100.IN-ADDR.ARPA</li>
-<li class="listitem">65.100.IN-ADDR.ARPA</li>
-<li class="listitem">66.100.IN-ADDR.ARPA</li>
-<li class="listitem">67.100.IN-ADDR.ARPA</li>
-<li class="listitem">68.100.IN-ADDR.ARPA</li>
-<li class="listitem">69.100.IN-ADDR.ARPA</li>
-<li class="listitem">70.100.IN-ADDR.ARPA</li>
-<li class="listitem">71.100.IN-ADDR.ARPA</li>
-<li class="listitem">72.100.IN-ADDR.ARPA</li>
-<li class="listitem">73.100.IN-ADDR.ARPA</li>
-<li class="listitem">74.100.IN-ADDR.ARPA</li>
-<li class="listitem">75.100.IN-ADDR.ARPA</li>
-<li class="listitem">76.100.IN-ADDR.ARPA</li>
-<li class="listitem">77.100.IN-ADDR.ARPA</li>
-<li class="listitem">78.100.IN-ADDR.ARPA</li>
-<li class="listitem">79.100.IN-ADDR.ARPA</li>
-<li class="listitem">80.100.IN-ADDR.ARPA</li>
-<li class="listitem">81.100.IN-ADDR.ARPA</li>
-<li class="listitem">82.100.IN-ADDR.ARPA</li>
-<li class="listitem">83.100.IN-ADDR.ARPA</li>
-<li class="listitem">84.100.IN-ADDR.ARPA</li>
-<li class="listitem">85.100.IN-ADDR.ARPA</li>
-<li class="listitem">86.100.IN-ADDR.ARPA</li>
-<li class="listitem">87.100.IN-ADDR.ARPA</li>
-<li class="listitem">88.100.IN-ADDR.ARPA</li>
-<li class="listitem">89.100.IN-ADDR.ARPA</li>
-<li class="listitem">90.100.IN-ADDR.ARPA</li>
-<li class="listitem">91.100.IN-ADDR.ARPA</li>
-<li class="listitem">92.100.IN-ADDR.ARPA</li>
-<li class="listitem">93.100.IN-ADDR.ARPA</li>
-<li class="listitem">94.100.IN-ADDR.ARPA</li>
-<li class="listitem">95.100.IN-ADDR.ARPA</li>
-<li class="listitem">96.100.IN-ADDR.ARPA</li>
-<li class="listitem">97.100.IN-ADDR.ARPA</li>
-<li class="listitem">98.100.IN-ADDR.ARPA</li>
-<li class="listitem">99.100.IN-ADDR.ARPA</li>
-<li class="listitem">100.100.IN-ADDR.ARPA</li>
-<li class="listitem">101.100.IN-ADDR.ARPA</li>
-<li class="listitem">102.100.IN-ADDR.ARPA</li>
-<li class="listitem">103.100.IN-ADDR.ARPA</li>
-<li class="listitem">104.100.IN-ADDR.ARPA</li>
-<li class="listitem">105.100.IN-ADDR.ARPA</li>
-<li class="listitem">106.100.IN-ADDR.ARPA</li>
-<li class="listitem">107.100.IN-ADDR.ARPA</li>
-<li class="listitem">108.100.IN-ADDR.ARPA</li>
-<li class="listitem">109.100.IN-ADDR.ARPA</li>
-<li class="listitem">110.100.IN-ADDR.ARPA</li>
-<li class="listitem">111.100.IN-ADDR.ARPA</li>
-<li class="listitem">112.100.IN-ADDR.ARPA</li>
-<li class="listitem">113.100.IN-ADDR.ARPA</li>
-<li class="listitem">114.100.IN-ADDR.ARPA</li>
-<li class="listitem">115.100.IN-ADDR.ARPA</li>
-<li class="listitem">116.100.IN-ADDR.ARPA</li>
-<li class="listitem">117.100.IN-ADDR.ARPA</li>
-<li class="listitem">118.100.IN-ADDR.ARPA</li>
-<li class="listitem">119.100.IN-ADDR.ARPA</li>
-<li class="listitem">120.100.IN-ADDR.ARPA</li>
-<li class="listitem">121.100.IN-ADDR.ARPA</li>
-<li class="listitem">122.100.IN-ADDR.ARPA</li>
-<li class="listitem">123.100.IN-ADDR.ARPA</li>
-<li class="listitem">124.100.IN-ADDR.ARPA</li>
-<li class="listitem">125.100.IN-ADDR.ARPA</li>
-<li class="listitem">126.100.IN-ADDR.ARPA</li>
-<li class="listitem">127.100.IN-ADDR.ARPA</li>
-<li class="listitem">0.IN-ADDR.ARPA</li>
-<li class="listitem">127.IN-ADDR.ARPA</li>
-<li class="listitem">254.169.IN-ADDR.ARPA</li>
-<li class="listitem">2.0.192.IN-ADDR.ARPA</li>
-<li class="listitem">100.51.198.IN-ADDR.ARPA</li>
-<li class="listitem">113.0.203.IN-ADDR.ARPA</li>
-<li class="listitem">255.255.255.255.IN-ADDR.ARPA</li>
-<li class="listitem">0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
-<li class="listitem">1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
-<li class="listitem">8.B.D.0.1.0.0.2.IP6.ARPA</li>
-<li class="listitem">D.F.IP6.ARPA</li>
-<li class="listitem">8.E.F.IP6.ARPA</li>
-<li class="listitem">9.E.F.IP6.ARPA</li>
-<li class="listitem">A.E.F.IP6.ARPA</li>
-<li class="listitem">B.E.F.IP6.ARPA</li>
-</ul></div>
-<p>
- </p>
- <p>
- Empty zones are settable at the view level and only apply to
- views of class IN. Disabled empty zones are only inherited
- from options if there are no disabled empty zones specified
- at the view level. To override the options list of disabled
- zones, you can disable the root zone at the view level, for example:
-</p>
-<pre class="programlisting">
- disable-empty-zone ".";
-</pre>
-<p>
- </p>
- <p>
- If you are using the address ranges covered here, you should
- already have reverse zones covering the addresses you use.
- In practice this appears to not be the case with many queries
- being made to the infrastructure servers for names in these
- spaces. So many in fact that sacrificial servers were needed
- to be deployed to channel the query load away from the
- infrastructure servers.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- The real parent servers for these zones should disable all
- empty zone under the parent zone they serve. For the real
- root servers, this is all built-in empty zones. This will
- enable them to return referrals to deeper in the tree.
- </p>
-</div>
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>empty-server</strong></span></span></dt>
-<dd>
- <p>
- Specify what server name will appear in the returned
- SOA record for empty zones. If none is specified, then
- the zone's name will be used.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>empty-contact</strong></span></span></dt>
-<dd>
- <p>
- Specify what contact name will appear in the returned
- SOA record for empty zones. If none is specified, then
- "." will be used.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>empty-zones-enable</strong></span></span></dt>
-<dd>
- <p>
- Enable or disable all empty zones. By default, they
- are enabled.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>disable-empty-zone</strong></span></span></dt>
-<dd>
- <p>
- Disable individual empty zones. By default, none are
- disabled. This option can be specified multiple times.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="content_filtering"></a>Content Filtering</h4></div></div></div>
-
- <p>
- <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
- out DNS responses from external DNS servers containing
- certain types of data in the answer section.
- Specifically, it can reject address (A or AAAA) records if
- the corresponding IPv4 or IPv6 addresses match the given
- <code class="varname">address_match_list</code> of the
- <span class="command"><strong>deny-answer-addresses</strong></span> option.
- It can also reject CNAME or DNAME records if the "alias"
- name (i.e., the CNAME alias or the substituted query name
- due to DNAME) matches the
- given <code class="varname">namelist</code> of the
- <span class="command"><strong>deny-answer-aliases</strong></span> option, where
- "match" means the alias name is a subdomain of one of
- the <code class="varname">name_list</code> elements.
- If the optional <code class="varname">namelist</code> is specified
- with <span class="command"><strong>except-from</strong></span>, records whose query name
- matches the list will be accepted regardless of the filter
- setting.
- Likewise, if the alias name is a subdomain of the
- corresponding zone, the <span class="command"><strong>deny-answer-aliases</strong></span>
- filter will not apply;
- for example, even if "example.com" is specified for
- <span class="command"><strong>deny-answer-aliases</strong></span>,
- </p>
-<pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
-
- <p>
- returned by an "example.com" server will be accepted.
- </p>
-
- <p>
- In the <code class="varname">address_match_list</code> of the
- <span class="command"><strong>deny-answer-addresses</strong></span> option, only
- <code class="varname">ip_addr</code>
- and <code class="varname">ip_prefix</code>
- are meaningful;
- any <code class="varname">key_id</code> will be silently ignored.
- </p>
-
- <p>
- If a response message is rejected due to the filtering,
- the entire message is discarded without being cached, and
- a SERVFAIL error will be returned to the client.
- </p>
-
- <p>
- This filtering is intended to prevent "DNS rebinding attacks," in
- which an attacker, in response to a query for a domain name the
- attacker controls, returns an IP address within your own network or
- an alias name within your own domain.
- A naive web browser or script could then serve as an
- unintended proxy, allowing the attacker
- to get access to an internal node of your local network
- that couldn't be externally accessed otherwise.
- See the paper available at
- <a class="link" href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top">
- http://portal.acm.org/citation.cfm?id=1315245.1315298
- </a>
- for more details about the attacks.
- </p>
-
- <p>
- For example, if you own a domain named "example.net" and
- your internal network uses an IPv4 prefix 192.0.2.0/24,
- you might specify the following rules:
- </p>
-
-<pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
-deny-answer-aliases { "example.net"; };
-</pre>
-
- <p>
- If an external attacker lets a web browser in your local
- network look up an IPv4 address of "attacker.example.com",
- the attacker's DNS server would return a response like this:
- </p>
-
-<pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
-
- <p>
- in the answer section.
- Since the rdata of this record (the IPv4 address) matches
- the specified prefix 192.0.2.0/24, this response will be
- ignored.
- </p>
-
- <p>
- On the other hand, if the browser looks up a legitimate
- internal web server "www.example.net" and the
- following response is returned to
- the <acronym class="acronym">BIND</acronym> 9 server
- </p>
-
-<pre class="programlisting">www.example.net. A 192.0.2.2</pre>
-
- <p>
- it will be accepted since the owner name "www.example.net"
- matches the <span class="command"><strong>except-from</strong></span> element,
- "example.net".
- </p>
-
- <p>
- Note that this is not really an attack on the DNS per se.
- In fact, there is nothing wrong for an "external" name to
- be mapped to your "internal" IP address or domain name
- from the DNS point of view.
- It might actually be provided for a legitimate purpose,
- such as for debugging.
- As long as the mapping is provided by the correct owner,
- it is not possible or does not make sense to detect
- whether the intent of the mapping is legitimate or not
- within the DNS.
- The "rebinding" attack must primarily be protected at the
- application that uses the DNS.
- For a large site, however, it may be difficult to protect
- all possible applications at once.
- This filtering feature is provided only to help such an
- operational environment;
- it is generally discouraged to turn it on unless you are
- very sure you have no other choice and the attack is a
- real threat for your applications.
- </p>
-
- <p>
- Care should be particularly taken if you want to use this
- option for addresses within 127.0.0.0/8.
- These addresses are obviously "internal", but many
- applications conventionally rely on a DNS mapping from
- some name to such an address.
- Filtering out DNS records containing this address
- spuriously can break such applications.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rpz"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
-
- <p>
- <acronym class="acronym">BIND</acronym> 9 includes a limited
- mechanism to modify DNS responses for requests
- analogous to email anti-spam DNS blacklists.
- Responses can be changed to deny the existence of domains (NXDOMAIN),
- deny the existence of IP addresses for domains (NODATA),
- or contain other IP addresses or data.
- </p>
-
- <p>
- Response policy zones are named in the
- <span class="command"><strong>response-policy</strong></span> option for the view or among the
- global options if there is no response-policy option for the view.
- Response policy zones are ordinary DNS zones containing RRsets
- that can be queried normally if allowed.
- It is usually best to restrict those queries with something like
- <span class="command"><strong>allow-query { localhost; };</strong></span>.
- Note that zones using <span class="command"><strong>masterfile-format map</strong></span>
- cannot be used as policy zones.
- </p>
-
- <p>
- A <span class="command"><strong>response-policy</strong></span> option can support
- multiple policy zones. To maximize performance, a radix
- tree is used to quickly identify response policy zones
- containing triggers that match the current query. This
- imposes an upper limit of 32 on the number of policy zones
- in a single <span class="command"><strong>response-policy</strong></span> option; more
- than that is a configuration error.
- </p>
-
- <p>
- Five policy triggers can be encoded in RPZ records.
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>RPZ-CLIENT-IP</strong></span></span></dt>
-<dd>
- <p>
- IP records are triggered by the IP address of the
- DNS client.
- Client IP address triggers are encoded in records that have
- owner names that are subdomains of
- <span class="command"><strong>rpz-client-ip</strong></span> relativized to the
- policy zone origin name
- and encode an address or address block.
- IPv4 addresses are represented as
- <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-client-ip</code></strong>.
- The IPv4 prefix length must be between 1 and 32.
- All four bytes, B4, B3, B2, and B1, must be present.
- B4 is the decimal value of the least significant byte of the
- IPv4 address as in IN-ADDR.ARPA.
- </p>
-
- <p>
- IPv6 addresses are encoded in a format similar
- to the standard IPv6 text representation,
- <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip</code></strong>.
- Each of W8,...,W1 is a one to four digit hexadecimal number
- representing 16 bits of the IPv6 address as in the standard
- text representation of IPv6 addresses, but reversed as in
- IP6.ARPA. (Note that this representation of IPv6
- address is different from IP6.ARPA where each hex
- digit occupies a label.)
- All 8 words must be present except when one set of consecutive
- zero words is replaced with <strong class="userinput"><code>.zz.</code></strong>
- analogous to double colons (::) in standard IPv6 text
- encodings.
- The IPv6 prefix length must be between 1 and 128.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>QNAME</strong></span></span></dt>
-<dd>
- <p>
- QNAME policy records are triggered by query names of
- requests and targets of CNAME records resolved to generate
- the response.
- The owner name of a QNAME policy record is
- the query name relativized to the policy zone.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>RPZ-IP</strong></span></span></dt>
-<dd>
- <p>
- IP triggers are IP addresses in an
- A or AAAA record in the ANSWER section of a response.
- They are encoded like client-IP triggers except as
- subdomains of <span class="command"><strong>rpz-ip</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>RPZ-NSDNAME</strong></span></span></dt>
-<dd>
- <p>
- NSDNAME triggers match names of authoritative servers
- for the query name, a parent of the query name, a CNAME for
- query name, or a parent of a CNAME.
- They are encoded as subdomains of
- <span class="command"><strong>rpz-nsdname</strong></span> relativized
- to the RPZ origin name.
- NSIP triggers match IP addresses in A and
- AAAA RRsets for domains that can be checked against NSDNAME
- policy records.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>RPZ-NSIP</strong></span></span></dt>
-<dd>
- <p>
- NSIP triggers match the IP addresses of authoritative
- servers. They are enncoded like IP triggers, except as
- subdomains of <span class="command"><strong>rpz-nsip</strong></span>.
- NSDNAME and NSIP triggers are checked only for names with at
- least <span class="command"><strong>min-ns-dots</strong></span> dots.
- The default value of <span class="command"><strong>min-ns-dots</strong></span> is
- 1, to exclude top level domains.
- </p>
- <p>
- If a name server's IP address is not yet known,
- <span class="command"><strong>named</strong></span> will recursively look up
- the IP address before applying an RPZ-NSIP rule.
- This can cause a processing delay. To speed up
- processing at the cost of precision, the
- <span class="command"><strong>nsip-wait-recurse</strong></span> option
- can be used: when set to <strong class="userinput"><code>no</code></strong>,
- RPZ-NSIP rules will only be applied when a name
- servers's IP address has already been looked up and
- cached. If a server's IP address is not in the
- cache, then the RPZ-NSIP rule will be ignored,
- but the address will be looked up in the
- background, and the rule will be applied
- to subsequent queries. The default is
- <strong class="userinput"><code>yes</code></strong>, meaning RPZ-NSIP
- rules should always be applied even if an
- address needs to be looked up first.
- </p>
- </dd>
-</dl></div>
-<p>
- </p>
-
- <p>
- The query response is checked against all response policy zones,
- so two or more policy records can be triggered by a response.
- Because DNS responses are rewritten according to at most one
- policy record, a single record encoding an action (other than
- <span class="command"><strong>DISABLED</strong></span> actions) must be chosen.
- Triggers or the records that encode them are chosen for the
- rewriting in the following order:
- </p>
-<div class="orderedlist"><ol class="orderedlist" type="1">
-<li class="listitem">Choose the triggered record in the zone that appears
- first in the <span class="command"><strong>response-policy</strong></span> option.
- </li>
-<li class="listitem">Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP
- triggers in a single zone.
- </li>
-<li class="listitem">Among NSDNAME triggers, prefer the
- trigger that matches the smallest name under the DNSSEC ordering.
- </li>
-<li class="listitem">Among IP or NSIP triggers, prefer the trigger
- with the longest prefix.
- </li>
-<li class="listitem">Among triggers with the same prefix length,
- prefer the IP or NSIP trigger that matches
- the smallest IP address.
- </li>
-</ol></div>
-<p>
- </p>
-
- <p>
- When the processing of a response is restarted to resolve
- DNAME or CNAME records and a policy record set has
- not been triggered,
- all response policy zones are again consulted for the
- DNAME or CNAME names and addresses.
- </p>
-
- <p>
- RPZ record sets are any types of DNS record except
- DNAME or DNSSEC that encode actions or responses to
- individual queries.
- Any of the policies can be used with any of the triggers.
- For example, while the <span class="command"><strong>TCP-only</strong></span> policy is
- commonly used with <span class="command"><strong>client-IP</strong></span> triggers,
- it can be used with any type of trigger to force the use of
- TCP for responses with owner names in a zone.
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>PASSTHRU</strong></span></span></dt>
-<dd>
- <p>
- The whitelist policy is specified
- by a CNAME whose target is <span class="command"><strong>rpz-passthru</strong></span>.
- It causes the response to not be rewritten
- and is most often used to "poke holes" in policies for
- CIDR blocks.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>DROP</strong></span></span></dt>
-<dd>
- <p>
- The blacklist policy is specified
- by a CNAME whose target is <span class="command"><strong>rpz-drop</strong></span>.
- It causes the response to be discarded.
- Nothing is sent to the DNS client.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>TCP-Only</strong></span></span></dt>
-<dd>
- <p>
- The "slip" policy is specified
- by a CNAME whose target is <span class="command"><strong>rpz-tcp-only</strong></span>.
- It changes UDP responses to short, truncated DNS responses
- that require the DNS client to try again with TCP.
- It is used to mitigate distributed DNS reflection attacks.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>NXDOMAIN</strong></span></span></dt>
-<dd>
- <p>
- The domain undefined response is encoded
- by a CNAME whose target is the root domain (.)
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>NODATA</strong></span></span></dt>
-<dd>
- <p>
- The empty set of resource records is specified by
- CNAME whose target is the wildcard top-level
- domain (*.).
- It rewrites the response to NODATA or ANCOUNT=1.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>Local Data</strong></span></span></dt>
-<dd>
- <p>
- A set of ordinary DNS records can be used to answer queries.
- Queries for record types not the set are answered with
- NODATA.
- </p>
-
- <p>
- A special form of local data is a CNAME whose target is a
- wildcard such as *.example.com.
- It is used as if were an ordinary CNAME after the asterisk (*)
- has been replaced with the query name.
- The purpose for this special form is query logging in the
- walled garden's authority DNS server.
- </p>
- </dd>
-</dl></div>
-<p>
- </p>
-
- <p>
- All of the actions specified in all of the individual records
- in a policy zone
- can be overridden with a <span class="command"><strong>policy</strong></span> clause in the
- <span class="command"><strong>response-policy</strong></span> option.
- An organization using a policy zone provided by another
- organization might use this mechanism to redirect domains
- to its own walled garden.
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>GIVEN</strong></span></span></dt>
-<dd>
- <p>The placeholder policy says "do not override but
- perform the action specified in the zone."
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>DISABLED</strong></span></span></dt>
-<dd>
- <p>
- The testing override policy causes policy zone records to do
- nothing but log what they would have done if the
- policy zone were not disabled.
- The response to the DNS query will be written (or not)
- according to any triggered policy records that are not
- disabled.
- Disabled policy zones should appear first,
- because they will often not be logged
- if a higher precedence trigger is found first.
- </p>
- </dd>
-<dt>
-<span class="term"><span class="command"><strong>PASSTHRU</strong></span>, </span><span class="term"><span class="command"><strong>DROP</strong></span>, </span><span class="term"><span class="command"><strong>TCP-Only</strong></span>, </span><span class="term"><span class="command"><strong>NXDOMAIN</strong></span>, </span><span class="term"><span class="command"><strong>NODATA</strong></span></span>
-</dt>
-<dd>
- <p>
- override with the corresponding per-record policy.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>CNAME domain</strong></span></span></dt>
-<dd>
- <p>
- causes all RPZ policy records to act as if they were
- "cname domain" records.
- </p>
- </dd>
-</dl></div>
-<p>
- </p>
-
- <p>
- By default, the actions encoded in a response policy zone
- are applied only to queries that ask for recursion (RD=1).
- That default can be changed for a single policy zone or
- all response policy zones in a view
- with a <span class="command"><strong>recursive-only no</strong></span> clause.
- This feature is useful for serving the same zone files
- both inside and outside an RFC 1918 cloud and using RPZ to
- delete answers that would otherwise contain RFC 1918 values
- on the externally visible name server or view.
- </p>
-
- <p>
- Also by default, RPZ actions are applied only to DNS requests
- that either do not request DNSSEC metadata (DO=0) or when no
- DNSSEC records are available for request name in the original
- zone (not the response policy zone). This default can be
- changed for all response policy zones in a view with a
- <span class="command"><strong>break-dnssec yes</strong></span> clause. In that case, RPZ
- actions are applied regardless of DNSSEC. The name of the
- clause option reflects the fact that results rewritten by RPZ
- actions cannot verify.
- </p>
-
- <p>
- No DNS records are needed for a QNAME or Client-IP trigger.
- The name or IP address itself is sufficient,
- so in principle the query name need not be recursively resolved.
- However, not resolving the requested
- name can leak the fact that response policy rewriting is in use
- and that the name is listed in a policy zone to operators of
- servers for listed names. To prevent that information leak, by
- default any recursion needed for a request is done before any
- policy triggers are considered. Because listed domains often
- have slow authoritative servers, this default behavior can cost
- significant time.
- The <span class="command"><strong>qname-wait-recurse no</strong></span> option
- overrides that default behavior when recursion cannot
- change a non-error response.
- The option does not affect QNAME or client-IP triggers
- in policy zones listed
- after other zones containing IP, NSIP and NSDNAME triggers, because
- those may depend on the A, AAAA, and NS records that would be
- found during recursive resolution. It also does not affect
- DNSSEC requests (DO=1) unless <span class="command"><strong>break-dnssec yes</strong></span>
- is in use, because the response would depend on whether or not
- RRSIG records were found during resolution.
- Using this option can cause error responses such as SERVFAIL to
- appear to be rewritten, since no recursion is being done to
- discover problems at the authoritative server.
- </p>
-
- <p>
- The TTL of a record modified by RPZ policies is set from the
- TTL of the relevant record in policy zone. It is then limited
- to a maximum value.
- The <span class="command"><strong>max-policy-ttl</strong></span> clause changes the
- maximum seconds from its default of 5.
- </p>
-
- <p>
- For example, you might use this option statement
- </p>
-<pre class="programlisting"> response-policy { zone "badlist"; };</pre>
- <p>
- and this zone statement
- </p>
-<pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
- <p>
- with this zone file
- </p>
-<pre class="programlisting">$TTL 1H
-@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
- NS LOCALHOST.
-
-; QNAME policy records. There are no periods (.) after the owner names.
-nxdomain.domain.com CNAME . ; NXDOMAIN policy
-*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
-nodata.domain.com CNAME *. ; NODATA policy
-*.nodata.domain.com CNAME *. ; NODATA policy
-bad.domain.com A 10.0.0.1 ; redirect to a walled garden
- AAAA 2001:2::1
-bzone.domain.com CNAME garden.example.com.
-
-; do not rewrite (PASSTHRU) OK.DOMAIN.COM
-ok.domain.com CNAME rpz-passthru.
-
-; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
-*.bzone.domain.com CNAME *.garden.example.com.
-
-
-; IP policy records that rewrite all responses containing A records in 127/8
-; except 127.0.0.1
-8.0.0.0.127.rpz-ip CNAME .
-32.1.0.0.127.rpz-ip CNAME rpz-passthru.
-
-; NSDNAME and NSIP policy records
-ns.domain.com.rpz-nsdname CNAME .
-48.zz.2.2001.rpz-nsip CNAME .
-
-; blacklist and whitelist some DNS clients
-112.zz.2001.rpz-client-ip CNAME rpz-drop.
-8.0.0.0.127.rpz-client-ip CNAME rpz-drop.
-
-; force some DNS clients and responses in the example.com zone to TCP
-16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only.
-example.com CNAME rpz-tcp-only.
-*.example.com CNAME rpz-tcp-only.
-
-</pre>
- <p>
- RPZ can affect server performance.
- Each configured response policy zone requires the server to
- perform one to four additional database lookups before a
- query can be answered.
- For example, a DNS server with four policy zones, each with all
- four kinds of response triggers, QNAME, IP, NSIP, and
- NSDNAME, requires a total of 17 times as many database
- lookups as a similar DNS server with no response policy zones.
- A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
- response policy zone with QNAME and IP triggers might achieve a
- maximum queries-per-second rate about 20% lower.
- A server with four response policy zones with QNAME and IP
- triggers might have a maximum QPS rate about 50% lower.
- </p>
-
- <p>
- Responses rewritten by RPZ are counted in the
- <span class="command"><strong>RPZRewrites</strong></span> statistics.
- </p>
-
- <p>
- The <span class="command"><strong>log</strong></span> clause can be used to optionally
- turn off rewrite logging for a particular response policy
- zone. By default, all rewrites are logged.
- </p>
-
- <p>
- Updates to RPZ zones are processed asynchronously; if there
- is more than one update pending they are bundled together.
- If an update to a RPZ zone (for example, via IXFR) happens less
- than <code class="option">min-update-interval</code> seconds after the most
- recent update, then the changes will not be carried out until this
- interval has elapsed. The default is <code class="literal">5</code> seconds.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rrl"></a>Response Rate Limiting</h4></div></div></div>
-
- <p>
- Excessive almost identical UDP <span class="emphasis"><em>responses</em></span>
- can be controlled by configuring a
- <span class="command"><strong>rate-limit</strong></span> clause in an
- <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> statement.
- This mechanism keeps authoritative BIND 9 from being used
- in amplifying reflection denial of service (DoS) attacks.
- Short truncated (TC=1) responses can be sent to provide
- rate-limited responses to legitimate clients within
- a range of forged, attacked IP addresses.
- Legitimate clients react to dropped or truncated response
- by retrying with UDP or with TCP respectively.
- </p>
-
- <p>
- This mechanism is intended for authoritative DNS servers.
- It can be used on recursive servers but can slow
- applications such as SMTP servers (mail receivers) and
- HTTP clients (web browsers) that repeatedly request the
- same domains.
- When possible, closing "open" recursive servers is better.
- </p>
-
- <p>
- Response rate limiting uses a "credit" or "token bucket" scheme.
- Each combination of identical response and client
- has a conceptual account that earns a specified number
- of credits every second.
- A prospective response debits its account by one.
- Responses are dropped or truncated
- while the account is negative.
- Responses are tracked within a rolling window of time
- which defaults to 15 seconds, but can be configured with
- the <span class="command"><strong>window</strong></span> option to any value from
- 1 to 3600 seconds (1 hour).
- The account cannot become more positive than
- the per-second limit
- or more negative than <span class="command"><strong>window</strong></span>
- times the per-second limit.
- When the specified number of credits for a class of
- responses is set to 0, those responses are not rate limited.
- </p>
-
- <p>
- The notions of "identical response" and "DNS client"
- for rate limiting are not simplistic.
- All responses to an address block are counted as if to a
- single client.
- The prefix lengths of addresses blocks are
- specified with <span class="command"><strong>ipv4-prefix-length</strong></span> (default 24)
- and <span class="command"><strong>ipv6-prefix-length</strong></span> (default 56).
- </p>
-
- <p>
- All non-empty responses for a valid domain name (qname)
- and record type (qtype) are identical and have a limit specified
- with <span class="command"><strong>responses-per-second</strong></span>
- (default 0 or no limit).
- All empty (NODATA) responses for a valid domain,
- regardless of query type, are identical.
- Responses in the NODATA class are limited by
- <span class="command"><strong>nodata-per-second</strong></span>
- (default <span class="command"><strong>responses-per-second</strong></span>).
- Requests for any and all undefined subdomains of a given
- valid domain result in NXDOMAIN errors, and are identical
- regardless of query type.
- They are limited by <span class="command"><strong>nxdomains-per-second</strong></span>
- (default <span class="command"><strong>responses-per-second</strong></span>).
- This controls some attacks using random names, but
- can be relaxed or turned off (set to 0)
- on servers that expect many legitimate
- NXDOMAIN responses, such as from anti-spam blacklists.
- Referrals or delegations to the server of a given
- domain are identical and are limited by
- <span class="command"><strong>referrals-per-second</strong></span>
- (default <span class="command"><strong>responses-per-second</strong></span>).
- </p>
-
- <p>
- Responses generated from local wildcards are counted and limited
- as if they were for the parent domain name.
- This controls flooding using random.wild.example.com.
- </p>
-
- <p>
- All requests that result in DNS errors other
- than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
- regardless of requested name (qname) or record type (qtype).
- This controls attacks using invalid requests or distant,
- broken authoritative servers.
- By default the limit on errors is the same as the
- <span class="command"><strong>responses-per-second</strong></span> value,
- but it can be set separately with
- <span class="command"><strong>errors-per-second</strong></span>.
- </p>
-
- <p>
- Many attacks using DNS involve UDP requests with forged source
- addresses.
- Rate limiting prevents the use of BIND 9 to flood a network
- with responses to requests with forged source addresses,
- but could let a third party block responses to legitimate requests.
- There is a mechanism that can answer some legitimate
- requests from a client whose address is being forged in a flood.
- Setting <span class="command"><strong>slip</strong></span> to 2 (its default) causes every
- other UDP request to be answered with a small truncated (TC=1)
- response.
- The small size and reduced frequency, and so lack of
- amplification, of "slipped" responses make them unattractive
- for reflection DoS attacks.
- <span class="command"><strong>slip</strong></span> must be between 0 and 10.
- A value of 0 does not "slip":
- no truncated responses are sent due to rate limiting,
- all responses are dropped.
- A value of 1 causes every response to slip;
- values between 2 and 10 cause every n'th response to slip.
- Some error responses including REFUSED and SERVFAIL
- cannot be replaced with truncated responses and are instead
- leaked at the <span class="command"><strong>slip</strong></span> rate.
- </p>
-
- <p>
- (NOTE: Dropped responses from an authoritative server may
- reduce the difficulty of a third party successfully forging
- a response to a recursive resolver. The best security
- against forged responses is for authoritative operators
- to sign their zones using DNSSEC and for resolver operators
- to validate the responses. When this is not an option,
- operators who are more concerned with response integrity
- than with flood mitigation may consider setting
- <span class="command"><strong>slip</strong></span> to 1, causing all rate-limited
- responses to be truncated rather than dropped. This reduces
- the effectiveness of rate-limiting against reflection attacks.)
- </p>
-
- <p>
- When the approximate query per second rate exceeds
- the <span class="command"><strong>qps-scale</strong></span> value,
- then the <span class="command"><strong>responses-per-second</strong></span>,
- <span class="command"><strong>errors-per-second</strong></span>,
- <span class="command"><strong>nxdomains-per-second</strong></span> and
- <span class="command"><strong>all-per-second</strong></span> values are reduced by the
- ratio of the current rate to the <span class="command"><strong>qps-scale</strong></span> value.
- This feature can tighten defenses during attacks.
- For example, with
- <span class="command"><strong>qps-scale 250; responses-per-second 20;</strong></span> and
- a total query rate of 1000 queries/second for all queries from
- all DNS clients including via TCP,
- then the effective responses/second limit changes to
- (250/1000)*20 or 5.
- Responses sent via TCP are not limited
- but are counted to compute the query per second rate.
- </p>
-
- <p>
- The optional <span class="command"><strong>domain</strong></span> clause specifies
- the namespace to which rate limits will apply. It
- is possible to use different rate limits for different names
- by specifying multiple <span class="command"><strong>rate-limit</strong></span> blocks
- with different <span class="command"><strong>domain</strong></span> clauses.
- The <span class="command"><strong>rate-limit</strong></span> statement's
- <span class="command"><strong>domain</strong></span> most closely matches the query
- name will be the one applied to a given query.
- </p>
-
- <p>
- Rate limiters for different name spaces maintain
- separate counters: If, for example, there is a
- <span class="command"><strong>rate-limit</strong></span> statement for "com" and
- another for "example.com", queries matching "example.com"
- will not be debited against the rate limiter for "com".
- </p>
-
- <p>
- If a <span class="command"><strong>rate-limit</strong></span> statement does not specify a
- <span class="command"><strong>domain</strong></span>, then it applies to the root domain
- (".") and thus affects the entire DNS namespace, except those
- portions covered by other <span class="command"><strong>rate-limit</strong></span>
- statements.
- </p>
-
- <p>
- Communities of DNS clients can be given their own parameters or no
- rate limiting by putting
- <span class="command"><strong>rate-limit</strong></span> statements in <span class="command"><strong>view</strong></span>
- statements instead of the global <span class="command"><strong>option</strong></span>
- statement.
- A <span class="command"><strong>rate-limit</strong></span> statement in a view replaces,
- rather than supplementing, a <span class="command"><strong>rate-limit</strong></span>
- statement among the main options.
- DNS clients within a view can be exempted from rate limits
- with the <span class="command"><strong>exempt-clients</strong></span> clause.
- </p>
-
- <p>
- UDP responses of all kinds can be limited with the
- <span class="command"><strong>all-per-second</strong></span> phrase. This rate
- limiting is unlike the rate limiting provided by
- <span class="command"><strong>responses-per-second</strong></span>,
- <span class="command"><strong>errors-per-second</strong></span>, and
- <span class="command"><strong>nxdomains-per-second</strong></span> on a DNS server
- which are often invisible to the victim of a DNS
- reflection attack. Unless the forged requests of the
- attack are the same as the legitimate requests of the
- victim, the victim's requests are not affected. Responses
- affected by an <span class="command"><strong>all-per-second</strong></span> limit
- are always dropped; the <span class="command"><strong>slip</strong></span> value
- has no effect. An <span class="command"><strong>all-per-second</strong></span>
- limit should be at least 4 times as large as the other
- limits, because single DNS clients often send bursts
- of legitimate requests. For example, the receipt of a
- single mail message can prompt requests from an SMTP
- server for NS, PTR, A, and AAAA records as the incoming
- SMTP/TCP/IP connection is considered. The SMTP server
- can need additional NS, A, AAAA, MX, TXT, and SPF records
- as it considers the STMP <span class="command"><strong>Mail From</strong></span>
- command. Web browsers often repeatedly resolve the
- same names that are repeated in HTML <IMG> tags
- in a page. <span class="command"><strong>all-per-second</strong></span> is similar
- to the rate limiting offered by firewalls but often
- inferior. Attacks that justify ignoring the contents
- of DNS responses are likely to be attacks on the DNS
- server itself. They usually should be discarded before
- the DNS server spends resources make TCP connections
- or parsing DNS requests, but that rate limiting must
- be done before the DNS server sees the requests.
- </p>
-
- <p>
- The maximum size of the table used to track requests and
- rate limit responses is set with <span class="command"><strong>max-table-size</strong></span>.
- Each entry in the table is between 40 and 80 bytes.
- The table needs approximately as many entries as the number
- of requests received per second.
- The default is 20,000.
- To reduce the cold start of growing the table,
- <span class="command"><strong>min-table-size</strong></span> (default 500)
- can set the minimum table size.
- Enable <span class="command"><strong>rate-limit</strong></span> category logging to monitor
- expansions of the table and inform
- choices for the initial and maximum table size.
- </p>
-
- <p>
- Use <span class="command"><strong>log-only yes</strong></span> to test rate limiting parameters
- without actually dropping any requests.
- </p>
-
- <p>
- Responses dropped by rate limits are included in the
- <span class="command"><strong>RateDropped</strong></span> and <span class="command"><strong>QryDropped</strong></span>
- statistics.
- Responses that truncated by rate limits are included in
- <span class="command"><strong>RateSlipped</strong></span> and <span class="command"><strong>RespTruncated</strong></span>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"></div>
- <p>
- Named supports NXDOMAIN redirection via two methods:
- </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">Redirect zone <a class="xref" href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called “<span class="command"><strong>zone</strong></span>
- Statement Grammar”</a>
-</li>
-<li class="listitem">Redirect namespace</li>
-</ul></div>
-<p>
- </p>
- <p>
- With both methods when named gets a NXDOMAIN response
- it examines a separate namespace to see if the NXDOMAIN
- response should be replaced with an alternative response.
- </p>
- <p>
- With a redirect zone (<span class="command"><strong>zone "." { type redirect; };</strong></span>), the
- data used to replace the NXDOMAIN is held in a single
- zone which is not part of the normal namespace. All the
- redirect information is contained in the zone; there are
- no delegations.
- </p>
- <p>
- With a redirect namespace (<span class="command"><strong>option { nxdomain-redirect
- <suffix> };</strong></span>) the data used to replace the
- NXDOMAIN is part of the normal namespace and is looked up by
- appending the specified suffix to the original query name.
- This roughly doubles the cache required to process NXDOMAIN
- responses as you have the original NXDOMAIN response and
- the replacement data or a NXDOMAIN indicating that there
- is no replacement.
- </p>
- <p>
- If both a redirect zone and a redirect namespace are configured,
- the redirect zone is tried first.
- </p>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_grammar"></a><span class="command"><strong>server</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>server</strong></span> ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>ip_prefix</code></em> ) <span class="command"><strong>{</strong></span>
- [ <span class="command"><strong>bogus</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>request-nsid</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>send-cookie</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>edns</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>edns-udp-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>edns-version</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-udp-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>padding</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>tcp-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>tcp-keepalive</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>transfers</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>transfer-format</strong></span> ( one-answer | many-answers ) ; ]
- [ <span class="command"><strong>keys</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>key_id</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>query-source</strong></span> ( [ <span class="command"><strong>address</strong></span> ] ( <em class="replaceable"><code>ip_addr</code></em> | <code class="constant">*</code> ) )
- [ <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>ip_port</code></em> | <code class="constant">*</code> ) ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>query-source-v6</strong></span> ( [ <span class="command"><strong>address</strong></span> ] ( <em class="replaceable"><code>ip_addr</code></em> | <code class="constant">*</code> ) )
- [ <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>ip_port</code></em> | <code class="constant">*</code> ) ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>use-queryport-pool</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>queryport-pool-ports</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>queryport-pool-updateinterval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-</pre>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_definition_and_usage"></a><span class="command"><strong>server</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>server</strong></span> statement defines
- characteristics
- to be associated with a remote name server. If a prefix length is
- specified, then a range of servers is covered. Only the most
- specific
- server clause applies regardless of the order in
- <code class="filename">named.conf</code>.
- </p>
-
- <p>
- The <span class="command"><strong>server</strong></span> statement can occur at
- the top level of the
- configuration file or inside a <span class="command"><strong>view</strong></span>
- statement.
- If a <span class="command"><strong>view</strong></span> statement contains
- one or more <span class="command"><strong>server</strong></span> statements, only
- those
- apply to the view and any top-level ones are ignored.
- If a view contains no <span class="command"><strong>server</strong></span>
- statements,
- any top-level <span class="command"><strong>server</strong></span> statements are
- used as
- defaults.
- </p>
-
- <p>
- If you discover that a remote server is giving out bad data,
- marking it as bogus will prevent further queries to it. The
- default
- value of <span class="command"><strong>bogus</strong></span> is <span class="command"><strong>no</strong></span>.
- </p>
- <p>
- The <span class="command"><strong>provide-ixfr</strong></span> clause determines
- whether
- the local server, acting as master, will respond with an
- incremental
- zone transfer when the given remote server, a slave, requests it.
- If set to <span class="command"><strong>yes</strong></span>, incremental transfer
- will be provided
- whenever possible. If set to <span class="command"><strong>no</strong></span>,
- all transfers
- to the remote server will be non-incremental. If not set, the
- value
- of the <span class="command"><strong>provide-ixfr</strong></span> option in the
- view or
- global options block is used as a default.
- </p>
-
- <p>
- The <span class="command"><strong>request-ixfr</strong></span> clause determines
- whether
- the local server, acting as a slave, will request incremental zone
- transfers from the given remote server, a master. If not set, the
- value of the <span class="command"><strong>request-ixfr</strong></span> option in
- the view or global options block is used as a default. It may
- also be set in the zone block and, if set there, it will
- override the global or view setting for that zone.
- </p>
-
- <p>
- IXFR requests to servers that do not support IXFR will
- automatically
- fall back to AXFR. Therefore, there is no need to manually list
- which servers support IXFR and which ones do not; the global
- default
- of <span class="command"><strong>yes</strong></span> should always work.
- The purpose of the <span class="command"><strong>provide-ixfr</strong></span> and
- <span class="command"><strong>request-ixfr</strong></span> clauses is
- to make it possible to disable the use of IXFR even when both
- master
- and slave claim to support it, for example if one of the servers
- is buggy and crashes or corrupts data when IXFR is used.
- </p>
-
- <p>
- The <span class="command"><strong>request-expire</strong></span> clause determines
- whether the local server, when acting as a slave, will
- request the EDNS EXPIRE value. The EDNS EXPIRE value
- indicates the remaining time before the zone data will
- expire and need to be be refreshed. This is used
- when a secondary server transfers a zone from another
- secondary server; when transferring from the primary, the
- expiration timer is set from the EXPIRE field of the SOA
- record instead.
- The default is <span class="command"><strong>yes</strong></span>.
- </p>
-
- <p>
- The <span class="command"><strong>edns</strong></span> clause determines whether
- the local server will attempt to use EDNS when communicating
- with the remote server. The default is <span class="command"><strong>yes</strong></span>.
- </p>
-
- <p>
- The <span class="command"><strong>edns-udp-size</strong></span> option sets the
- EDNS UDP size that is advertised by <span class="command"><strong>named</strong></span>
- when querying the remote server. Valid values are 512
- to 4096 bytes (values outside this range will be silently
- adjusted to the nearest value within it). This option
- is useful when you wish to advertise a different value
- to this server than the value you advertise globally,
- for example, when there is a firewall at the remote
- site that is blocking large replies. (Note: Currently,
- this sets a single UDP size for all packets sent to the
- server; <span class="command"><strong>named</strong></span> will not deviate from
- this value. This differs from the behavior of
- <span class="command"><strong>edns-udp-size</strong></span> in <span class="command"><strong>options</strong></span>
- or <span class="command"><strong>view</strong></span> statements, where it specifies
- a maximum value. The <span class="command"><strong>server</strong></span> statement
- behavior may be brought into conformance with the
- <span class="command"><strong>options/view</strong></span> behavior in future releases.)
- </p>
-
- <p>
- The <span class="command"><strong>edns-version</strong></span> option sets the
- maximum EDNS VERSION that will be sent to the server(s)
- by the resolver. The actual EDNS version sent is still
- subject to normal EDNS version negotiation rules (see
- RFC 6891), the maximum EDNS version supported by the
- server, and any other heuristics that indicate that a
- lower version should be sent. This option is intended
- to be used when a remote server reacts badly to a given
- EDNS version or higher; it should be set to the highest
- version the remote server is known to support. Valid
- values are 0 to 255; higher values will be silently
- adjusted. This option will not be needed until higher
- EDNS versions than 0 are in use.
- </p>
-
- <p>
- The <span class="command"><strong>max-udp-size</strong></span> option sets the
- maximum EDNS UDP message size <span class="command"><strong>named</strong></span>
- will send. Valid values are 512 to 4096 bytes (values
- outside this range will be silently adjusted). This
- option is useful when you know that there is a firewall
- that is blocking large replies from <span class="command"><strong>named</strong></span>.
- </p>
-
- <p>
- The <span class="command"><strong>padding</strong></span> option adds EDNS Padding
- options to outgoing messages, increasing the packet size to
- a multiple of the specified block size. Valid block sizes
- range from 0 (the default, which disables the use of
- EDNS Padding) to 512 bytes. Larger values will be reduced
- to 512, with a logged warning.
- Note: This option is not currently compatible with no TSIG
- or SIG(0), as the EDNS OPT record containing the padding
- would have to be added to the packet after it had already
- been signed.
- </p>
-
- <p>
- The <span class="command"><strong>tcp-only</strong></span> option sets the transport
- protocol to TCP. The default is to use the UDP transport
- and to fallback on TCP only when a truncated response
- is received.
- </p>
-
- <p>
- The <span class="command"><strong>tcp-keepalive</strong></span> option adds EDNS
- TCP keepalive to messages sent over TCP. Note currently
- idle timeouts in responses are ignored.
- </p>
-
- <p>
- The server supports two zone transfer methods. The first, <span class="command"><strong>one-answer</strong></span>,
- uses one DNS message per resource record transferred. <span class="command"><strong>many-answers</strong></span> packs
- as many resource records as possible into a message. <span class="command"><strong>many-answers</strong></span> is
- more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
- 8.x, and patched versions of <acronym class="acronym">BIND</acronym>
- 4.9.5. You can specify which method
- to use for a server with the <span class="command"><strong>transfer-format</strong></span> option.
- If <span class="command"><strong>transfer-format</strong></span> is not
- specified, the <span class="command"><strong>transfer-format</strong></span>
- specified
- by the <span class="command"><strong>options</strong></span> statement will be
- used.
- </p>
-
- <p><span class="command"><strong>transfers</strong></span>
- is used to limit the number of concurrent inbound zone
- transfers from the specified server. If no
- <span class="command"><strong>transfers</strong></span> clause is specified, the
- limit is set according to the
- <span class="command"><strong>transfers-per-ns</strong></span> option.
- </p>
-
- <p>
- The <span class="command"><strong>keys</strong></span> clause identifies a
- <span class="command"><strong>key_id</strong></span> defined by the <span class="command"><strong>key</strong></span> statement,
- to be used for transaction security (TSIG, <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
- when talking to the remote server.
- When a request is sent to the remote server, a request signature
- will be generated using the key specified here and appended to the
- message. A request originating from the remote server is not
- required
- to be signed by this key.
- </p>
-
- <p>
- Only a single key per server is currently supported.
- </p>
-
- <p>
- The <span class="command"><strong>transfer-source</strong></span> and
- <span class="command"><strong>transfer-source-v6</strong></span> clauses specify
- the IPv4 and IPv6 source
- address to be used for zone transfer with the remote server,
- respectively.
- For an IPv4 remote server, only <span class="command"><strong>transfer-source</strong></span> can
- be specified.
- Similarly, for an IPv6 remote server, only
- <span class="command"><strong>transfer-source-v6</strong></span> can be
- specified.
- For more details, see the description of
- <span class="command"><strong>transfer-source</strong></span> and
- <span class="command"><strong>transfer-source-v6</strong></span> in
- <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
-
- <p>
- The <span class="command"><strong>notify-source</strong></span> and
- <span class="command"><strong>notify-source-v6</strong></span> clauses specify the
- IPv4 and IPv6 source address to be used for notify
- messages sent to remote servers, respectively. For an
- IPv4 remote server, only <span class="command"><strong>notify-source</strong></span>
- can be specified. Similarly, for an IPv6 remote server,
- only <span class="command"><strong>notify-source-v6</strong></span> can be specified.
- </p>
-
- <p>
- The <span class="command"><strong>query-source</strong></span> and
- <span class="command"><strong>query-source-v6</strong></span> clauses specify the
- IPv4 and IPv6 source address to be used for queries
- sent to remote servers, respectively. For an IPv4
- remote server, only <span class="command"><strong>query-source</strong></span> can
- be specified. Similarly, for an IPv6 remote server,
- only <span class="command"><strong>query-source-v6</strong></span> can be specified.
- </p>
-
- <p>
- The <span class="command"><strong>request-nsid</strong></span> clause determines
- whether the local server will add a NSID EDNS option
- to requests sent to the server. This overrides
- <span class="command"><strong>request-nsid</strong></span> set at the view or
- option level.
- </p>
-
- <p>
- The <span class="command"><strong>send-cookie</strong></span> clause determines
- whether the local server will add a COOKIE EDNS option
- to requests sent to the server. This overrides
- <span class="command"><strong>send-cookie</strong></span> set at the view or
- option level. The <span class="command"><strong>named</strong></span> server may
- determine that COOKIE is not supported by the remote server
- and not add a COOKIE EDNS option to requests.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>statistics-channels {</strong></span>
- [ <span class="command"><strong>inet</strong></span> ( <em class="replaceable"><code>ip_addr</code></em> | <code class="constant">*</code> ) [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ]
- [ <span class="command"><strong>allow { </strong></span><em class="replaceable"><code> address_match_list </code></em> <span class="command"><strong>}</strong></span> ] ; ]
- ...
-<span class="command"><strong>}</strong></span>;
-</pre>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>statistics-channels</strong></span> statement
- declares communication channels to be used by system
- administrators to get access to statistics information of
- the name server.
- </p>
-
- <p>
- This statement intends to be flexible to support multiple
- communication protocols in the future, but currently only
- HTTP access is supported.
- It requires that BIND 9 be compiled with libxml2 and/or
- json-c (also known as libjson0); the
- <span class="command"><strong>statistics-channels</strong></span> statement is
- still accepted even if it is built without the library,
- but any HTTP access will fail with an error.
- </p>
-
- <p>
- An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
- listening at the specified <span class="command"><strong>ip_port</strong></span> on the
- specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code>
- (asterisk) is
- interpreted as the IPv4 wildcard address; connections will be
- accepted on any of the system's IPv4 addresses.
- To listen on the IPv6 wildcard address,
- use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
- </p>
-
- <p>
- If no port is specified, port 80 is used for HTTP channels.
- The asterisk "<code class="literal">*</code>" cannot be used for
- <span class="command"><strong>ip_port</strong></span>.
- </p>
-
- <p>
- The attempt of opening a statistics channel is
- restricted by the optional <span class="command"><strong>allow</strong></span> clause.
- Connections to the statistics channel are permitted based on the
- <span class="command"><strong>address_match_list</strong></span>.
- If no <span class="command"><strong>allow</strong></span> clause is present,
- <span class="command"><strong>named</strong></span> accepts connection
- attempts from any address; since the statistics may
- contain sensitive internal information, it is highly
- recommended to restrict the source of connection requests
- appropriately.
- </p>
-
- <p>
- If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
- <span class="command"><strong>named</strong></span> will not open any communication channels.
- </p>
-
- <p>
- The statistics are available in various formats and views
- depending on the URI used to access them. For example, if
- the statistics channel is configured to listen on 127.0.0.1
- port 8888, then the statistics are accessible in XML format at
- <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
- <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
- included which can format the XML statistics into tables
- when viewed with a stylesheet-capable browser, and into
- charts and graphs using the Google Charts API when using a
- javascript-capable browser.
- </p>
-
- <p>
- Applications that depend on a particular XML schema
- can request
- <a class="link" href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2
- of the statistics XML schema or
- <a class="link" href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
- If the requested schema is supported by the server, then
- it will respond; if not, it will return a "page not found"
- error.
- </p>
-
- <p>
- Broken-out subsets of the statistics can be viewed at
- <a class="link" href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
- (server uptime and last reconfiguration time),
- <a class="link" href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a>
- (server and resolver statistics),
- <a class="link" href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a>
- (zone statistics),
- <a class="link" href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a>
- (network status and socket statistics),
- <a class="link" href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a>
- (memory manager statistics),
- <a class="link" href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a>
- (task manager statistics), and
- <a class="link" href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
- (traffic sizes).
- </p>
-
- <p>
- The full set of statistics can also be read in JSON format at
- <a class="link" href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
- with the broken-out subsets at
- <a class="link" href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
- (server uptime and last reconfiguration time),
- <a class="link" href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
- (server and resolver statistics),
- <a class="link" href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a>
- (zone statistics),
- <a class="link" href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a>
- (network status and socket statistics),
- <a class="link" href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a>
- (memory manager statistics),
- <a class="link" href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a>
- (task manager statistics), and
- <a class="link" href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
- (traffic sizes).
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>trusted-keys {</strong></span>
- ( <em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key_data</code></em> ; )
- ...
-<span class="command"><strong>}</strong></span> ;
-</pre>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
- and Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>trusted-keys</strong></span> statement defines
- DNSSEC security roots. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
- public key for a non-authoritative zone is known, but
- cannot be securely obtained through DNS, either because
- it is the DNS root zone or because its parent zone is
- unsigned. Once a key has been configured as a trusted
- key, it is treated as if it had been validated and
- proven secure. The resolver attempts DNSSEC validation
- on all DNS data in subdomains of a security root.
- </p>
- <p>
- All keys (and corresponding zones) listed in
- <span class="command"><strong>trusted-keys</strong></span> are deemed to exist regardless
- of what parent zones say. Similarly for all keys listed in
- <span class="command"><strong>trusted-keys</strong></span> only those keys are
- used to validate the DNSKEY RRset. The parent's DS RRset
- will not be used.
- </p>
- <p>
- The <span class="command"><strong>trusted-keys</strong></span> statement can contain
- multiple key entries, each consisting of the key's
- domain name, flags, protocol, algorithm, and the Base-64
- representation of the key data.
- Spaces, tabs, newlines and carriage returns are ignored
- in the key data, so the configuration may be split up into
- multiple lines.
- </p>
- <p>
- <span class="command"><strong>trusted-keys</strong></span> may be set at the top level
- of <code class="filename">named.conf</code> or within a view. If it is
- set in both places, they are additive: keys defined at the top
- level are inherited by all views, but keys defined in a view
- are only used within that view.
- </p>
- <p>
- Validation below specified names can be temporarily disabled
- by using <span class="command"><strong>rndc nta</strong></span>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>managed-keys {</strong></span>
- ( <em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>initial_key</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key_data</code></em> ; )
- ...
-<span class="command"><strong>}</strong></span> ;
-</pre>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
- and Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>managed-keys</strong></span> statement, like
- <span class="command"><strong>trusted-keys</strong></span>, defines DNSSEC
- security roots. The difference is that
- <span class="command"><strong>managed-keys</strong></span> can be kept up to date
- automatically, without intervention from the resolver
- operator.
- </p>
- <p>
- Suppose, for example, that a zone's key-signing
- key was compromised, and the zone owner had to revoke and
- replace the key. A resolver which had the old key in a
- <span class="command"><strong>trusted-keys</strong></span> statement would be
- unable to validate this zone any longer; it would
- reply with a SERVFAIL response code. This would
- continue until the resolver operator had updated the
- <span class="command"><strong>trusted-keys</strong></span> statement with the new key.
- </p>
- <p>
- If, however, the zone were listed in a
- <span class="command"><strong>managed-keys</strong></span> statement instead, then the
- zone owner could add a "stand-by" key to the zone in advance.
- <span class="command"><strong>named</strong></span> would store the stand-by key, and
- when the original key was revoked, <span class="command"><strong>named</strong></span>
- would be able to transition smoothly to the new key. It would
- also recognize that the old key had been revoked, and cease
- using that key to validate answers, minimizing the damage that
- the compromised key could do.
- </p>
- <p>
- A <span class="command"><strong>managed-keys</strong></span> statement contains a list of
- the keys to be managed, along with information about how the
- keys are to be initialized for the first time. The only
- initialization method currently supported (as of
- <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>.
- This means the <span class="command"><strong>managed-keys</strong></span> statement must
- contain a copy of the initializing key. (Future releases may
- allow keys to be initialized by other methods, eliminating this
- requirement.)
- </p>
- <p>
- Consequently, a <span class="command"><strong>managed-keys</strong></span> statement
- appears similar to a <span class="command"><strong>trusted-keys</strong></span>, differing
- in the presence of the second field, containing the keyword
- <code class="literal">initial-key</code>. The difference is, whereas the
- keys listed in a <span class="command"><strong>trusted-keys</strong></span> continue to be
- trusted until they are removed from
- <code class="filename">named.conf</code>, an initializing key listed
- in a <span class="command"><strong>managed-keys</strong></span> statement is only trusted
- <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
- managed key database and start the RFC 5011 key maintenance
- process.
- </p>
- <p>
- The first time <span class="command"><strong>named</strong></span> runs with a managed key
- configured in <code class="filename">named.conf</code>, it fetches the
- DNSKEY RRset directly from the zone apex, and validates it
- using the key specified in the <span class="command"><strong>managed-keys</strong></span>
- statement. If the DNSKEY RRset is validly signed, then it is
- used as the basis for a new managed keys database.
- </p>
- <p>
- From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
- sees the <span class="command"><strong>managed-keys</strong></span> statement, checks to
- make sure RFC 5011 key maintenance has already been initialized
- for the specified domain, and if so, it simply moves on. The
- key specified in the <span class="command"><strong>managed-keys</strong></span>
- statement is not used to validate answers; it has been
- superseded by the key or keys stored in the managed keys database.
- </p>
- <p>
- The next time <span class="command"><strong>named</strong></span> runs after a name
- has been <span class="emphasis"><em>removed</em></span> from the
- <span class="command"><strong>managed-keys</strong></span> statement, the corresponding
- zone will be removed from the managed keys database,
- and RFC 5011 key maintenance will no longer be used for that
- domain.
- </p>
- <p>
- In the current implementation, the managed keys database
- is stored as a master-format zone file.
- </p>
- <p>
- On servers which do not use views, this file is named
- <code class="filename">managed-keys.bind</code>. When views are in
- use, there will be a separate managed keys database for each
- view; the filename will be the view name (or, if a view name
- contains characters which would make it illegal as a filename,
- a hash of the view name), followed by
- the suffix <code class="filename">.mkeys</code>.
- </p>
- <p>
- When the key database is changed, the zone is updated.
- As with any other dynamic zone, changes will be written
- into a journal file, e.g.,
- <code class="filename">managed-keys.bind.jnl</code> or
- <code class="filename">internal.mkeys.jnl</code>.
- Changes are committed to the master file as soon as
- possible afterward; this will usually occur within 30
- seconds. So, whenever <span class="command"><strong>named</strong></span> is using
- automatic key maintenance, the zone file and journal file
- can be expected to exist in the working directory.
- (For this reason among others, the working directory
- should be always be writable by <span class="command"><strong>named</strong></span>.)
- </p>
- <p>
- If the <span class="command"><strong>dnssec-validation</strong></span> option is
- set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span>
- will automatically initialize a managed key for the
- root zone. Similarly, if the <span class="command"><strong>dnssec-lookaside</strong></span>
- option is set to <strong class="userinput"><code>auto</code></strong>,
- <span class="command"><strong>named</strong></span> will automatically initialize
- a managed key for the zone <code class="literal">dlv.isc.org</code>.
- (Note: The ISC DLV service is expected to cease operation by
- the end of 2017.) In both cases, the key that is used to
- initialize the key maintenance process is built into
- <span class="command"><strong>named</strong></span>, and can be overridden from
- <span class="command"><strong>bindkeys-file</strong></span>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="view_statement_grammar"></a><span class="command"><strong>view</strong></span> Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>view</strong></span> <em class="replaceable"><code>view_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
- <span class="command"><strong>match-clients {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ;
- <span class="command"><strong>match-destinations {</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ;
- <span class="command"><strong>match-recursive-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ;
- [ <em class="replaceable"><code>view_option</code></em> ; ... ]
- [ <em class="replaceable"><code>zone_statement</code></em> ; ... ]
-<span class="command"><strong>} </strong></span>;
-</pre>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="view_statement"></a><span class="command"><strong>view</strong></span> Statement Definition and Usage</h3></div></div></div>
-
- <p>
- The <span class="command"><strong>view</strong></span> statement is a powerful
- feature
- of <acronym class="acronym">BIND</acronym> 9 that lets a name server
- answer a DNS query differently
- depending on who is asking. It is particularly useful for
- implementing
- split DNS setups without having to run multiple servers.
- </p>
-
- <p>
- Each <span class="command"><strong>view</strong></span> statement defines a view
- of the
- DNS namespace that will be seen by a subset of clients. A client
- matches
- a view if its source IP address matches the
- <code class="varname">address_match_list</code> of the view's
- <span class="command"><strong>match-clients</strong></span> clause and its
- destination IP address matches
- the <code class="varname">address_match_list</code> of the
- view's
- <span class="command"><strong>match-destinations</strong></span> clause. If not
- specified, both
- <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span>
- default to matching all addresses. In addition to checking IP
- addresses
- <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span>
- can also take <span class="command"><strong>keys</strong></span> which provide an
- mechanism for the
- client to select the view. A view can also be specified
- as <span class="command"><strong>match-recursive-only</strong></span>, which
- means that only recursive
- requests from matching clients will match that view.
- The order of the <span class="command"><strong>view</strong></span> statements is
- significant —
- a client request will be resolved in the context of the first
- <span class="command"><strong>view</strong></span> that it matches.
- </p>
-
- <p>
- Zones defined within a <span class="command"><strong>view</strong></span>
- statement will
- only be accessible to clients that match the <span class="command"><strong>view</strong></span>.
- By defining a zone of the same name in multiple views, different
- zone data can be given to different clients, for example,
- "internal"
- and "external" clients in a split DNS setup.
- </p>
-
- <p>
- Many of the options given in the <span class="command"><strong>options</strong></span> statement
- can also be used within a <span class="command"><strong>view</strong></span>
- statement, and then
- apply only when resolving queries with that view. When no
- view-specific
- value is given, the value in the <span class="command"><strong>options</strong></span> statement
- is used as a default. Also, zone options can have default values
- specified
- in the <span class="command"><strong>view</strong></span> statement; these
- view-specific defaults
- take precedence over those in the <span class="command"><strong>options</strong></span> statement.
- </p>
-
- <p>
- Views are class specific. If no class is given, class IN
- is assumed. Note that all non-IN views must contain a hint zone,
- since only the IN class has compiled-in default hints.
- </p>
-
- <p>
- If there are no <span class="command"><strong>view</strong></span> statements in
- the config
- file, a default view that matches any client is automatically
- created
- in class IN. Any <span class="command"><strong>zone</strong></span> statements
- specified on
- the top level of the configuration file are considered to be part
- of
- this default view, and the <span class="command"><strong>options</strong></span>
- statement will
- apply to the default view. If any explicit <span class="command"><strong>view</strong></span>
- statements are present, all <span class="command"><strong>zone</strong></span>
- statements must
- occur inside <span class="command"><strong>view</strong></span> statements.
- </p>
-
- <p>
- Here is an example of a typical split DNS setup implemented
- using <span class="command"><strong>view</strong></span> statements:
- </p>
-
-<pre class="programlisting">view "internal" {
- // This should match our internal networks.
- match-clients { 10.0.0.0/8; };
-
- // Provide recursive service to internal
- // clients only.
- recursion yes;
-
- // Provide a complete view of the example.com
- // zone including addresses of internal hosts.
- zone "example.com" {
- type master;
- file "example-internal.db";
- };
-};
-
-view "external" {
- // Match all clients not matched by the
- // previous view.
- match-clients { any; };
-
- // Refuse recursive service to external clients.
- recursion no;
-
- // Provide a restricted view of the example.com
- // zone containing only publicly accessible hosts.
- zone "example.com" {
- type master;
- file "example-external.db";
- };
-};
-</pre>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zone_statement_grammar"></a><span class="command"><strong>zone</strong></span>
- Statement Grammar</h3></div></div></div>
-
-<pre class="programlisting"><span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
- <span class="command"><strong>type</strong></span> master ;
- [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-query-on</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-transfer</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-update</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>update-policy</strong></span> <code class="option">local</code> | <span class="command"><strong>{</strong></span> <em class="replaceable"><code>update_policy_rule</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>also-notify</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
- ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
- ...
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>check-names</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
- [ <span class="command"><strong>check-mx</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
- [ <span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>check-spf</strong></span> ( <code class="option">warn</code> | <code class="option">ignore</code> ); ]
- [ <span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>dialup</strong></span> <em class="replaceable"><code>dialup_option</code></em> ; ]
- [ <span class="command"><strong>file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
- [ <span class="command"><strong>journal</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>max-journal-size</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
- [ <span class="command"><strong>forward</strong></span> ( <code class="option">only</code> | <code class="option">first</code> ) ; ]
- [ <span class="command"><strong>forwarders</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ... ] <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>ixfr-base</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>ixfr-tmp-file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>maintain-ixfr-base</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>max-ixfr-log-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>notify</strong></span> <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">explicit</code> | <code class="option">master-only</code> ; ]
- [ <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>seconds</code></em> ; ]
- [ <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>pubkey</strong></span> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>zone-statistics</strong></span> ( <code class="option">full</code> | <code class="option">terse</code> | <code class="option">none</code> ) ; ]
- [ <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>number</code></em> [ <em class="replaceable"><code>number</code></em> ] ; ]
- [ <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong></strong></span><span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>auto-dnssec</strong></span> ( <code class="option">allow</code> | <code class="option">maintain</code> | <code class="option">off</code> ) ; ]
- [ <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>serial-update-method</strong></span> ( <code class="option">increment</code> | <code class="option">unixtime</code> | <code class="option">date</code> ) ; ]
- [ <span class="command"><strong>max-zone-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
- <span class="command"><strong>type</strong></span> slave ;
- [ <span class="command"><strong>allow-notify</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-query-on</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-transfer</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-update-forwarding</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>dnssec-update-mode</strong></span> ( <code class="option">maintain</code> | <code class="option">no-resign</code> ); ]
- [ <span class="command"><strong>update-check-ksk</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>also-notify</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
- ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
- ...
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>check-names</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
- [ <span class="command"><strong>dialup</strong></span> <em class="replaceable"><code>dialup_option</code></em> ; ]
- [ <span class="command"><strong>file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
- [ <span class="command"><strong>journal</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>max-journal-size</strong></span> <em class="replaceable"><code>size_spec</code></em> ; ]
- [ <span class="command"><strong>forward</strong></span> ( <code class="option">only</code> | <code class="option">first</code> ) ; ]
- [ <span class="command"><strong>forwarders</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ... <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>ixfr-base</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>ixfr-tmp-file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>maintain-ixfr-base</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>masters</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
- ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
- ...
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>max-ixfr-log-size</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>notify</strong></span> ( <em class="replaceable"><code>yes_or_no</code></em> | <code class="option">explicit</code> | <code class="option">master-only</code> ) ; ]
- [ <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>seconds</code></em> ; ]
- [ <span class="command"><strong>notify-to-soa</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>pubkey</strong></span> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>zone-statistics</strong></span> ( <code class="option">full</code> | <code class="option">terse</code> | <code class="option">none</code> ) ; ]
- [ <span class="command"><strong>sig-validity-interval</strong></span> <em class="replaceable"><code>number</code></em> [ <em class="replaceable"><code>number</code></em> ] ; ]
- [ <span class="command"><strong>sig-signing-nodes</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>sig-signing-signatures</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>sig-signing-type</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong></strong></span><span class="command"><strong>key-directory</strong></span> <em class="replaceable"><code>path_name</code></em> ; ]
- [ <span class="command"><strong>auto-dnssec</strong></span> ( <code class="option">allow</code> | <code class="option">maintain</code> | <code class="option">off</code> ) ; ]
- [ <span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
- <span class="command"><strong>type</strong></span> hint;
- <span class="command"><strong>file</strong></span> <em class="replaceable"><code>string</code></em> ;
- [ <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>check-names</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ] // Not Implemented.
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
- <span class="command"><strong>type</strong></span> stub;
- [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>allow-query-on</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>check-names</strong></span> ( <code class="option">warn</code> | <code class="option">fail</code> | <code class="option">ignore</code> ) ; ]
- [ <span class="command"><strong>dialup</strong></span> <em class="replaceable"><code>dialup_option</code></em> ; ]
- [ <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
- [ <span class="command"><strong>forward</strong></span> ( <code class="option">only</code> | <code class="option">first</code> ) ; ]
- [ <span class="command"><strong>forwarders</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ... ] <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>masters</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
- ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
- ...
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>pubkey</strong></span> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code> )
- [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ]
- [ <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
- [ <span class="command"><strong>zone-statistics</strong></span> ( <code class="option">full</code> | <code class="option">terse</code> | <code class="option">none</code> ) ; ]
- [ <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>number</code></em> ; ]
- [ <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
- <span class="command"><strong>type</strong></span> static-stub;
- [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>server-addresses</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>ip_addr</code></em> ; ... <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>server-names</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>namelist</code></em> ] <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>zone-statistics</strong></span> ( <code class="option">full</code> | <code class="option">terse</code> | <code class="option">none</code> ) ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
- <span class="command"><strong>type</strong></span> forward;
- [ <span class="command"><strong>forward</strong></span> ( <code class="option">only</code> | <code class="option">first</code> ) ; ]
- [ <span class="command"><strong>forwarders</strong></span> <span class="command"><strong>{</strong></span> [ <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] ; ... <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>delegation-only</strong></span> <em class="replaceable"><code>yes_or_no</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>"."</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
- <span class="command"><strong>type</strong></span> redirect;
- [ <span class="command"><strong>file</strong></span> <em class="replaceable"><code>string</code></em> ; ]
- [ <span class="command"><strong>masters</strong></span> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] [ <span class="command"><strong>dscp</strong></span> <em class="replaceable"><code>ip_dscp</code></em> ] <span class="command"><strong>{</strong></span>
- ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [ <span class="command"><strong>port</strong></span> <em class="replaceable"><code>ip_port</code></em> ] ) [ <span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_name</code></em> ] ;
- ...
- <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>masterfile-format</strong></span> ( <code class="option">text</code> | <code class="option">raw</code> | <code class="option">map</code> ) ; ]
- [ <span class="command"><strong>allow-query</strong></span> <span class="command"><strong>{</strong></span> <em class="replaceable"><code>address_match_list</code></em> <span class="command"><strong>}</strong></span> ; ]
- [ <span class="command"><strong>max-zone-ttl</strong></span> <em class="replaceable"><code>number</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
- <span class="command"><strong>type</strong></span> delegation-only;
-<span class="command"><strong>}</strong></span> ;
-
-<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [ <em class="replaceable"><code>class</code></em> ] <span class="command"><strong>{</strong></span>
- [ <span class="command"><strong>in-view</strong></span> <em class="replaceable"><code>string</code></em> ; ]
-<span class="command"><strong>}</strong></span> ;
-
-</pre>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zone_statement"></a><span class="command"><strong>zone</strong></span> Statement Definition and Usage</h3></div></div></div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_types"></a>Zone Types</h4></div></div></div>
- <p>
- The <span class="command"><strong>type</strong></span> keyword is required
- for the <span class="command"><strong>zone</strong></span> configuration unless
- it is an <span class="command"><strong>in-view</strong></span> configuration. Its
- acceptable values include: <code class="varname">delegation-only</code>,
- <code class="varname">forward</code>, <code class="varname">hint</code>,
- <code class="varname">master</code>, <code class="varname">redirect</code>,
- <code class="varname">slave</code>, <code class="varname">static-stub</code>,
- and <code class="varname">stub</code>.
- </p>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col class="1">
-<col width="4.017in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="varname">master</code>
- </p>
- </td>
-<td>
- <p>
- The server has a master copy of the data
- for the zone and will be able to provide authoritative
- answers for
- it.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">slave</code>
- </p>
- </td>
-<td>
- <p>
- A slave zone is a replica of a master
- zone. The <span class="command"><strong>masters</strong></span> list
- specifies one or more IP addresses
- of master servers that the slave contacts to update
- its copy of the zone.
- Masters list elements can also be names of other
- masters lists.
- By default, transfers are made from port 53 on the
- servers; this can
- be changed for all servers by specifying a port number
- before the
- list of IP addresses, or on a per-server basis after
- the IP address.
- Authentication to the master can also be done with
- per-server TSIG keys.
- If a file is specified, then the
- replica will be written to this file whenever the zone
- is changed,
- and reloaded from this file on a server restart. Use
- of a file is
- recommended, since it often speeds server startup and
- eliminates
- a needless waste of bandwidth. Note that for large
- numbers (in the
- tens or hundreds of thousands) of zones per server, it
- is best to
- use a two-level naming scheme for zone filenames. For
- example,
- a slave server for the zone <code class="literal">example.com</code> might place
- the zone contents into a file called
- <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
- just the first two letters of the zone name. (Most
- operating systems
- behave very slowly if you put 100000 files into
- a single directory.)
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">stub</code>
- </p>
- </td>
-<td>
- <p>
- A stub zone is similar to a slave zone,
- except that it replicates only the NS records of a
- master zone instead
- of the entire zone. Stub zones are not a standard part
- of the DNS;
- they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
- </p>
-
- <p>
- Stub zones can be used to eliminate the need for glue
- NS record
- in a parent zone at the expense of maintaining a stub
- zone entry and
- a set of name server addresses in <code class="filename">named.conf</code>.
- This usage is not recommended for new configurations,
- and BIND 9
- supports it only in a limited way.
- In <acronym class="acronym">BIND</acronym> 4/8, zone
- transfers of a parent zone
- included the NS records from stub children of that
- zone. This meant
- that, in some cases, users could get away with
- configuring child stubs
- only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
- 9 never mixes together zone data from different zones
- in this
- way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
- zone has child stub zones configured, all the slave
- servers for the
- parent zone also need to have the same child stub
- zones
- configured.
- </p>
-
- <p>
- Stub zones can also be used as a way of forcing the
- resolution
- of a given domain to use a particular set of
- authoritative servers.
- For example, the caching name servers on a private
- network using
- RFC1918 addressing may be configured with stub zones
- for
- <code class="literal">10.in-addr.arpa</code>
- to use a set of internal name servers as the
- authoritative
- servers for that domain.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">static-stub</code>
- </p>
- </td>
-<td>
- <p>
- A static-stub zone is similar to a stub zone
- with the following exceptions:
- the zone data is statically configured, rather
- than transferred from a master server;
- when recursion is necessary for a query that
- matches a static-stub zone, the locally
- configured data (nameserver names and glue addresses)
- is always used even if different authoritative
- information is cached.
- </p>
- <p>
- Zone data is configured via the
- <span class="command"><strong>server-addresses</strong></span> and
- <span class="command"><strong>server-names</strong></span> zone options.
- </p>
- <p>
- The zone data is maintained in the form of NS
- and (if necessary) glue A or AAAA RRs
- internally, which can be seen by dumping zone
- databases by <span class="command"><strong>rndc dumpdb -all</strong></span>.
- The configured RRs are considered local configuration
- parameters rather than public data.
- Non recursive queries (i.e., those with the RD
- bit off) to a static-stub zone are therefore
- prohibited and will be responded with REFUSED.
- </p>
- <p>
- Since the data is statically configured, no
- zone maintenance action takes place for a static-stub
- zone.
- For example, there is no periodic refresh
- attempt, and an incoming notify message
- will be rejected with an rcode of NOTAUTH.
- </p>
- <p>
- Each static-stub zone is configured with
- internally generated NS and (if necessary)
- glue A or AAAA RRs
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">forward</code>
- </p>
- </td>
-<td>
- <p>
- A "forward zone" is a way to configure
- forwarding on a per-domain basis. A <span class="command"><strong>zone</strong></span> statement
- of type <span class="command"><strong>forward</strong></span> can
- contain a <span class="command"><strong>forward</strong></span>
- and/or <span class="command"><strong>forwarders</strong></span>
- statement,
- which will apply to queries within the domain given by
- the zone
- name. If no <span class="command"><strong>forwarders</strong></span>
- statement is present or
- an empty list for <span class="command"><strong>forwarders</strong></span> is given, then no
- forwarding will be done for the domain, canceling the
- effects of
- any forwarders in the <span class="command"><strong>options</strong></span> statement. Thus
- if you want to use this type of zone to change the
- behavior of the
- global <span class="command"><strong>forward</strong></span> option
- (that is, "forward first"
- to, then "forward only", or vice versa, but want to
- use the same
- servers as set globally) you need to re-specify the
- global forwarders.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">hint</code>
- </p>
- </td>
-<td>
- <p>
- The initial set of root name servers is
- specified using a "hint zone". When the server starts
- up, it uses
- the root hints to find a root name server and get the
- most recent
- list of root name servers. If no hint zone is
- specified for class
- IN, the server uses a compiled-in default set of root
- servers hints.
- Classes other than IN have no built-in defaults hints.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">redirect</code>
- </p>
- </td>
-<td>
- <p>
- Redirect zones are used to provide answers to
- queries when normal resolution would result in
- NXDOMAIN being returned.
- Only one redirect zone is supported
- per view. <span class="command"><strong>allow-query</strong></span> can be
- used to restrict which clients see these answers.
- </p>
- <p>
- If the client has requested DNSSEC records (DO=1) and
- the NXDOMAIN response is signed then no substitution
- will occur.
- </p>
- <p>
- To redirect all NXDOMAIN responses to
- 100.100.100.2 and
- 2001:ffff:ffff::100.100.100.2, one would
- configure a type redirect zone named ".",
- with the zone file containing wildcard records
- that point to the desired addresses:
- <code class="literal">"*. IN A 100.100.100.2"</code>
- and
- <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>.
- </p>
- <p>
- To redirect all Spanish names (under .ES) one
- would use similar entries but with the names
- "*.ES." instead of "*.". To redirect all
- commercial Spanish names (under COM.ES) one
- would use wildcard entries called "*.COM.ES.".
- </p>
- <p>
- Note that the redirect zone supports all
- possible types; it is not limited to A and
- AAAA records.
- </p>
- <p>
- If a redirect zone is configured with a
- <code class="option">masters</code> option, then it is
- transfered in as if it were a slave zone.
- Otherwise, it is loaded from a file as if it
- were a master zone.
- </p>
- <p>
- Because redirect zones are not referenced
- directly by name, they are not kept in the
- zone lookup table with normal master and slave
- zones. To reload a redirect zone, use
- <span class="command"><strong>rndc reload -redirect</strong></span>,
- and to retransfer a redirect zone configured
- as slave, use
- <span class="command"><strong>rndc retransfer -redirect</strong></span>.
- When using <span class="command"><strong>rndc reload</strong></span>
- without specifying a zone name, redirect zones
- will be reloaded along with other zones.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">delegation-only</code>
- </p>
- </td>
-<td>
- <p>
- This is used to enforce the delegation-only
- status of infrastructure zones (e.g. COM,
- NET, ORG). Any answer that is received
- without an explicit or implicit delegation
- in the authority section will be treated
- as NXDOMAIN. This does not apply to the
- zone apex. This should not be applied to
- leaf zones.
- </p>
- <p>
- <code class="varname">delegation-only</code> has no
- effect on answers received from forwarders.
- </p>
- <p>
- See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="class"></a>Class</h4></div></div></div>
-
- <p>
- The zone's name may optionally be followed by a class. If
- a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
- is assumed. This is correct for the vast majority of cases.
- </p>
- <p>
- The <code class="literal">hesiod</code> class is
- named for an information service from MIT's Project Athena. It
- is
- used to share information about various systems databases, such
- as users, groups, printers and so on. The keyword
- <code class="literal">HS</code> is
- a synonym for hesiod.
- </p>
- <p>
- Another MIT development is Chaosnet, a LAN protocol created
- in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_options"></a>Zone Options</h4></div></div></div>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>allow-notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>allow-query</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>allow-query-on</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
-<dd>
- <p>
- See the description of <span class="command"><strong>allow-transfer</strong></span>
- in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
-<dd>
- <p>
- See the description of <span class="command"><strong>allow-update</strong></span>
- in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>update-policy</strong></span></span></dt>
-<dd>
- <p>
- Specifies a "Simple Secure Update" policy. See
- <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
-<dd>
- <p>
- See the description of <span class="command"><strong>allow-update-forwarding</strong></span>
- in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt>
-<dd>
- <p>
- Only meaningful if <span class="command"><strong>notify</strong></span>
- is
- active for this zone. The set of machines that will
- receive a
- <code class="literal">DNS NOTIFY</code> message
- for this zone is made up of all the listed name servers
- (other than
- the primary master) for the zone plus any IP addresses
- specified
- with <span class="command"><strong>also-notify</strong></span>. A port
- may be specified
- with each <span class="command"><strong>also-notify</strong></span>
- address to send the notify
- messages to a port other than the default of 53.
- A TSIG key may also be specified to cause the
- <code class="literal">NOTIFY</code> to be signed by the
- given key.
- <span class="command"><strong>also-notify</strong></span> is not
- meaningful for stub zones.
- The default is the empty list.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
-<dd>
- <p>
- This option is used to restrict the character set and
- syntax of
- certain domain names in master files and/or DNS responses
- received from the
- network. The default varies according to zone type. For <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>. For <span class="command"><strong>slave</strong></span>
- zones the default is <span class="command"><strong>warn</strong></span>.
- It is not implemented for <span class="command"><strong>hint</strong></span> zones.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>check-mx</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>check-spf</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>check-wildcard</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>check-integrity</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>check-sibling</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>zero-no-soa-ttl</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>update-check-ksk</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>dnssec-loadkeys-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>dnssec-update-mode</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>try-tcp-refresh</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>database</strong></span></span></dt>
-<dd>
- <p>
- Specify the type of database to be used for storing the
- zone data. The string following the <span class="command"><strong>database</strong></span> keyword
- is interpreted as a list of whitespace-delimited words.
- The first word
- identifies the database type, and any subsequent words are
- passed
- as arguments to the database to be interpreted in a way
- specific
- to the database type.
- </p>
- <p>
- The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
- native in-memory
- red-black-tree database. This database does not take
- arguments.
- </p>
- <p>
- Other values are possible if additional database drivers
- have been linked into the server. Some sample drivers are
- included
- with the distribution but none are linked in by default.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>dialup</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>delegation-only</strong></span></span></dt>
-<dd>
- <p>
- The flag only applies to forward, hint and stub
- zones. If set to <strong class="userinput"><code>yes</code></strong>,
- then the zone will also be treated as if it is
- also a delegation-only type zone.
- </p>
- <p>
- See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
-<dd>
- <p>
- Only meaningful if the zone has a forwarders
- list. The <span class="command"><strong>only</strong></span> value causes
- the lookup to fail
- after trying the forwarders and getting no answer, while <span class="command"><strong>first</strong></span> would
- allow a normal lookup to be tried.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
-<dd>
- <p>
- Used to override the list of global forwarders.
- If it is not specified in a zone of type <span class="command"><strong>forward</strong></span>,
- no forwarding is done for the zone and the global options are
- not used.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>ixfr-base</strong></span></span></dt>
-<dd>
- <p>
- Was used in <acronym class="acronym">BIND</acronym> 8 to
- specify the name
- of the transaction log (journal) file for dynamic update
- and IXFR.
- <acronym class="acronym">BIND</acronym> 9 ignores the option
- and constructs the name of the journal
- file by appending "<code class="filename">.jnl</code>"
- to the name of the
- zone file.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>ixfr-tmp-file</strong></span></span></dt>
-<dd>
- <p>
- Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
- Ignored in <acronym class="acronym">BIND</acronym> 9.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>journal</strong></span></span></dt>
-<dd>
- <p>
- Allow the default journal's filename to be overridden.
- The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
- This is applicable to <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span> zones.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>max-journal-size</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-records</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>max-records</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>max-transfer-time-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>max-transfer-idle-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>max-transfer-time-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>max-transfer-idle-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>notify-delay</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>notify-to-soa</strong></span> in
- <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>pubkey</strong></span></span></dt>
-<dd>
- <p>
- In <acronym class="acronym">BIND</acronym> 8, this option was
- intended for specifying
- a public zone key for verification of signatures in DNSSEC
- signed
- zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
- on load and ignores the option.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>zone-statistics</strong></span> in
- <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>server-addresses</strong></span></span></dt>
-<dd>
- <p>
- Only meaningful for static-stub zones.
- This is a list of IP addresses to which queries
- should be sent in recursive resolution for the
- zone.
- A non empty list for this option will internally
- configure the apex NS RR with associated glue A or
- AAAA RRs.
- </p>
- <p>
- For example, if "example.com" is configured as a
- static-stub zone with 192.0.2.1 and 2001:db8::1234
- in a <span class="command"><strong>server-addresses</strong></span> option,
- the following RRs will be internally configured.
- </p>
-<pre class="programlisting">example.com. NS example.com.
-example.com. A 192.0.2.1
-example.com. AAAA 2001:db8::1234</pre>
- <p>
- These records are internally used to resolve
- names under the static-stub zone.
- For instance, if the server receives a query for
- "www.example.com" with the RD bit on, the server
- will initiate recursive resolution and send
- queries to 192.0.2.1 and/or 2001:db8::1234.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>server-names</strong></span></span></dt>
-<dd>
- <p>
- Only meaningful for static-stub zones.
- This is a list of domain names of nameservers that
- act as authoritative servers of the static-stub
- zone.
- These names will be resolved to IP addresses when
- <span class="command"><strong>named</strong></span> needs to send queries to
- these servers.
- To make this supplemental resolution successful,
- these names must not be a subdomain of the origin
- name of static-stub zone.
- That is, when "example.net" is the origin of a
- static-stub zone, "ns.example" and
- "master.example.com" can be specified in the
- <span class="command"><strong>server-names</strong></span> option, but
- "ns.example.net" cannot, and will be rejected by
- the configuration parser.
- </p>
- <p>
- A non empty list for this option will internally
- configure the apex NS RR with the specified names.
- For example, if "example.com" is configured as a
- static-stub zone with "ns1.example.net" and
- "ns2.example.net"
- in a <span class="command"><strong>server-names</strong></span> option,
- the following RRs will be internally configured.
- </p>
-<pre class="programlisting">example.com. NS ns1.example.net.
-example.com. NS ns2.example.net.
-</pre>
- <p>
- These records are internally used to resolve
- names under the static-stub zone.
- For instance, if the server receives a query for
- "www.example.com" with the RD bit on, the server
- initiate recursive resolution,
- resolve "ns1.example.net" and/or
- "ns2.example.net" to IP addresses, and then send
- queries to (one or more of) these addresses.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>sig-validity-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>sig-signing-nodes</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>sig-signing-signatures</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>sig-signing-type</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>alt-transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>use-alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>notify-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>notify-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- </dd>
-<dt>
-<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span>
-</dt>
-<dd>
- <p>
- See the description in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>ixfr-from-differences</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- (Note that the <span class="command"><strong>ixfr-from-differences</strong></span>
- <strong class="userinput"><code>master</code></strong> and
- <strong class="userinput"><code>slave</code></strong> choices are not
- available at the zone level.)
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>key-directory</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>auto-dnssec</strong></span> in
- <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>serial-update-method</strong></span> in
- <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>inline-signing</strong></span></span></dt>
-<dd>
- <p>
- If <code class="literal">yes</code>, this enables
- "bump in the wire" signing of a zone, where a
- unsigned zone is transferred in or loaded from
- disk and a signed version of the zone is served,
- with possibly, a different serial number. This
- behavior is disabled by default.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
-<dd>
- <p>
- See the description of <span class="command"><strong>multi-master</strong></span> in
- <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt>
-<dd>
- <p>
- See the description of <span class="command"><strong>masterfile-format</strong></span>
- in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
-<dd>
- <p>
- See the description of <span class="command"><strong>max-zone-ttl</strong></span>
- in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and
- Usage”</a>.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt>
-<dd>
- <p>
- See the description of
- <span class="command"><strong>dnssec-secure-to-insecure</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p>
- </dd>
-</dl></div>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-
- <p><acronym class="acronym">BIND</acronym> 9 supports two alternative
- methods of granting clients the right to perform
- dynamic updates to a zone, configured by the
- <span class="command"><strong>allow-update</strong></span> and
- <span class="command"><strong>update-policy</strong></span> option, respectively.
- </p>
- <p>
- The <span class="command"><strong>allow-update</strong></span> clause works the
- same way as in previous versions of <acronym class="acronym">BIND</acronym>.
- It grants given clients the permission to update any
- record of any name in the zone.
- </p>
- <p>
- The <span class="command"><strong>update-policy</strong></span> clause
- allows more fine-grained control over what updates are
- allowed. A set of rules is specified, where each rule
- either grants or denies permissions for one or more
- names to be updated by one or more identities. If
- the dynamic update request message is signed (that is,
- it includes either a TSIG or SIG(0) record), the
- identity of the signer can be determined.
- </p>
- <p>
- Rules are specified in the <span class="command"><strong>update-policy</strong></span>
- zone option, and are only meaningful for master zones.
- When the <span class="command"><strong>update-policy</strong></span> statement
- is present, it is a configuration error for the
- <span class="command"><strong>allow-update</strong></span> statement to be
- present. The <span class="command"><strong>update-policy</strong></span> statement
- only examines the signer of a message; the source
- address is not relevant.
- </p>
- <p>
- There is a pre-defined <span class="command"><strong>update-policy</strong></span>
- rule which can be switched on with the command
- <span class="command"><strong>update-policy local;</strong></span>.
- Switching on this rule in a zone causes
- <span class="command"><strong>named</strong></span> to generate a TSIG session
- key and place it in a file, and to allow that key
- to update the zone. (By default, the file is
- <code class="filename">/var/run/named/session.key</code>, the key
- name is "local-ddns" and the key algorithm is HMAC-SHA256,
- but these values are configurable with the
- <span class="command"><strong>session-keyfile</strong></span>,
- <span class="command"><strong>session-keyname</strong></span> and
- <span class="command"><strong>session-keyalg</strong></span> options, respectively).
- </p>
- <p>
- A client running on the local system, and with appropriate
- permissions, may read that file and use the key to sign update
- requests. The zone's update policy will be set to allow that
- key to change any record within the zone. Assuming the
- key name is "local-ddns", this policy is equivalent to:
- </p>
-
- <pre class="programlisting">update-policy { grant local-ddns zonesub any; };
- </pre>
-
- <p>
- The command <span class="command"><strong>nsupdate -l</strong></span> sends update
- requests to localhost, and signs them using the session key.
- </p>
-
- <p>
- Other rule definitions look like this:
- </p>
-
-<pre class="programlisting">
-( <span class="command"><strong>grant</strong></span> | <span class="command"><strong>deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
-</pre>
-
- <p>
- Each rule grants or denies privileges. Once a message has
- successfully matched a rule, the operation is immediately
- granted or denied and no further rules are examined. A rule
- is matched when the signer matches the identity field, the
- name matches the name field in accordance with the nametype
- field, and the type matches the types specified in the type
- field.
- </p>
- <p>
- No signer is required for <em class="replaceable"><code>tcp-self</code></em>
- or <em class="replaceable"><code>6to4-self</code></em> however the standard
- reverse mapping / prefix conversion must match the identity
- field.
- </p>
- <p>
- The identity field specifies a name or a wildcard
- name. Normally, this is the name of the TSIG or
- SIG(0) key used to sign the update request. When a
- TKEY exchange has been used to create a shared secret,
- the identity of the shared secret is the same as the
- identity of the key used to authenticate the TKEY
- exchange. TKEY is also the negotiation method used
- by GSS-TSIG, which establishes an identity that is
- the Kerberos principal of the client, such as
- <strong class="userinput"><code>"user@host.domain"</code></strong>. When the
- <em class="replaceable"><code>identity</code></em> field specifies
- a wildcard name, it is subject to DNS wildcard
- expansion, so the rule will apply to multiple identities.
- The <em class="replaceable"><code>identity</code></em> field must
- contain a fully-qualified domain name.
- </p>
- <p>
- For nametypes <code class="varname">krb5-self</code>,
- <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
- and <code class="varname">ms-subdomain</code> the
- <em class="replaceable"><code>identity</code></em> field specifies
- the Windows or Kerberos realm of the machine belongs to.
- </p>
- <p>
- The <em class="replaceable"><code>nametype</code></em> field has 13
- values:
- <code class="varname">name</code>, <code class="varname">subdomain</code>,
- <code class="varname">wildcard</code>, <code class="varname">self</code>,
- <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
- <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
- <code class="varname">krb5-subdomain</code>,
- <code class="varname">ms-subdomain</code>,
- <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
- <code class="varname">zonesub</code>, and <code class="varname">external</code>.
- </p>
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="0.819in" class="1">
-<col width="3.681in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="varname">name</code>
- </p>
- </td>
-<td>
- <p>
- Exact-match semantics. This rule matches
- when the name being updated is identical
- to the contents of the
- <em class="replaceable"><code>name</code></em> field.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">subdomain</code>
- </p>
- </td>
-<td>
- <p>
- This rule matches when the name being updated
- is a subdomain of, or identical to, the
- contents of the <em class="replaceable"><code>name</code></em>
- field.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">zonesub</code>
- </p>
- </td>
-<td>
- <p>
- This rule is similar to subdomain, except that
- it matches when the name being updated is a
- subdomain of the zone in which the
- <span class="command"><strong>update-policy</strong></span> statement
- appears. This obviates the need to type the zone
- name twice, and enables the use of a standard
- <span class="command"><strong>update-policy</strong></span> statement in
- multiple zones without modification.
- </p>
- <p>
- When this rule is used, the
- <em class="replaceable"><code>name</code></em> field is omitted.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">wildcard</code>
- </p>
- </td>
-<td>
- <p>
- The <em class="replaceable"><code>name</code></em> field
- is subject to DNS wildcard expansion, and
- this rule matches when the name being updated
- is a valid expansion of the wildcard.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">self</code>
- </p>
- </td>
-<td>
- <p>
- This rule matches when the name being updated
- matches the contents of the
- <em class="replaceable"><code>identity</code></em> field.
- The <em class="replaceable"><code>name</code></em> field
- is ignored, but should be the same as the
- <em class="replaceable"><code>identity</code></em> field.
- The <code class="varname">self</code> nametype is
- most useful when allowing using one key per
- name to update, where the key has the same
- name as the name to be updated. The
- <em class="replaceable"><code>identity</code></em> would
- be specified as <code class="constant">*</code> (an asterisk) in
- this case.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">selfsub</code>
- </p>
- </td>
-<td>
- <p>
- This rule is similar to <code class="varname">self</code>
- except that subdomains of <code class="varname">self</code>
- can also be updated.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">selfwild</code>
- </p>
- </td>
-<td>
- <p>
- This rule is similar to <code class="varname">self</code>
- except that only subdomains of
- <code class="varname">self</code> can be updated.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ms-self</code>
- </p>
- </td>
-<td>
- <p>
- This rule takes a Windows machine principal
- (machine$@REALM) for machine in REALM and
- and converts it machine.realm allowing the machine
- to update machine.realm. The REALM to be matched
- is specified in the <em class="replaceable"><code>identity</code></em>
- field.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ms-subdomain</code>
- </p>
- </td>
-<td>
- <p>
- This rule takes a Windows machine principal
- (machine$@REALM) for machine in REALM and
- converts it to machine.realm allowing the machine
- to update subdomains of machine.realm. The REALM
- to be matched is specified in the
- <em class="replaceable"><code>identity</code></em> field.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">krb5-self</code>
- </p>
- </td>
-<td>
- <p>
- This rule takes a Kerberos machine principal
- (host/machine@REALM) for machine in REALM and
- and converts it machine.realm allowing the machine
- to update machine.realm. The REALM to be matched
- is specified in the <em class="replaceable"><code>identity</code></em>
- field.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">krb5-subdomain</code>
- </p>
- </td>
-<td>
- <p>
- This rule takes a Kerberos machine principal
- (host/machine@REALM) for machine in REALM and
- converts it to machine.realm allowing the machine
- to update subdomains of machine.realm. The REALM
- to be matched is specified in the
- <em class="replaceable"><code>identity</code></em> field.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">tcp-self</code>
- </p>
- </td>
-<td>
- <p>
- Allow updates that have been sent via TCP and
- for which the standard mapping from the initiating
- IP address into the IN-ADDR.ARPA and IP6.ARPA
- namespaces match the name to be updated.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- It is theoretically possible to spoof these TCP
- sessions.
- </div>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">6to4-self</code>
- </p>
- </td>
-<td>
- <p>
- Allow the 6to4 prefix to be update by any TCP
- connection from the 6to4 network or from the
- corresponding IPv4 address. This is intended
- to allow NS or DNAME RRsets to be added to the
- reverse tree.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- It is theoretically possible to spoof these TCP
- sessions.
- </div>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">external</code>
- </p>
- </td>
-<td>
- <p>
- This rule allows <span class="command"><strong>named</strong></span>
- to defer the decision of whether to allow a
- given update to an external daemon.
- </p>
- <p>
- The method of communicating with the daemon is
- specified in the <em class="replaceable"><code>identity</code></em>
- field, the format of which is
- "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
- where <em class="replaceable"><code>path</code></em> is the location
- of a UNIX-domain socket. (Currently, "local" is the
- only supported mechanism.)
- </p>
- <p>
- Requests to the external daemon are sent over the
- UNIX-domain socket as datagrams with the following
- format:
- </p>
- <pre class="programlisting">
- Protocol version number (4 bytes, network byte order, currently 1)
- Request length (4 bytes, network byte order)
- Signer (null-terminated string)
- Name (null-terminated string)
- TCP source address (null-terminated string)
- Rdata type (null-terminated string)
- Key (null-terminated string)
- TKEY token length (4 bytes, network byte order)
- TKEY token (remainder of packet)</pre>
- <p>
- The daemon replies with a four-byte value in
- network byte order, containing either 0 or 1; 0
- indicates that the specified update is not
- permitted, and 1 indicates that it is.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
-
- <p>
- In all cases, the <em class="replaceable"><code>name</code></em>
- field must specify a fully-qualified domain name.
- </p>
-
- <p>
- If no types are explicitly specified, this rule matches
- all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
- may be specified by name, including "ANY" (ANY matches
- all types except NSEC and NSEC3, which can never be
- updated). Note that when an attempt is made to delete
- all records associated with a name, the rules are
- checked for each existing record type.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="multiple_views"></a>Multiple views</h4></div></div></div>
-
- <p>
- When multiple views are in use, a zone may be
- referenced by more than one of them. Often, the views
- will contain different zones with the same name, allowing
- different clients to receive different answers for the same
- queries. At times, however, it is desirable for multiple
- views to contain identical zones. The
- <span class="command"><strong>in-view</strong></span> zone option provides an efficient
- way to do this: it allows a view to reference a zone that
- was defined in a previously configured view. Example:
- </p>
- <pre class="programlisting">
-view internal {
- match-clients { 10/8; };
-
- zone example.com {
- type master;
- file "example-external.db";
- };
-};
-
-view external {
- match-clients { any; };
-
- zone example.com {
- in-view internal;
- };
-};
- </pre>
- <p>
- An <span class="command"><strong>in-view</strong></span> option cannot refer to a view
- that is configured later in the configuration file.
- </p>
- <p>
- A <span class="command"><strong>zone</strong></span> statement which uses the
- <span class="command"><strong>in-view</strong></span> option may not use any other
- options with the exception of <span class="command"><strong>forward</strong></span>
- and <span class="command"><strong>forwarders</strong></span>. (These options control
- the behavior of the containing view, rather than changing
- the zone object itself.)
- </p>
- <p>
- Zone level acls (e.g. allow-query, allow-transfer) and
- other configuration details of the zone are all set
- in the view the referenced zone is defined in. Care
- need to be taken to ensure that acls are wide enough
- for all views referencing the zone.
- </p>
- <p>
- An <span class="command"><strong>in-view</strong></span> zone cannot be used as a
- response policy zone.
- </p>
- <p>
- An <span class="command"><strong>in-view</strong></span> zone is not intended to reference
- a <span class="command"><strong>forward</strong></span> zone.
- </p>
- </div>
-
- </div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="zone_file"></a>Zone File</h2></div></div></div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
-
- <p>
- This section, largely borrowed from RFC 1034, describes the
- concept of a Resource Record (RR) and explains when each is used.
- Since the publication of RFC 1034, several new RRs have been
- identified
- and implemented in the DNS. These are also included.
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.7.6.2.3"></a>Resource Records</h4></div></div></div>
-
- <p>
- A domain name identifies a node. Each node has a set of
- resource information, which may be empty. The set of resource
- information associated with a particular name is composed of
- separate RRs. The order of RRs in a set is not significant and
- need not be preserved by name servers, resolvers, or other
- parts of the DNS. However, sorting of multiple RRs is
- permitted for optimization purposes, for example, to specify
- that a particular nearby server be tried first. See <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span class="command"><strong>sortlist</strong></span> Statement”</a> and <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
- </p>
-
- <p>
- The components of a Resource Record are:
- </p>
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.000in" class="1">
-<col width="3.500in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- owner name
- </p>
- </td>
-<td>
- <p>
- The domain name where the RR is found.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- type
- </p>
- </td>
-<td>
- <p>
- An encoded 16-bit value that specifies
- the type of the resource record.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- TTL
- </p>
- </td>
-<td>
- <p>
- The time-to-live of the RR. This field
- is a 32-bit integer in units of seconds, and is
- primarily used by
- resolvers when they cache RRs. The TTL describes how
- long a RR can
- be cached before it should be discarded.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- class
- </p>
- </td>
-<td>
- <p>
- An encoded 16-bit value that identifies
- a protocol family or instance of a protocol.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RDATA
- </p>
- </td>
-<td>
- <p>
- The resource data. The format of the
- data is type (and sometimes class) specific.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <p>
- The following are <span class="emphasis"><em>types</em></span> of valid RRs:
- </p>
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="0.875in" class="1">
-<col width="3.625in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- A
- </p>
- </td>
-<td>
- <p>
- A host address. In the IN class, this is a
- 32-bit IP address. Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- AAAA
- </p>
- </td>
-<td>
- <p>
- IPv6 address. Described in RFC 1886.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- A6
- </p>
- </td>
-<td>
- <p>
- IPv6 address. This can be a partial
- address (a suffix) and an indirection to the name
- where the rest of the
- address (the prefix) can be found. Experimental.
- Described in RFC 2874.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- AFSDB
- </p>
- </td>
-<td>
- <p>
- Location of AFS database servers.
- Experimental. Described in RFC 1183.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- APL
- </p>
- </td>
-<td>
- <p>
- Address prefix list. Experimental.
- Described in RFC 3123.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- ATMA
- </p>
- </td>
-<td>
- <p>
- ATM Address.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- AVC
- </p>
- </td>
-<td>
- <p>
- Application Visibility and Control record.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- CAA
- </p>
- </td>
-<td>
- <p>
- Identifies which Certificate Authorities can issue
- certificates for this domain and what rules they
- need to follow when doing so. Defined in RFC 6844.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- CDNSKEY
- </p>
- </td>
-<td>
- <p>
- Identifies which DNSKEY records should be published
- as DS records in the parent zone.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- CDS
- </p>
- </td>
-<td>
- <p>
- Contains the set of DS records that should be published
- by the parent zone.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- CERT
- </p>
- </td>
-<td>
- <p>
- Holds a digital certificate.
- Described in RFC 2538.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- CNAME
- </p>
- </td>
-<td>
- <p>
- Identifies the canonical name of an alias.
- Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- CSYNC
- </p>
- </td>
-<td>
- <p>
- Child-to-Parent Synchronization in DNS as described
- in RFC 7477.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- DHCID
- </p>
- </td>
-<td>
- <p>
- Is used for identifying which DHCP client is
- associated with this name. Described in RFC 4701.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- DLV
- </p>
- </td>
-<td>
- <p>
- A DNS Look-aside Validation record which contains
- the records that are used as trust anchors for
- zones in a DLV namespace. Described in RFC 4431.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- DNAME
- </p>
- </td>
-<td>
- <p>
- Replaces the domain name specified with
- another name to be looked up, effectively aliasing an
- entire
- subtree of the domain name space rather than a single
- record
- as in the case of the CNAME RR.
- Described in RFC 2672.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- DNSKEY
- </p>
- </td>
-<td>
- <p>
- Stores a public key associated with a signed
- DNS zone. Described in RFC 4034.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- DS
- </p>
- </td>
-<td>
- <p>
- Stores the hash of a public key associated with a
- signed DNS zone. Described in RFC 4034.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- EID
- </p>
- </td>
-<td>
- <p>
- End Point Identifier.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- EUI48
- </p>
- </td>
-<td>
- <p>
- A 48-bit EUI address. Described in RFC 7043.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- EUI64
- </p>
- </td>
-<td>
- <p>
- A 64-bit EUI address. Described in RFC 7043.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- GID
- </p>
- </td>
-<td>
- <p>
- Reserved.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- GPOS
- </p>
- </td>
-<td>
- <p>
- Specifies the global position. Superseded by LOC.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- HINFO
- </p>
- </td>
-<td>
- <p>
- Identifies the CPU and OS used by a host.
- Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- HIP
- </p>
- </td>
-<td>
- <p>
- Host Identity Protocol Address.
- Described in RFC 5205.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- IPSECKEY
- </p>
- </td>
-<td>
- <p>
- Provides a method for storing IPsec keying material in
- DNS. Described in RFC 4025.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- ISDN
- </p>
- </td>
-<td>
- <p>
- Representation of ISDN addresses.
- Experimental. Described in RFC 1183.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- KEY
- </p>
- </td>
-<td>
- <p>
- Stores a public key associated with a
- DNS name. Used in original DNSSEC; replaced
- by DNSKEY in DNSSECbis, but still used with
- SIG(0). Described in RFCs 2535 and 2931.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- KX
- </p>
- </td>
-<td>
- <p>
- Identifies a key exchanger for this
- DNS name. Described in RFC 2230.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- L32
- </p>
- </td>
-<td>
- <p>
- Holds 32-bit Locator values for
- Identifier-Locator Network Protocol. Described
- in RFC 6742.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- L64
- </p>
- </td>
-<td>
- <p>
- Holds 64-bit Locator values for
- Identifier-Locator Network Protocol. Described
- in RFC 6742.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- LOC
- </p>
- </td>
-<td>
- <p>
- For storing GPS info. Described in RFC 1876.
- Experimental.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- LP
- </p>
- </td>
-<td>
- <p>
- Identifier-Locator Network Protocol.
- Described in RFC 6742.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- MB
- </p>
- </td>
-<td>
- <p>
- Mail Box. Historical.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- MD
- </p>
- </td>
-<td>
- <p>
- Mail Destination. Historical.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- MF
- </p>
- </td>
-<td>
- <p>
- Mail Forwarder. Historical.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- MG
- </p>
- </td>
-<td>
- <p>
- Mail Group. Historical.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- MINFO
- </p>
- </td>
-<td>
- <p>
- Mail Information.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- MR
- </p>
- </td>
-<td>
- <p>
- Mail Rename. Historical.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- MX
- </p>
- </td>
-<td>
- <p>
- Identifies a mail exchange for the domain with
- a 16-bit preference value (lower is better)
- followed by the host name of the mail exchange.
- Described in RFC 974, RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NAPTR
- </p>
- </td>
-<td>
- <p>
- Name authority pointer. Described in RFC 2915.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NID
- </p>
- </td>
-<td>
- <p>
- Holds values for Node Identifiers in
- Identifier-Locator Network Protocol. Described
- in RFC 6742.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NINFO
- </p>
- </td>
-<td>
- <p>
- Contains zone status information.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NIMLOC
- </p>
- </td>
-<td>
- <p>
- Nimrod Locator.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NSAP
- </p>
- </td>
-<td>
- <p>
- A network service access point.
- Described in RFC 1706.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NSAP-PTR
- </p>
- </td>
-<td>
- <p>
- Historical.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NS
- </p>
- </td>
-<td>
- <p>
- The authoritative name server for the
- domain. Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NSEC
- </p>
- </td>
-<td>
- <p>
- Used in DNSSECbis to securely indicate that
- RRs with an owner name in a certain name interval do
- not exist in
- a zone and indicate what RR types are present for an
- existing name.
- Described in RFC 4034.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NSEC3
- </p>
- </td>
-<td>
- <p>
- Used in DNSSECbis to securely indicate that
- RRs with an owner name in a certain name
- interval do not exist in a zone and indicate
- what RR types are present for an existing
- name. NSEC3 differs from NSEC in that it
- prevents zone enumeration but is more
- computationally expensive on both the server
- and the client than NSEC. Described in RFC
- 5155.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NSEC3PARAM
- </p>
- </td>
-<td>
- <p>
- Used in DNSSECbis to tell the authoritative
- server which NSEC3 chains are available to use.
- Described in RFC 5155.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NULL
- </p>
- </td>
-<td>
- <p>
- This is an opaque container.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NXT
- </p>
- </td>
-<td>
- <p>
- Used in DNSSEC to securely indicate that
- RRs with an owner name in a certain name interval do
- not exist in
- a zone and indicate what RR types are present for an
- existing name.
- Used in original DNSSEC; replaced by NSEC in
- DNSSECbis.
- Described in RFC 2535.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- OPENPGPKEY
- </p>
- </td>
-<td>
- <p>
- Used to hold an OPENPGPKEY.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- PTR
- </p>
- </td>
-<td>
- <p>
- A pointer to another part of the domain
- name space. Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- PX
- </p>
- </td>
-<td>
- <p>
- Provides mappings between RFC 822 and X.400
- addresses. Described in RFC 2163.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RKEY
- </p>
- </td>
-<td>
- <p>
- Resource key.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RP
- </p>
- </td>
-<td>
- <p>
- Information on persons responsible
- for the domain. Experimental. Described in RFC 1183.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RRSIG
- </p>
- </td>
-<td>
- <p>
- Contains DNSSECbis signature data. Described
- in RFC 4034.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RT
- </p>
- </td>
-<td>
- <p>
- Route-through binding for hosts that
- do not have their own direct wide area network
- addresses.
- Experimental. Described in RFC 1183.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- SIG
- </p>
- </td>
-<td>
- <p>
- Contains DNSSEC signature data. Used in
- original DNSSEC; replaced by RRSIG in
- DNSSECbis, but still used for SIG(0).
- Described in RFCs 2535 and 2931.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- SINK
- </p>
- </td>
-<td>
- <p>
- The kitchen sink record.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- SMIMEA
- </p>
- </td>
-<td>
- <p>
- The S/MIME Security Certificate Association.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- SOA
- </p>
- </td>
-<td>
- <p>
- Identifies the start of a zone of authority.
- Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- SPF
- </p>
- </td>
-<td>
- <p>
- Contains the Sender Policy Framework information
- for a given email domain. Described in RFC 4408.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- SRV
- </p>
- </td>
-<td>
- <p>
- Information about well known network
- services (replaces WKS). Described in RFC 2782.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- SSHFP
- </p>
- </td>
-<td>
- <p>
- Provides a way to securely publish a secure shell key's
- fingerprint. Described in RFC 4255.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- TA
- </p>
- </td>
-<td>
- <p>
- Trust Anchor. Experimental.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- TALINK
- </p>
- </td>
-<td>
- <p>
- Trust Anchor Link. Experimental.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- TLSA
- </p>
- </td>
-<td>
- <p>
- Transport Layer Security Certificate Association.
- Described in RFC 6698.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- TXT
- </p>
- </td>
-<td>
- <p>
- Text records. Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- UID
- </p>
- </td>
-<td>
- <p>
- Reserved.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- UINFO
- </p>
- </td>
-<td>
- <p>
- Reserved.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- UNSPEC
- </p>
- </td>
-<td>
- <p>
- Reserved. Historical.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- URI
- </p>
- </td>
-<td>
- <p>
- Holds a URI. Described in RFC 7553.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- WKS
- </p>
- </td>
-<td>
- <p>
- Information about which well known
- network services, such as SMTP, that a domain
- supports. Historical.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- X25
- </p>
- </td>
-<td>
- <p>
- Representation of X.25 network addresses.
- Experimental. Described in RFC 1183.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <p>
- The following <span class="emphasis"><em>classes</em></span> of resource records
- are currently valid in the DNS:
- </p>
- <div class="informaltable">
-<table border="1">
-<colgroup>
-<col width="0.875in" class="1">
-<col width="3.625in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- IN
- </p>
- </td>
-<td>
- <p>
- The Internet.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- CH
- </p>
- </td>
-<td>
- <p>
- Chaosnet, a LAN protocol created at MIT in the
- mid-1970s.
- Rarely used for its historical purpose, but reused for
- BIND's
- built-in server information zones, e.g.,
- <code class="literal">version.bind</code>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- HS
- </p>
- </td>
-<td>
- <p>
- Hesiod, an information service
- developed by MIT's Project Athena. It is used to share
- information
- about various systems databases, such as users,
- groups, printers
- and so on.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
-
- <p>
- The owner name is often implicit, rather than forming an
- integral
- part of the RR. For example, many name servers internally form
- tree
- or hash structures for the name space, and chain RRs off nodes.
- The remaining RR parts are the fixed header (type, class, TTL)
- which is consistent for all RRs, and a variable part (RDATA)
- that
- fits the needs of the resource being described.
- </p>
- <p>
- The meaning of the TTL field is a time limit on how long an
- RR can be kept in a cache. This limit does not apply to
- authoritative
- data in zones; it is also timed out, but by the refreshing
- policies
- for the zone. The TTL is assigned by the administrator for the
- zone where the data originates. While short TTLs can be used to
- minimize caching, and a zero TTL prohibits caching, the
- realities
- of Internet performance suggest that these times should be on
- the
- order of days for the typical host. If a change can be
- anticipated,
- the TTL can be reduced prior to the change to minimize
- inconsistency
- during the change, and then increased back to its former value
- following
- the change.
- </p>
- <p>
- The data in the RDATA section of RRs is carried as a combination
- of binary strings and domain names. The domain names are
- frequently
- used as "pointers" to other data in the DNS.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rr_text"></a>Textual expression of RRs</h4></div></div></div>
-
- <p>
- RRs are represented in binary form in the packets of the DNS
- protocol, and are usually represented in highly encoded form
- when
- stored in a name server or resolver. In the examples provided
- in
- RFC 1034, a style similar to that used in master files was
- employed
- in order to show the contents of RRs. In this format, most RRs
- are shown on a single line, although continuation lines are
- possible
- using parentheses.
- </p>
- <p>
- The start of the line gives the owner of the RR. If a line
- begins with a blank, then the owner is assumed to be the same as
- that of the previous RR. Blank lines are often included for
- readability.
- </p>
- <p>
- Following the owner, we list the TTL, type, and class of the
- RR. Class and type use the mnemonics defined above, and TTL is
- an integer before the type field. In order to avoid ambiguity
- in
- parsing, type and class mnemonics are disjoint, TTLs are
- integers,
- and the type mnemonic is always last. The IN class and TTL
- values
- are often omitted from examples in the interests of clarity.
- </p>
- <p>
- The resource data or RDATA section of the RR are given using
- knowledge of the typical representation for the data.
- </p>
- <p>
- For example, we might show the RRs carried in a message as:
- </p>
- <div class="informaltable">
-<table border="1">
-<colgroup>
-<col width="1.381in" class="1">
-<col width="1.020in" class="2">
-<col width="2.099in" class="3">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="literal">ISI.EDU.</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10 VENERA.ISI.EDU.</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10 VAXA.ISI.EDU</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">VENERA.ISI.EDU</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">128.9.0.32</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.1.0.52</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">VAXA.ISI.EDU</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.2.0.27</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">128.9.0.33</code>
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <p>
- The MX RRs have an RDATA section which consists of a 16-bit
- number followed by a domain name. The address RRs use a
- standard
- IP address format to contain a 32-bit internet address.
- </p>
- <p>
- The above example shows six RRs, with two RRs at each of three
- domain names.
- </p>
- <p>
- Similarly we might see:
- </p>
- <div class="informaltable">
-<table border="1">
-<colgroup>
-<col width="1.491in" class="1">
-<col width="1.067in" class="2">
-<col width="2.067in" class="3">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="literal">XX.LCS.MIT.EDU.</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.0.0.44</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>Â </td>
-<td>
- <p>
- <code class="literal">CH A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">MIT.EDU. 2420</code>
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <p>
- This example shows two addresses for
- <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
- </p>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="mx_records"></a>Discussion of MX Records</h3></div></div></div>
-
- <p>
- As described above, domain servers store information as a
- series of resource records, each of which contains a particular
- piece of information about a given domain name (which is usually,
- but not always, a host). The simplest way to think of a RR is as
- a typed pair of data, a domain name matched with a relevant datum,
- and stored with some additional type information to help systems
- determine when the RR is relevant.
- </p>
-
- <p>
- MX records are used to control delivery of email. The data
- specified in the record is a priority and a domain name. The
- priority
- controls the order in which email delivery is attempted, with the
- lowest number first. If two priorities are the same, a server is
- chosen randomly. If no servers at a given priority are responding,
- the mail transport agent will fall back to the next largest
- priority.
- Priority numbers do not have any absolute meaning — they are
- relevant
- only respective to other MX records for that domain name. The
- domain
- name given is the machine to which the mail will be delivered.
- It <span class="emphasis"><em>must</em></span> have an associated address record
- (A or AAAA) — CNAME is not sufficient.
- </p>
- <p>
- For a given domain, if there is both a CNAME record and an
- MX record, the MX record is in error, and will be ignored.
- Instead,
- the mail will be delivered to the server specified in the MX
- record
- pointed to by the CNAME.
- For example:
- </p>
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.708in" class="1">
-<col width="0.444in" class="2">
-<col width="0.444in" class="3">
-<col width="0.976in" class="4">
-<col width="1.553in" class="5">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="literal">example.com.</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">mail.example.com.</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">mail2.example.com.</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">20</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">mail.backup.org.</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">mail.example.com.</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.0.0.1</code>
- </p>
- </td>
-<td>
- <p></p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">mail2.example.com.</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.0.0.2</code>
- </p>
- </td>
-<td>
- <p></p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
-<p>
- Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
- <code class="literal">mail2.example.com</code> (in
- any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
- be attempted.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
-
- <p>
- The time-to-live of the RR field is a 32-bit integer represented
- in units of seconds, and is primarily used by resolvers when they
- cache RRs. The TTL describes how long a RR can be cached before it
- should be discarded. The following three types of TTL are
- currently
- used in a zone file.
- </p>
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="0.750in" class="1">
-<col width="4.375in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- SOA
- </p>
- </td>
-<td>
- <p>
- The last field in the SOA is the negative
- caching TTL. This controls how long other servers will
- cache no-such-domain
- (NXDOMAIN) responses from you.
- </p>
- <p>
- The maximum time for
- negative caching is 3 hours (3h).
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- $TTL
- </p>
- </td>
-<td>
- <p>
- The $TTL directive at the top of the
- zone file (before the SOA) gives a default TTL for every
- RR without
- a specific TTL set.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RR TTLs
- </p>
- </td>
-<td>
- <p>
- Each RR can have a TTL as the second
- field in the RR, which will control how long other
- servers can cache it.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <p>
- All of these TTLs default to units of seconds, though units
- can be explicitly specified, for example, <code class="literal">1h30m</code>.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="ipv4_reverse"></a>Inverse Mapping in IPv4</h3></div></div></div>
-
- <p>
- Reverse name resolution (that is, translation from IP address
- to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
- and PTR records. Entries in the in-addr.arpa domain are made in
- least-to-most significant order, read left to right. This is the
- opposite order to the way IP addresses are usually written. Thus,
- a machine with an IP address of 10.1.2.3 would have a
- corresponding
- in-addr.arpa name of
- 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
- whose data field is the name of the machine or, optionally,
- multiple
- PTR records if the machine has more than one name. For example,
- in the [<span class="optional">example.com</span>] domain:
- </p>
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.125in" class="1">
-<col width="4.000in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="literal">$ORIGIN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">2.1.10.in-addr.arpa</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">3</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN PTR foo.example.com.</code>
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- The <span class="command"><strong>$ORIGIN</strong></span> lines in the examples
- are for providing context to the examples only — they do not
- necessarily
- appear in the actual usage. They are only used here to indicate
- that the example is relative to the listed origin.
- </p>
- </div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zone_directives"></a>Other Zone File Directives</h3></div></div></div>
-
- <p>
- The Master File Format was initially defined in RFC 1035 and
- has subsequently been extended. While the Master File Format
- itself
- is class independent all records in a Master File must be of the
- same
- class.
- </p>
- <p>
- Master File Directives include <span class="command"><strong>$ORIGIN</strong></span>, <span class="command"><strong>$INCLUDE</strong></span>,
- and <span class="command"><strong>$TTL.</strong></span>
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="atsign"></a>The <span class="command"><strong>@</strong></span> (at-sign)</h4></div></div></div>
-
- <p>
- When used in the label (or name) field, the asperand or
- at-sign (@) symbol represents the current origin.
- At the start of the zone file, it is the
- <<code class="varname">zone_name</code>> (followed by
- trailing dot).
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="origin_directive"></a>The <span class="command"><strong>$ORIGIN</strong></span> Directive</h4></div></div></div>
-
- <p>
- Syntax: <span class="command"><strong>$ORIGIN</strong></span>
- <em class="replaceable"><code>domain-name</code></em>
- [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
- </p>
- <p><span class="command"><strong>$ORIGIN</strong></span>
- sets the domain name that will be appended to any
- unqualified records. When a zone is first read in there
- is an implicit <span class="command"><strong>$ORIGIN</strong></span>
- <<code class="varname">zone_name</code>><span class="command"><strong>.</strong></span>
- (followed by trailing dot).
- The current <span class="command"><strong>$ORIGIN</strong></span> is appended to
- the domain specified in the <span class="command"><strong>$ORIGIN</strong></span>
- argument if it is not absolute.
- </p>
-
-<pre class="programlisting">
-$ORIGIN example.com.
-WWW CNAME MAIN-SERVER
-</pre>
-
- <p>
- is equivalent to
- </p>
-
-<pre class="programlisting">
-WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
-</pre>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="include_directive"></a>The <span class="command"><strong>$INCLUDE</strong></span> Directive</h4></div></div></div>
-
- <p>
- Syntax: <span class="command"><strong>$INCLUDE</strong></span>
- <em class="replaceable"><code>filename</code></em>
- [<span class="optional">
-<em class="replaceable"><code>origin</code></em> </span>]
- [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
- </p>
- <p>
- Read and process the file <code class="filename">filename</code> as
- if it were included into the file at this point. If <span class="command"><strong>origin</strong></span> is
- specified the file is processed with <span class="command"><strong>$ORIGIN</strong></span> set
- to that value, otherwise the current <span class="command"><strong>$ORIGIN</strong></span> is
- used.
- </p>
- <p>
- The origin and the current domain name
- revert to the values they had prior to the <span class="command"><strong>$INCLUDE</strong></span> once
- the file has been read.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- RFC 1035 specifies that the current origin should be restored
- after
- an <span class="command"><strong>$INCLUDE</strong></span>, but it is silent
- on whether the current
- domain name should also be restored. BIND 9 restores both of
- them.
- This could be construed as a deviation from RFC 1035, a
- feature, or both.
- </p>
- </div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="ttl_directive"></a>The <span class="command"><strong>$TTL</strong></span> Directive</h4></div></div></div>
-
- <p>
- Syntax: <span class="command"><strong>$TTL</strong></span>
- <em class="replaceable"><code>default-ttl</code></em>
- [<span class="optional">
-<em class="replaceable"><code>comment</code></em> </span>]
- </p>
- <p>
- Set the default Time To Live (TTL) for subsequent records
- with undefined TTLs. Valid TTLs are of the range 0-2147483647
- seconds.
- </p>
- <p><span class="command"><strong>$TTL</strong></span>
- is defined in RFC 2308.
- </p>
- </div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="generate_directive"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span class="command"><strong>$GENERATE</strong></span> Directive</h3></div></div></div>
-
- <p>
- Syntax: <span class="command"><strong>$GENERATE</strong></span>
- <em class="replaceable"><code>range</code></em>
- <em class="replaceable"><code>lhs</code></em>
- [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
- [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
- <em class="replaceable"><code>type</code></em>
- <em class="replaceable"><code>rhs</code></em>
- [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
- </p>
- <p><span class="command"><strong>$GENERATE</strong></span>
- is used to create a series of resource records that only
- differ from each other by an
- iterator. <span class="command"><strong>$GENERATE</strong></span> can be used to
- easily generate the sets of records required to support
- sub /24 reverse delegations described in RFC 2317:
- Classless IN-ADDR.ARPA delegation.
- </p>
-
-<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
-$GENERATE 1-127 $ CNAME $.0</pre>
-
- <p>
- is equivalent to
- </p>
-
-<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
-0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
-1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
-2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
-...
-127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-</pre>
-
- <p>
- Generate a set of A and MX records. Note the MX's right hand
- side is a quoted string. The quotes will be stripped when the
- right hand side is processed.
- </p>
-
-<pre class="programlisting">
-$ORIGIN EXAMPLE.
-$GENERATE 1-127 HOST-$ A 1.2.3.$
-$GENERATE 1-127 HOST-$ MX "0 ."</pre>
-
- <p>
- is equivalent to
- </p>
-
-<pre class="programlisting">HOST-1.EXAMPLE. A 1.2.3.1
-HOST-1.EXAMPLE. MX 0 .
-HOST-2.EXAMPLE. A 1.2.3.2
-HOST-2.EXAMPLE. MX 0 .
-HOST-3.EXAMPLE. A 1.2.3.3
-HOST-3.EXAMPLE. MX 0 .
-...
-HOST-127.EXAMPLE. A 1.2.3.127
-HOST-127.EXAMPLE. MX 0 .
-</pre>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="0.875in" class="1">
-<col width="4.250in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span class="command"><strong>range</strong></span></p>
- </td>
-<td>
- <p>
- This can be one of two forms: start-stop
- or start-stop/step. If the first form is used, then step
- is set to 1. start, stop and step must be positive
- integers between 0 and (2^31)-1. start must not be
- larger than stop.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>lhs</strong></span></p>
- </td>
-<td>
- <p>This
- describes the owner name of the resource records
- to be created. Any single <span class="command"><strong>$</strong></span>
- (dollar sign)
- symbols within the <span class="command"><strong>lhs</strong></span> string
- are replaced by the iterator value.
-
- To get a $ in the output, you need to escape the
- <span class="command"><strong>$</strong></span> using a backslash
- <span class="command"><strong>\</strong></span>,
- e.g. <span class="command"><strong>\$</strong></span>. The
- <span class="command"><strong>$</strong></span> may optionally be followed
- by modifiers which change the offset from the
- iterator, field width and base.
-
- Modifiers are introduced by a
- <span class="command"><strong>{</strong></span> (left brace) immediately following the
- <span class="command"><strong>$</strong></span> as
- <span class="command"><strong>${offset[,width[,base]]}</strong></span>.
- For example, <span class="command"><strong>${-20,3,d}</strong></span>
- subtracts 20 from the current value, prints the
- result as a decimal in a zero-padded field of
- width 3.
-
- Available output forms are decimal
- (<span class="command"><strong>d</strong></span>), octal
- (<span class="command"><strong>o</strong></span>), hexadecimal
- (<span class="command"><strong>x</strong></span> or <span class="command"><strong>X</strong></span>
- for uppercase) and nibble
- (<span class="command"><strong>n</strong></span> or <span class="command"><strong>N</strong></span>\
- for uppercase). The default modifier is
- <span class="command"><strong>${0,0,d}</strong></span>. If the
- <span class="command"><strong>lhs</strong></span> is not absolute, the
- current <span class="command"><strong>$ORIGIN</strong></span> is appended
- to the name.
- </p>
- <p>
- In nibble mode the value will be treated as
- if it was a reversed hexadecimal string
- with each hexadecimal digit as a separate
- label. The width field includes the label
- separator.
- </p>
- <p>
- For compatibility with earlier versions,
- <span class="command"><strong>$$</strong></span> is still recognized as
- indicating a literal $ in the output.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ttl</strong></span></p>
- </td>
-<td>
- <p>
- Specifies the time-to-live of the generated records. If
- not specified this will be inherited using the
- normal TTL inheritance rules.
- </p>
- <p><span class="command"><strong>class</strong></span>
- and <span class="command"><strong>ttl</strong></span> can be
- entered in either order.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>class</strong></span></p>
- </td>
-<td>
- <p>
- Specifies the class of the generated records.
- This must match the zone class if it is
- specified.
- </p>
- <p><span class="command"><strong>class</strong></span>
- and <span class="command"><strong>ttl</strong></span> can be
- entered in either order.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>type</strong></span></p>
- </td>
-<td>
- <p>
- Any valid type.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>rhs</strong></span></p>
- </td>
-<td>
- <p>
- <span class="command"><strong>rhs</strong></span>, optionally, quoted string.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- <p>
- The <span class="command"><strong>$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
- and not part of the standard zone file format.
- </p>
- <p>
- BIND 8 does not support the optional TTL and CLASS fields.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
-
- <p>
- In addition to the standard textual format, BIND 9
- supports the ability to read or dump to zone files in
- other formats.
- </p>
- <p>
- The <code class="constant">raw</code> format is
- a binary representation of zone data in a manner similar
- to that used in zone transfers. Since it does not require
- parsing text, load time is significantly reduced.
- </p>
- <p>
- An even faster alternative is the <code class="constant">map</code>
- format, which is an image of a <acronym class="acronym">BIND</acronym> 9
- in-memory zone database; it is capable of being loaded
- directly into memory via the <span class="command"><strong>mmap()</strong></span>
- function; the zone can begin serving queries almost
- immediately.
- </p>
- <p>
- For a primary server, a zone file in
- <code class="constant">raw</code> or <code class="constant">map</code>
- format is expected to be generated from a textual zone
- file by the <span class="command"><strong>named-compilezone</strong></span> command.
- For a secondary server or for a dynamic zone, it is automatically
- generated (if this format is specified by the
- <span class="command"><strong>masterfile-format</strong></span> option) when
- <span class="command"><strong>named</strong></span> dumps the zone contents after
- zone transfer or when applying prior updates.
- </p>
- <p>
- If a zone file in a binary format needs manual modification,
- it first must be converted to a textual form by the
- <span class="command"><strong>named-compilezone</strong></span> command. All
- necessary modification should go to the text file, which
- should then be converted to the binary form by the
- <span class="command"><strong>named-compilezone</strong></span> command again.
- </p>
- <p>
- Note that <span class="command"><strong>map</strong></span> format is extremely
- architecture-specific. A <code class="constant">map</code>
- file <span class="emphasis"><em>cannot</em></span> be used on a system
- with different pointer size, endianness or data alignment
- than the system on which it was generated, and should in
- general be used only inside a single system.
- While <code class="constant">raw</code> format uses
- network byte order and avoids architecture-dependent
- data alignment so that it is as portable as
- possible, it is also primarily expected to be used
- inside the same single system. To export a
- zone file in either <code class="constant">raw</code> or
- <code class="constant">map</code> format, or make a
- portable backup of such a file, conversion to
- <code class="constant">text</code> format is recommended.
- </p>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
-
- <p>
- <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
- information and provides several interfaces for users to
- get access to the statistics.
- The available statistics include all statistics counters
- that were available in <acronym class="acronym">BIND</acronym> 8 and
- are meaningful in <acronym class="acronym">BIND</acronym> 9,
- and other information that is considered useful.
- </p>
-
- <p>
- The statistics information is categorized into the following
- sections.
- </p>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="3.300in" class="1">
-<col width="2.625in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>Incoming Requests</p>
- </td>
-<td>
- <p>
- The number of incoming DNS requests for each OPCODE.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>Incoming Queries</p>
- </td>
-<td>
- <p>
- The number of incoming queries for each RR type.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>Outgoing Queries</p>
- </td>
-<td>
- <p>
- The number of outgoing queries for each RR
- type sent from the internal resolver.
- Maintained per view.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>Name Server Statistics</p>
- </td>
-<td>
- <p>
- Statistics counters about incoming request processing.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>Zone Maintenance Statistics</p>
- </td>
-<td>
- <p>
- Statistics counters regarding zone maintenance
- operations such as zone transfers.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>Resolver Statistics</p>
- </td>
-<td>
- <p>
- Statistics counters about name resolution
- performed in the internal resolver.
- Maintained per view.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>Cache DB RRsets</p>
- </td>
-<td>
- <p>
- The number of RRsets per RR type and nonexistent
- names stored in the cache database.
- If the exclamation mark (!) is printed for a RR
- type, it means that particular type of RRset is
- known to be nonexistent (this is also known as
- "NXRRSET"). If a hash mark (#) is present then
- the RRset is marked for garbage collection.
- Maintained per view.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>Socket I/O Statistics</p>
- </td>
-<td>
- <p>
- Statistics counters about network related events.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
-
- <p>
- A subset of Name Server Statistics is collected and shown
- per zone for which the server has the authority when
- <span class="command"><strong>zone-statistics</strong></span> is set to
- <strong class="userinput"><code>full</code></strong> (or <strong class="userinput"><code>yes</code></strong>
- for backward compatibility. See the description of
- <span class="command"><strong>zone-statistics</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and
- Usage”</a>
- for further details.
- </p>
-
- <p>
- These statistics counters are shown with their zone and
- view names. The view name is omitted when the server is
- not configured with explicit views.</p>
-
- <p>
- There are currently two user interfaces to get access to the
- statistics.
- One is in the plain text format dumped to the file specified
- by the <span class="command"><strong>statistics-file</strong></span> configuration option.
- The other is remotely accessible via a statistics channel
- when the <span class="command"><strong>statistics-channels</strong></span> statement
- is specified in the configuration file
- (see <a class="xref" href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span class="command"><strong>statistics-channels</strong></span> Statement Grammar”</a>.)
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="statsfile"></a>The Statistics File</h3></div></div></div>
-
- <p>
- The text format statistics dump begins with a line, like:
- </p>
- <p>
- <span class="command"><strong>+++ Statistics Dump +++ (973798949)</strong></span>
- </p>
- <p>
- The number in parentheses is a standard
- Unix-style timestamp, measured as seconds since January 1, 1970.
-
- Following
- that line is a set of statistics information, which is categorized
- as described above.
- Each section begins with a line, like:
- </p>
-
- <p>
- <span class="command"><strong>++ Name Server Statistics ++</strong></span>
- </p>
-
- <p>
- Each section consists of lines, each containing the statistics
- counter value followed by its textual description.
- See below for available counters.
- For brevity, counters that have a value of 0 are not shown
- in the statistics file.
- </p>
-
- <p>
- The statistics dump ends with the line where the
- number is identical to the number in the beginning line; for example:
- </p>
- <p>
- <span class="command"><strong>--- Statistics Dump --- (973798949)</strong></span>
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
-
- <p>
- The following tables summarize statistics counters that
- <acronym class="acronym">BIND</acronym> 9 provides.
- For each row of the tables, the leftmost column is the
- abbreviated symbol name of that counter.
- These symbols are shown in the statistics information
- accessed via an HTTP statistics channel.
- The rightmost column gives the description of the counter,
- which is also shown in the statistics file
- (but, in this document, possibly with slight modification
- for better readability).
- Additional notes may also be provided in this column.
- When a middle column exists between these two columns,
- it gives the corresponding counter name of the
- <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="stats_counters"></a>Name Server Statistics Counters</h4></div></div></div>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="1.150in" class="2">
-<col width="3.350in" class="3">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <span class="emphasis"><em>Symbol</em></span>
- </p>
- </td>
-<td>
- <p>
- <span class="emphasis"><em>BIND8 Symbol</em></span>
- </p>
- </td>
-<td>
- <p>
- <span class="emphasis"><em>Description</em></span>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Requestv4</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RQ</strong></span></p>
- </td>
-<td>
- <p>
- IPv4 requests received.
- Note: this also counts non query requests.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Requestv6</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RQ</strong></span></p>
- </td>
-<td>
- <p>
- IPv6 requests received.
- Note: this also counts non query requests.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ReqEdns0</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Requests with EDNS(0) received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ReqBadEDNSVer</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Requests with unsupported EDNS version received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ReqTSIG</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Requests with TSIG received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ReqSIG0</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Requests with SIG(0) received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ReqBadSIG</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Requests with invalid (TSIG or SIG(0)) signature.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ReqTCP</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RTCP</strong></span></p>
- </td>
-<td>
- <p>
- TCP requests received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>AuthQryRej</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RUQ</strong></span></p>
- </td>
-<td>
- <p>
- Authoritative (non recursive) queries rejected.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>RecQryRej</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RURQ</strong></span></p>
- </td>
-<td>
- <p>
- Recursive queries rejected.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>XfrRej</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RUXFR</strong></span></p>
- </td>
-<td>
- <p>
- Zone transfer requests rejected.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>UpdateRej</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RUUpd</strong></span></p>
- </td>
-<td>
- <p>
- Dynamic update requests rejected.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Response</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>SAns</strong></span></p>
- </td>
-<td>
- <p>
- Responses sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>RespTruncated</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Truncated responses sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>RespEDNS0</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Responses with EDNS(0) sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>RespTSIG</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Responses with TSIG sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>RespSIG0</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Responses with SIG(0) sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QrySuccess</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Queries resulted in a successful answer.
- This means the query which returns a NOERROR response
- with at least one answer RR.
- This corresponds to the
- <span class="command"><strong>success</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryAuthAns</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Queries resulted in authoritative answer.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryNoauthAns</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>SNaAns</strong></span></p>
- </td>
-<td>
- <p>
- Queries resulted in non authoritative answer.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryReferral</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Queries resulted in referral answer.
- This corresponds to the
- <span class="command"><strong>referral</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryNxrrset</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Queries resulted in NOERROR responses with no data.
- This corresponds to the
- <span class="command"><strong>nxrrset</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QrySERVFAIL</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>SFail</strong></span></p>
- </td>
-<td>
- <p>
- Queries resulted in SERVFAIL.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryFORMERR</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>SFErr</strong></span></p>
- </td>
-<td>
- <p>
- Queries resulted in FORMERR.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryNXDOMAIN</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>SNXD</strong></span></p>
- </td>
-<td>
- <p>
- Queries resulted in NXDOMAIN.
- This corresponds to the
- <span class="command"><strong>nxdomain</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryRecursion</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RFwdQ</strong></span></p>
- </td>
-<td>
- <p>
- Queries which caused the server
- to perform recursion in order to find the final answer.
- This corresponds to the
- <span class="command"><strong>recursion</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryDuplicate</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RDupQ</strong></span></p>
- </td>
-<td>
- <p>
- Queries which the server attempted to
- recurse but discovered an existing query with the same
- IP address, port, query ID, name, type and class
- already being processed.
- This corresponds to the
- <span class="command"><strong>duplicate</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryDropped</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Recursive queries for which the server
- discovered an excessive number of existing
- recursive queries for the same name, type and
- class and were subsequently dropped.
- This is the number of dropped queries due to
- the reason explained with the
- <span class="command"><strong>clients-per-query</strong></span>
- and
- <span class="command"><strong>max-clients-per-query</strong></span>
- options
- (see the description about
- <a class="xref" href="Bv9ARM.ch06.html#clients-per-query"><span class="command"><strong>clients-per-query</strong></span></a>.)
- This corresponds to the
- <span class="command"><strong>dropped</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryFailure</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Other query failures.
- This corresponds to the
- <span class="command"><strong>failure</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- Note: this counter is provided mainly for
- backward compatibility with the previous versions.
- Normally a more fine-grained counters such as
- <span class="command"><strong>AuthQryRej</strong></span> and
- <span class="command"><strong>RecQryRej</strong></span>
- that would also fall into this counter are provided,
- and so this counter would not be of much
- interest in practice.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryNXRedir</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Queries resulted in NXDOMAIN that were redirected.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryNXRedirRLookup</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Queries resulted in NXDOMAIN that were redirected
- and resulted in a successful remote lookup.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>XfrReqDone</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Requested zone transfers completed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>UpdateReqFwd</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Update requests forwarded.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>UpdateRespFwd</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Update responses forwarded.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>UpdateFwdFail</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Dynamic update forward failed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>UpdateDone</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Dynamic updates completed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>UpdateFail</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Dynamic updates failed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>UpdateBadPrereq</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Dynamic updates rejected due to prerequisite failure.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>RateDropped</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Responses dropped by rate limits.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>RateSlipped</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Responses truncated by rate limits.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>RPZRewrites</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Response policy zone rewrites.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_stats"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="3.350in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <span class="emphasis"><em>Symbol</em></span>
- </p>
- </td>
-<td>
- <p>
- <span class="emphasis"><em>Description</em></span>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>NotifyOutv4</strong></span></p>
- </td>
-<td>
- <p>
- IPv4 notifies sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>NotifyOutv6</strong></span></p>
- </td>
-<td>
- <p>
- IPv6 notifies sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>NotifyInv4</strong></span></p>
- </td>
-<td>
- <p>
- IPv4 notifies received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>NotifyInv6</strong></span></p>
- </td>
-<td>
- <p>
- IPv6 notifies received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>NotifyRej</strong></span></p>
- </td>
-<td>
- <p>
- Incoming notifies rejected.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>SOAOutv4</strong></span></p>
- </td>
-<td>
- <p>
- IPv4 SOA queries sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>SOAOutv6</strong></span></p>
- </td>
-<td>
- <p>
- IPv6 SOA queries sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>AXFRReqv4</strong></span></p>
- </td>
-<td>
- <p>
- IPv4 AXFR requested.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>AXFRReqv6</strong></span></p>
- </td>
-<td>
- <p>
- IPv6 AXFR requested.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>IXFRReqv4</strong></span></p>
- </td>
-<td>
- <p>
- IPv4 IXFR requested.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>IXFRReqv6</strong></span></p>
- </td>
-<td>
- <p>
- IPv6 IXFR requested.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>XfrSuccess</strong></span></p>
- </td>
-<td>
- <p>
- Zone transfer requests succeeded.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>XfrFail</strong></span></p>
- </td>
-<td>
- <p>
- Zone transfer requests failed.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="resolver_stats"></a>Resolver Statistics Counters</h4></div></div></div>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="1.150in" class="2">
-<col width="3.350in" class="3">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <span class="emphasis"><em>Symbol</em></span>
- </p>
- </td>
-<td>
- <p>
- <span class="emphasis"><em>BIND8 Symbol</em></span>
- </p>
- </td>
-<td>
- <p>
- <span class="emphasis"><em>Description</em></span>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Queryv4</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>SFwdQ</strong></span></p>
- </td>
-<td>
- <p>
- IPv4 queries sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Queryv6</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>SFwdQ</strong></span></p>
- </td>
-<td>
- <p>
- IPv6 queries sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Responsev4</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RR</strong></span></p>
- </td>
-<td>
- <p>
- IPv4 responses received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Responsev6</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RR</strong></span></p>
- </td>
-<td>
- <p>
- IPv6 responses received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>NXDOMAIN</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RNXD</strong></span></p>
- </td>
-<td>
- <p>
- NXDOMAIN received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>SERVFAIL</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RFail</strong></span></p>
- </td>
-<td>
- <p>
- SERVFAIL received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>FORMERR</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RFErr</strong></span></p>
- </td>
-<td>
- <p>
- FORMERR received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>OtherError</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RErr</strong></span></p>
- </td>
-<td>
- <p>
- Other errors received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>EDNS0Fail</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- EDNS(0) query failures.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Mismatch</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RDupR</strong></span></p>
- </td>
-<td>
- <p>
- Mismatch responses received.
- The DNS ID, response's source address,
- and/or the response's source port does not
- match what was expected.
- (The port must be 53 or as defined by
- the <span class="command"><strong>port</strong></span> option.)
- This may be an indication of a cache
- poisoning attempt.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Truncated</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Truncated responses received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Lame</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>RLame</strong></span></p>
- </td>
-<td>
- <p>
- Lame delegations received.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>Retry</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>SDupQ</strong></span></p>
- </td>
-<td>
- <p>
- Query retries performed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QueryAbort</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Queries aborted due to quota control.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QuerySockFail</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Failures in opening query sockets.
- One common reason for such failures is a
- failure of opening a new socket due to a
- limitation on file descriptors.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QueryTimeout</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Query timeouts.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>GlueFetchv4</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>SSysQ</strong></span></p>
- </td>
-<td>
- <p>
- IPv4 NS address fetches invoked.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>GlueFetchv6</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong>SSysQ</strong></span></p>
- </td>
-<td>
- <p>
- IPv6 NS address fetches invoked.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>GlueFetchv4Fail</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- IPv4 NS address fetch failed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>GlueFetchv6Fail</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- IPv6 NS address fetch failed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ValAttempt</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- DNSSEC validation attempted.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ValOk</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- DNSSEC validation succeeded.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ValNegOk</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- DNSSEC validation on negative information succeeded.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>ValFail</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- DNSSEC validation failed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong>QryRTTnn</strong></span></p>
- </td>
-<td>
- <p><span class="command"><strong></strong></span></p>
- </td>
-<td>
- <p>
- Frequency table on round trip times (RTTs) of
- queries.
- Each <span class="command"><strong>nn</strong></span> specifies the corresponding
- frequency.
- In the sequence of
- <span class="command"><strong>nn_1</strong></span>,
- <span class="command"><strong>nn_2</strong></span>,
- ...,
- <span class="command"><strong>nn_m</strong></span>,
- the value of <span class="command"><strong>nn_i</strong></span> is the
- number of queries whose RTTs are between
- <span class="command"><strong>nn_(i-1)</strong></span> (inclusive) and
- <span class="command"><strong>nn_i</strong></span> (exclusive) milliseconds.
- For the sake of convenience we define
- <span class="command"><strong>nn_0</strong></span> to be 0.
- The last entry should be represented as
- <span class="command"><strong>nn_m+</strong></span>, which means the
- number of queries whose RTTs are equal to or over
- <span class="command"><strong>nn_m</strong></span> milliseconds.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
-
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="socket_stats"></a>Socket I/O Statistics Counters</h4></div></div></div>
-
- <p>
- Socket I/O statistics counters are defined per socket
- types, which are
- <span class="command"><strong>UDP4</strong></span> (UDP/IPv4),
- <span class="command"><strong>UDP6</strong></span> (UDP/IPv6),
- <span class="command"><strong>TCP4</strong></span> (TCP/IPv4),
- <span class="command"><strong>TCP6</strong></span> (TCP/IPv6),
- <span class="command"><strong>Unix</strong></span> (Unix Domain), and
- <span class="command"><strong>FDwatch</strong></span> (sockets opened outside the
- socket module).
- In the following table <span class="command"><strong><TYPE></strong></span>
- represents a socket type.
- Not all counters are available for all socket types;
- exceptions are noted in the description field.
- </p>
-
- <div class="informaltable">
- <table border="1">
-<colgroup>
-<col width="1.150in" class="1">
-<col width="3.350in" class="2">
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <span class="emphasis"><em>Symbol</em></span>
- </p>
- </td>
-<td>
- <p>
- <span class="emphasis"><em>Description</em></span>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong><TYPE>Open</strong></span></p>
- </td>
-<td>
- <p>
- Sockets opened successfully.
- This counter is not applicable to the
- <span class="command"><strong>FDwatch</strong></span> type.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong><TYPE>OpenFail</strong></span></p>
- </td>
-<td>
- <p>
- Failures of opening sockets.
- This counter is not applicable to the
- <span class="command"><strong>FDwatch</strong></span> type.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong><TYPE>Close</strong></span></p>
- </td>
-<td>
- <p>
- Sockets closed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong><TYPE>BindFail</strong></span></p>
- </td>
-<td>
- <p>
- Failures of binding sockets.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong><TYPE>ConnFail</strong></span></p>
- </td>
-<td>
- <p>
- Failures of connecting sockets.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong><TYPE>Conn</strong></span></p>
- </td>
-<td>
- <p>
- Connections established successfully.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong><TYPE>AcceptFail</strong></span></p>
- </td>
-<td>
- <p>
- Failures of accepting incoming connection requests.
- This counter is not applicable to the
- <span class="command"><strong>UDP</strong></span> and
- <span class="command"><strong>FDwatch</strong></span> types.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong><TYPE>Accept</strong></span></p>
- </td>
-<td>
- <p>
- Incoming connections successfully accepted.
- This counter is not applicable to the
- <span class="command"><strong>UDP</strong></span> and
- <span class="command"><strong>FDwatch</strong></span> types.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong><TYPE>SendErr</strong></span></p>
- </td>
-<td>
- <p>
- Errors in socket send operations.
- This counter corresponds
- to <span class="command"><strong>SErr</strong></span> counter of
- <span class="command"><strong>BIND</strong></span> 8.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span class="command"><strong><TYPE>RecvErr</strong></span></p>
- </td>
-<td>
- <p>
- Errors in socket receive operations.
- This includes errors of send operations on a
- connected UDP socket notified by an ICMP error
- message.
- </p>
- </td>
-</tr>
-</tbody>
-</table>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="bind8_compatibility"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
-
- <p>
- Most statistics counters that were available
- in <span class="command"><strong>BIND</strong></span> 8 are also supported in
- <span class="command"><strong>BIND</strong></span> 9 as shown in the above tables.
- Here are notes about other counters that do not appear
- in these tables.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>RFwdR,SFwdR</strong></span></span></dt>
-<dd>
- <p>
- These counters are not supported
- because <span class="command"><strong>BIND</strong></span> 9 does not adopt
- the notion of <span class="emphasis"><em>forwarding</em></span>
- as <span class="command"><strong>BIND</strong></span> 8 did.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>RAXFR</strong></span></span></dt>
-<dd>
- <p>
- This counter is accessible in the Incoming Queries section.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>RIQ</strong></span></span></dt>
-<dd>
- <p>
- This counter is accessible in the Incoming Requests section.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>ROpts</strong></span></span></dt>
-<dd>
- <p>
- This counter is not supported
- because <span class="command"><strong>BIND</strong></span> 9 does not care
- about IP options in the first place.
- </p>
- </dd>
-</dl></div>
- </div>
- </div>
- </div>
-
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 7. BIND 9 Security Considerations</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
-<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
-</dl>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
-
- <p>
- Access Control Lists (ACLs) are address match lists that
- you can set up and nickname for future use in
- <span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
- <span class="command"><strong>allow-query-on</strong></span>, <span class="command"><strong>allow-recursion</strong></span>,
- <span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
- <span class="command"><strong>match-clients</strong></span>, etc.
- </p>
- <p>
- Using ACLs allows you to have finer control over who can access
- your name server, without cluttering up your config files with huge
- lists of IP addresses.
- </p>
- <p>
- It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
- control access to your server. Limiting access to your server by
- outside parties can help prevent spoofing and denial of service
- (DoS) attacks against your server.
- </p>
- <p>
- ACLs match clients on the basis of up to three characteristics:
- 1) The client's IP address; 2) the TSIG or SIG(0) key that was
- used to sign the request, if any; and 3) an address prefix
- encoded in an EDNS Client Subnet option, if any.
- </p>
- <p>
- Here is an example of ACLs based on client addresses:
- </p>
-
-<pre class="programlisting">
-// Set up an ACL named "bogusnets" that will block
-// RFC1918 space and some reserved space, which is
-// commonly used in spoofing attacks.
-acl bogusnets {
- 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
- 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
-};
-
-// Set up an ACL called our-nets. Replace this with the
-// real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; };
-options {
- ...
- ...
- allow-query { our-nets; };
- allow-recursion { our-nets; };
- ...
- blackhole { bogusnets; };
- ...
-};
-
-zone "example.com" {
- type master;
- file "m/example.com";
- allow-query { any; };
-};
-</pre>
-
- <p>
- This allows authoritative queries for "example.com" from any
- address, but recursive queries only from the networks specified
- in "our-nets", and no queries at all from the networks
- specified in "bogusnets".
- </p>
- <p>
- In addition to network addresses and prefixes, which are
- matched against the source address of the DNS request, ACLs
- may include <code class="option">key</code> elements, which specify the
- name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
- elements, which specify a network prefix but are only matched
- if that prefix matches an EDNS client subnet option included
- in the request.
- </p>
- <p>
- The EDNS Client Subnet (ECS) option is used by a recursive
- resolver to inform an authoritative name server of the network
- address block from which the original query was received, enabling
- authoritative servers to give different answers to the same
- resolver for different resolver clients. An ACL containing
- an element of the form
- <span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
- will match if a request arrives in containing an ECS option
- encoding an address within that prefix. If the request has no
- ECS option, then "ecs" elements are simply ignored. Addresses
- in ACLs that are not prefixed with "ecs" are matched only
- against the source address.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- (Note: The authoritative ECS implementation in
- <span class="command"><strong>named</strong></span> is based on an early version of the
- specification, and is known to have incompatibilities with
- other implementations. It is also inefficient, requiring
- a separate view for each client subnet to be sent different
- answers, and it is unable to correct for overlapping subnets in
- the configuration. It can be used for testing purposes, but is
- not recommended for production use.)
- </p>
- </div>
- <p>
- When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
- ACLs can also be used for geographic access restrictions.
- This is done by specifying an ACL element of the form:
- <span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
- </p>
- <p>
- The <em class="replaceable"><code>field</code></em> indicates which field
- to search for a match. Available fields are "country",
- "region", "city", "continent", "postal" (postal code),
- "metro" (metro code), "area" (area code), "tz" (timezone),
- "isp", "org", "asnum", "domain" and "netspeed".
- </p>
- <p>
- <em class="replaceable"><code>value</code></em> is the value to search
- for within the database. A string may be quoted if it
- contains spaces or other special characters. If this is
- an "asnum" search, then the leading "ASNNNN" string can be
- used, otherwise the full description must be used (e.g.
- "ASNNNN Example Company Name"). If this is a "country"
- search and the string is two characters long, then it must
- be a standard ISO-3166-1 two-letter country code, and if it
- is three characters long then it must be an ISO-3166-1
- three-letter country code; otherwise it is the full name
- of the country. Similarly, if this is a "region" search
- and the string is two characters long, then it must be a
- standard two-letter state or province abbreviation;
- otherwise it is the full name of the state or province.
- </p>
- <p>
- The <em class="replaceable"><code>database</code></em> field indicates which
- GeoIP database to search for a match. In most cases this is
- unnecessary, because most search fields can only be found in
- a single database. However, searches for country can be
- answered from the "city", "region", or "country" databases,
- and searches for region (i.e., state or province) can be
- answered from the "city" or "region" databases. For these
- search types, specifying a <em class="replaceable"><code>database</code></em>
- will force the query to be answered from that database and no
- other. If <em class="replaceable"><code>database</code></em> is not
- specified, then these queries will be answered from the "city",
- database if it is installed, or the "region" database if it is
- installed, or the "country" database, in that order.
- </p>
- <p>
- By default, if a DNS query includes an EDNS Client Subnet (ECS)
- option which encodes a non-zero address prefix, then GeoIP ACLs
- will be matched against that address prefix. Otherwise, they
- are matched against the source address of the query. To
- prevent GeoIP ACLs from matching against ECS options, set
- the <span class="command"><strong>geoip-use-ecs</strong></span> to <code class="literal">no</code>.
- </p>
- <p>
- Some example GeoIP ACLs:
- </p>
- <pre class="programlisting">geoip country US;
-geoip country JAP;
-geoip db country country Canada;
-geoip db region region WA;
-geoip city "San Francisco";
-geoip region Oklahoma;
-geoip postal 95062;
-geoip tz "America/Los_Angeles";
-geoip org "Internet Systems Consortium";
-</pre>
-
- <p>
- ACLs use a "first-match" logic rather than "best-match":
- if an address prefix matches an ACL element, then that ACL
- is considered to have matched even if a later element would
- have matched more specifically. For example, the ACL
- <span class="command"><strong> { 10/8; !10.0.0.1; }</strong></span> would actually
- match a query from 10.0.0.1, because the first element
- indicated that the query should be accepted, and the second
- element is ignored.
- </p>
- <p>
- When using "nested" ACLs (that is, ACLs included or referenced
- within other ACLs), a negative match of a nested ACL will
- the containing ACL to continue looking for matches. This
- enables complex ACLs to be constructed, in which multiple
- client characteristics can be checked at the same time. For
- example, to construct an ACL which allows queries only when
- it originates from a particular network <span class="emphasis"><em>and</em></span>
- only when it is signed with a particular key, use:
- </p>
- <pre class="programlisting">
-allow-query { !{ !10/8; any; }; key example; };
-</pre>
- <p>
- Within the nested ACL, any address that is
- <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
- be rejected, and this will terminate processing of the
- ACL. Any address that <span class="emphasis"><em>is</em></span> in the 10/8
- network prefix will be accepted, but this causes a negative
- match of the nested ACL, so the containing ACL continues
- processing. The query will then be accepted if it is signed
- by the key "example", and rejected otherwise. The ACL, then,
- will only matches when <span class="emphasis"><em>both</em></span> conditions
- are true.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="chroot_and_setuid"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
-</h2></div></div></div>
-
- <p>
- On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
- in a <span class="emphasis"><em>chrooted</em></span> environment (using
- the <span class="command"><strong>chroot()</strong></span> function) by specifying
- the <code class="option">-t</code> option for <span class="command"><strong>named</strong></span>.
- This can help improve system security by placing
- <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
- the damage done if a server is compromised.
- </p>
- <p>
- Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
- ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
- We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
- </p>
- <p>
- Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
- <span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
- user 202:
- </p>
- <p>
- <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
- </p>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="chroot"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
-
- <p>
- In order for a <span class="command"><strong>chroot</strong></span> environment
- to work properly in a particular directory (for example,
- <code class="filename">/var/named</code>), you will need to set
- up an environment that includes everything
- <acronym class="acronym">BIND</acronym> needs to run. From
- <acronym class="acronym">BIND</acronym>'s point of view,
- <code class="filename">/var/named</code> is the root of the
- filesystem. You will need to adjust the values of
- options like <span class="command"><strong>directory</strong></span> and
- <span class="command"><strong>pid-file</strong></span> to account for this.
- </p>
- <p>
- Unlike with earlier versions of BIND, you typically will
- <span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
- statically nor install shared libraries under the new root.
- However, depending on your operating system, you may need
- to set up things like
- <code class="filename">/dev/zero</code>,
- <code class="filename">/dev/random</code>,
- <code class="filename">/dev/log</code>, and
- <code class="filename">/etc/localtime</code>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="setuid"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>
-
- <p>
- Prior to running the <span class="command"><strong>named</strong></span> daemon,
- use
- the <span class="command"><strong>touch</strong></span> utility (to change file
- access and
- modification times) or the <span class="command"><strong>chown</strong></span>
- utility (to
- set the user id and/or group id) on files
- to which you want <acronym class="acronym">BIND</acronym>
- to write.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- If the <span class="command"><strong>named</strong></span> daemon is running as an
- unprivileged user, it will not be able to bind to new restricted
- ports if the server is reloaded.
- </p>
-</div>
- </div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
-
- <p>
- Access to the dynamic
- update facility should be strictly limited. In earlier versions of
- <acronym class="acronym">BIND</acronym>, the only way to do this was
- based on the IP
- address of the host requesting the update, by listing an IP address
- or
- network prefix in the <span class="command"><strong>allow-update</strong></span>
- zone option.
- This method is insecure since the source address of the update UDP
- packet
- is easily forged. Also note that if the IP addresses allowed by the
- <span class="command"><strong>allow-update</strong></span> option include the
- address of a slave
- server which performs forwarding of dynamic updates, the master can
- be
- trivially attacked by sending the update to the slave, which will
- forward it to the master with its own source IP address causing the
- master to approve it without question.
- </p>
-
- <p>
- For these reasons, we strongly recommend that updates be
- cryptographically authenticated by means of transaction signatures
- (TSIG). That is, the <span class="command"><strong>allow-update</strong></span>
- option should
- list only TSIG key names, not IP addresses or network
- prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span>
- option can be used.
- </p>
-
- <p>
- Some sites choose to keep all dynamically-updated DNS data
- in a subdomain and delegate that subdomain to a separate zone. This
- way, the top-level zone containing critical data such as the IP
- addresses
- of public web and mail servers need not allow dynamic update at
- all.
- </p>
-
- </div>
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 8. Troubleshooting</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
-<link rel="next" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 8. Troubleshooting</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch07.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch09.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch08"></a>Chapter 8. Troubleshooting</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#common_problems">Common Problems</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#more_help">Where Can I Get Help?</a></span></dt>
-</dl>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="common_problems"></a>Common Problems</h2></div></div></div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.9.2.2"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
-
- <p>
- The best solution to solving installation and
- configuration issues is to take preventative measures by setting
- up logging files beforehand. The log files provide a
- source of hints and information that can be used to figure out
- what went wrong and how to fix the problem.
- </p>
-
- </div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.3"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
-
- <p>
- Zone serial numbers are just numbers — they aren't
- date related. A lot of people set them to a number that
- represents a date, usually of the form YYYYMMDDRR.
- Occasionally they will make a mistake and set them to a
- "date in the future" then try to correct them by setting
- them to the "current date". This causes problems because
- serial numbers are used to indicate that a zone has been
- updated. If the serial number on the slave server is
- lower than the serial number on the master, the slave
- server will attempt to update its copy of the zone.
- </p>
-
- <p>
- Setting the serial number to a lower number on the master
- server than the slave server means that the slave will not perform
- updates to its copy of the zone.
- </p>
-
- <p>
- The solution to this is to add 2147483647 (2^31-1) to the
- number, reload the zone and make sure all slaves have updated to
- the new zone serial number, then reset the number to what you want
- it to be, and reload the zone again.
- </p>
-
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="more_help"></a>Where Can I Get Help?</h2></div></div></div>
-
- <p>
- The Internet Systems Consortium
- (<acronym class="acronym">ISC</acronym>) offers a wide range
- of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
- levels of premium support are available and each level includes
- support for all <acronym class="acronym">ISC</acronym> programs,
- significant discounts on products
- and training, and a recognized priority on bug fixes and
- non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
- support agreement package which includes services ranging from bug
- fix announcements to remote support. It also includes training in
- <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.
- </p>
-
- <p>
- To discuss arrangements for support, contact
- <a class="link" href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
- <acronym class="acronym">ISC</acronym> web page at
- <a class="link" href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
- to read more.
- </p>
- </div>
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch07.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch09.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix A. Release Notes</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix A. Release Notes</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
-<link rel="next" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix A. Release Notes</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="appendix">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.12.0-pre-alpha</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Windows XP No Longer Supported</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
-</dl></dd>
-</dl>
-</div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.12.0-pre-alpha</h2></div></div></div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
- <p>
- BIND 9.12.0 is a new feature release of BIND, still under development.
- This document summarizes new features and functional changes that
- have been introduced on this branch. With each development
- release leading up to the final BIND 9.12.0 release, this document
- will be updated with additional features added and bugs fixed.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_download"></a>Download</h3></div></div></div>
- <p>
- The latest versions of BIND 9 software can always be found at
- <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
- There you will find additional information about each release,
- source code, and pre-compiled versions for Microsoft Windows
- operating systems.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_license"></a>License Change</h3></div></div></div>
- <p>
- With the release of BIND 9.11.0, ISC changed to the open
- source license for BIND from the ISC license to the Mozilla
- Public License (MPL 2.0).
- </p>
- <p>
- The MPL-2.0 license requires that if you make changes to
- licensed software (e.g. BIND) and distribute them outside
- your organization, that you publish those changes under that
- same license. It does not require that you publish or disclose
- anything other than the changes you made to our software.
- </p>
- <p>
- This new requirement will not affect anyone who is using BIND
- without redistributing it, nor anyone redistributing it without
- changes, therefore this change will be without consequence
- for most individuals and organizations who are using BIND.
- </p>
- <p>
- Those unsure whether or not the license change affects their
- use of BIND, or who wish to discuss how to comply with the
- license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
- https://www.isc.org/mission/contact/</a>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="win_support"></a>Windows XP No Longer Supported</h3></div></div></div>
- <p>
- As of BIND 9.11.2, Windows XP is no longer a supported platform for
- BIND, and Windows XP binaries are no longer available for download
- from ISC.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- An error in TSIG handling could permit unauthorized zone
- transfers or zone updates. These flaws are disclosed in
- CVE-2017-3142 and CVE-2017-3143. [RT #45383]
- </p>
- </li>
-<li class="listitem">
- <p>
- The BIND installer on Windows used an unquoted service path,
- which can enable privilege escalation. This flaw is disclosed
- in CVE-2017-3141. [RT #45229]
- </p>
- </li>
-<li class="listitem">
- <p>
- With certain RPZ configurations, a response with TTL 0
- could cause <span class="command"><strong>named</strong></span> to go into an infinite
- query loop. This flaw is disclosed in CVE-2017-3140.
- [RT #45181]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>rndc ""</strong></span> could trigger an assertion failure
- in <span class="command"><strong>named</strong></span>. This flaw is disclosed in
- (CVE-2017-3138). [RT #44924]
- </p>
- </li>
-<li class="listitem">
- <p>
- Some chaining (i.e., type CNAME or DNAME) responses to upstream
- queries could trigger assertion failures. This flaw is disclosed
- in CVE-2017-3137. [RT #44734]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
- can result in an assertion failure. This flaw is disclosed in
- CVE-2017-3136. [RT #44653]
- </p>
- </li>
-<li class="listitem">
- <p>
- If a server is configured with a response policy zone (RPZ)
- that rewrites an answer with local data, and is also configured
- for DNS64 address mapping, a NULL pointer can be read
- triggering a server crash. This flaw is disclosed in
- CVE-2017-3135. [RT #44434]
- </p>
- </li>
-<li class="listitem">
- <p>
- A coding error in the <code class="option">nxdomain-redirect</code>
- feature could lead to an assertion failure if the redirection
- namespace was served from a local authoritative data source
- such as a local zone or a DLZ instead of via recursive
- lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could mishandle authority sections
- with missing RRSIGs, triggering an assertion failure. This
- flaw is disclosed in CVE-2016-9444. [RT #43632]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> mishandled some responses where
- covering RRSIG records were returned without the requested
- data, resulting in an assertion failure. This flaw is
- disclosed in CVE-2016-9147. [RT #43548]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
- records which could trigger an assertion failure when there was
- a class mismatch. This flaw is disclosed in CVE-2016-9131.
- [RT #43522]
- </p>
- </li>
-<li class="listitem">
- <p>
- It was possible to trigger assertions when processing
- responses containing answers of type DNAME. This flaw is
- disclosed in CVE-2016-8864. [RT #43465]
- </p>
- </li>
-<li class="listitem">
- <p>
- Added the ability to specify the maximum number of records
- permitted in a zone (<code class="option">max-records #;</code>).
- This provides a mechanism to block overly large zone
- transfers, which is a potential risk with slave zones from
- other parties, as described in CVE-2016-6170.
- [RT #42143]
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Code implementing name server query processing has been moved
- from <span class="command"><strong>named</strong></span> to an external library,
- <span class="command"><strong>libns</strong></span>. This will make it easier to
- write unit tests for the code, or to link it into new tools.
- [RT #45186]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>nsupdate</strong></span> and <span class="command"><strong>rndc</strong></span> now accept
- command line options <span class="command"><strong>-4</strong></span> and <span class="command"><strong>-6</strong></span>
- which force using only IPv4 or only IPv6, respectively. [RT #45632]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>nsec3hash -r</strong></span> ("rdata order") takes arguments
- in the same order as they appear in NSEC3 or NSEC3PARAM records.
- This makes it easier to generate an NSEC3 hash using values cut
- and pasted from an existing record. Thanks to Tony Finch for
- the contribution. [RT #45183]
- </p>
- </li>
-<li class="listitem">
- <p>
- Setting <span class="command"><strong>max-journal-size</strong></span> to
- <code class="literal">default</code> limits journal sizes to twice the
- size of the zone contents. This can be overridden by setting
- <span class="command"><strong>max-journal-size</strong></span> to <code class="literal">unlimited</code>
- or to an explicit value up to 2G. Thanks to Tony Finch for
- the contribution. [RT #38324]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>new-zones-directory</strong></span> option allows
- <span class="command"><strong>named</strong></span> to store configuration parameters
- for zones added via <span class="command"><strong>rndc addzone</strong></span> in a
- location other than the working directory. Thanks to Petr
- MenšÃk of Red Hat for the contribution.
- [RT #44853]
- </p>
- </li>
-<li class="listitem">
- <p>
- Many aspects of <span class="command"><strong>named</strong></span> have been modified
- to improve query performance, and in particular, performance
- for delegation-heavy zones:
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem">
- <p>
- The additional cache ("acache") was found not to
- significantly improve performance and has been removed;
- the <span class="command"><strong>acache-enable</strong></span> and
- <span class="command"><strong>acache-cleaning-interval</strong></span> options are now
- deprecated.
- </p>
- </li>
-<li class="listitem">
- <p>
- In place of the acache, <span class="command"><strong>named</strong></span> can now use
- a glue cache to speed up retrieval of glue records when sending
- delegation responses. Unlike acache, this feature is on by
- default; use <span class="command"><strong>glue-cache no;</strong></span> to disable it.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>additional-from-cache</strong></span>
- and <span class="command"><strong>additional-from-auth</strong></span> options have been
- deprecated.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>minimal-responses</strong></span> is now set
- to <code class="literal">yes</code> by default.
- </p>
- </li>
-<li class="listitem">
- <p>
- Several functions have been refactored to improve
- performance, including name compression, owner name
- case restoration, hashing, and buffers.
- </p>
- </li>
-</ul></div>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
- dump of the wire format DNS message encapsulated in each
- <span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>host -A</strong></span> option returns most
- records for a name, but omits types RRSIG, NSEC and NSEC3.
- </p>
- </li>
-<li class="listitem">
- <p>
- Several areas of code have been refactored for improved
- readability, maintainability, and testability:
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem">
- <p>
- The <span class="command"><strong>named</strong></span> query logic implemented in
- <span class="command"><strong>query_find()</strong></span> has been split into
- smaller functions with a context structure to maintain state
- between them, and extensive comments have been added.
- [RT #43929]
- </p>
- </li>
-<li class="listitem">
- <p>
- Similarly the iterative query logic implemented in
- <span class="command"><strong>resquery_response()</strong></span> function has been
- split into smaller functions and comments added. [RT #45362]
- </p>
- </li>
-</ul></div>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dnstap</strong></span> logfiles can now be configured to
- automatically roll when they reach a specified size. If
- <span class="command"><strong>dnstap-output</strong></span> is configured with mode
- <code class="literal">file</code>, then it can take optional
- <span class="command"><strong>size</strong></span> and <span class="command"><strong>versions</strong></span>
- key-value arguments to set the logfile rolling parameters.
- (These have the same semantics as the corresponding
- options in a <span class="command"><strong>logging</strong></span> channel statement.)
- [RT #44502]
- </p>
- </li>
-<li class="listitem">
- <p>
- Logging channels and <span class="command"><strong>dnstap-output</strong></span> files can
- now be configured with a <span class="command"><strong>suffix</strong></span> option,
- set to either <code class="literal">increment</code> or
- <code class="literal">timestamp</code>, indicating whether log files
- should be given incrementing suffixes when they roll
- over (e.g., <code class="filename">logfile.0</code>,
- <code class="filename">.1</code>, <code class="filename">.2</code>, etc)
- or suffixes indicating the time of the roll. The default
- is <code class="literal">increment</code>. [RT #42838]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
- for EDNS options in addition to numeric values. For example,
- an EDNS Client-Subnet option could be sent using
- <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
- John Worley of Secure64 for the contribution. [RT #44461]
- </p>
- </li>
-<li class="listitem">
- <p>
- Added support for the EDNS TCP Keepalive option (RFC 7828);
- this allows negotiation of longer-lived TCP sessions
- to reduce the overhead of setting up TCP for individual
- queries. [RT #42126]
- </p>
- </li>
-<li class="listitem">
- <p>
- Added support for the EDNS Padding option (RFC 7830),
- which obfuscates packet size analysis when DNS queries
- are sent over an encrypted channel. [RT #42094]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <code class="option">print-time</code> option in the
- <code class="option">logging</code> configuration can now take arguments
- <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
- <strong class="userinput"><code>iso8601-utc</code></strong> to indicate the format in
- which the date and time should be logged. For backward
- compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
- <strong class="userinput"><code>local</code></strong>. [RT #42585]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>rndc</strong></span> commands which refer to zone names
- can now reference a zone of type <span class="command"><strong>redirect</strong></span>
- by using the special zone name "-redirect". (Previously this
- was not possible because <span class="command"><strong>redirect</strong></span> zones
- always have the name ".", which can be ambiguous.)
- </p>
- <p>
- In the event you need to manipulate a zone actually
- called "-redirect", use a trailing dot: "-redirect."
- </p>
- <p>
- Note: This change does not appply to the
- <span class="command"><strong>rndc addzone</strong></span> or
- <span class="command"><strong>rndc modzone</strong></span> commands.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf -l</strong></span> lists the zones found
- in <code class="filename">named.conf</code>. [RT #43154]
- </p>
- </li>
-<li class="listitem">
- <p>
- Query logging now includes the ECS option, if one was
- present in the query, in the format
- "[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> will now synthesize responses
- from cached DNSSEC-verified records. This will reduce
- query loads on authoritative servers for signed domains:
- if existing cached records can be used to determine
- the answer then no query needs to be sent.
- </p>
- <p>
- This behavior is controlled by the new
- <code class="filename">named.conf</code> option
- <span class="command"><strong>synth-from-dnssec</strong></span>. It is enabled by
- default.
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
- signing algorithms described in RFC 8080. Note, however, that
- these algorithms must be supported in OpenSSL;
- currently they are only available in the development branch
- of OpenSSL at
- <a class="link" href="https://github.com/openssl/openssl" target="_top">https://github.com/openssl/openssl</a>.
- [RT #44696]
- </p>
- </li>
-<li class="listitem">
- <p>
- EDNS KEY TAG options are verified and printed.
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- The lightweight resolver daemon and library (<span class="command"><strong>lwresd</strong></span>
- and <span class="command"><strong>liblwres</strong></span>) have been removed. [RT #45186]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dnssec-keygen</strong></span> no longer has default
- algorithm settings. It is necessary to explicitly specify the
- algorithm on the command line with the <code class="option">-a</code> option
- when generating keys. This may cause errors with existing signing
- scripts if they rely on current defaults. The intent is to
- reduce the long-term cost of transitioning to newer algorithms in
- the event of RSASHA1 being deprecated. [RT #44755]
- </p>
- </li>
-<li class="listitem">
- <p>
- Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
- names to assist debugging on operating systems that support that.
- Threads will have names such as "isc-timer", "isc-sockmgr",
- "isc-worker0001", and so on. This will affect the reporting of
- subsidiary thread names in <span class="command"><strong>ps</strong></span> and
- <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
- </p>
- </li>
-<li class="listitem">
- <p>
- The Response Policy Zone (RPZ) implementation has been
- substantially refactored: updates to the RPZ summary
- database are no longer directly performed by the zone
- database but by a separate function that is called when
- a policy zone is updated. This improves both performance
- and reliability when policy zones receive frequent updates.
- Summary database updates can be rate-limited by using the
- <span class="command"><strong>min-update-interval</strong></span> option in a
- <span class="command"><strong>response-policy</strong></span> statement. [RT #43449]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
- addresses for all messages, instead of only the remote address.
- The default output format for <span class="command"><strong>dnstap-read</strong></span> has
- been updated to include these addresses, with the initiating
- address first and the responding address second, separated by
- "-%gt;" or "%lt;-" to indicate in which direction the message
- was sent. [RT #43595]
- </p>
- </li>
-<li class="listitem">
- <p>
- Expanded and improved the YAML output from
- <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
- size and a detailed breakdown of message contents.
- [RT #43622] [RT #43642]
- </p>
- </li>
-<li class="listitem">
- <p>
- If an ACL is specified with an address prefix in which the
- prefix length is longer than the address portion (for example,
- 192.0.2.1/8), it will now be treated as a fatal error during
- configuration. [RT #43367]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig</strong></span> now warns about .local queries which are
- reserved for Multicast DNS. [RT #44783]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +sigchase</strong></span> and related options
- <span class="command"><strong>+trusted-keys</strong></span> and <span class="command"><strong>+topdown</strong></span>
- have been removed. <span class="command"><strong>delv</strong></span> is now the recommended
- command for looking up records with DNSSEC validation.
- [RT #42793]
- </p>
- </li>
-<li class="listitem">
- <p>
- The view associated with the query is now logged unless it
- it is "_default/IN" or "_dnsclient/IN" when logging DNSSEC
- validator messages.
- </p>
- </li>
-<li class="listitem">
- <p>
- Multiple <span class="command"><strong>cookie-secret</strong></span> clause are now
- supported. The first <span class="command"><strong>cookie-secret</strong></span> in
- <code class="filename">named.conf</code> is used to generate new
- server cookies. Any others are used to accept old server
- cookies or those generated by other servers using the
- matching <span class="command"><strong>cookie-secret</strong></span>.
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
- fail on some platforms when LMDB was in use. [RT #45203]
- </p>
- </li>
-<li class="listitem">
- <p>
- Due to some incorrectly deleted code, when BIND was
- built with LMDB, zones that were deleted via
- <span class="command"><strong>rndc delzone</strong></span> were removed from the
- running server but were not removed from the new zone
- database, so that deletion did not persist after a
- server restart. This has been corrected. [RT #45185]
- </p>
- </li>
-<li class="listitem">
- <p>
- Semicolons are no longer escaped when printing CAA and
- URI records. This may break applications that depend on the
- presence of the backslash before the semicolon. [RT #45216]
- </p>
- </li>
-<li class="listitem">
- <p>
- AD could be set on truncated answer with no records present
- in the answer and authority sections. [RT #45140]
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="end_of_life"></a>End of Life</h3></div></div></div>
- <p>
- The end of life for BIND 9.12 is yet to be determined but
- will not be before BIND 9.14.0 has been released for 6 months.
- <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
-
- <p>
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
- <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
- </p>
- </div>
-</div>
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 8. Troubleshooting </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix B. A Brief History of the DNS and BIND</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes">
-<link rel="next" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
-</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch09.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch11.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="appendix">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch10"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
-</h1></div></div></div>
- <p><a name="historical_dns_information"></a>
- Although the "official" beginning of the Domain Name
- System occurred in 1984 with the publication of RFC 920, the
- core of the new system was described in 1983 in RFCs 882 and
- 883. From 1984 to 1987, the ARPAnet (the precursor to today's
- Internet) became a testbed of experimentation for developing the
- new naming/addressing scheme in a rapidly expanding,
- operational network environment. New RFCs were written and
- published in 1987 that modified the original documents to
- incorporate improvements based on the working model. RFC 1034,
- "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
- Names-Implementation and Specification" were published and
- became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
- built.
- </p>
-
- <p>
- The first working domain name server, called "Jeeves", was
- written in 1983-84 by Paul Mockapetris for operation on DEC
- Tops-20
- machines located at the University of Southern California's
- Information
- Sciences Institute (USC-ISI) and SRI International's Network
- Information
- Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for
- Unix machines, the Berkeley Internet
- Name Domain (<acronym class="acronym">BIND</acronym>) package, was
- written soon after by a group of
- graduate students at the University of California at Berkeley
- under
- a grant from the US Defense Advanced Research Projects
- Administration
- (DARPA).
- </p>
- <p>
- Versions of <acronym class="acronym">BIND</acronym> through
- 4.8.3 were maintained by the Computer
- Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
- Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
- project team. After that, additional work on the software package
- was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
- Corporation
- employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985
- to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development
- during that time: Doug Kingston, Craig Partridge, Smoot
- Carl-Mitchell,
- Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
- handled by Mike Karels and Øivind Kure.
- </p>
- <p>
- <acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
- released by Digital Equipment
- Corporation (now Compaq Computer Corporation). Paul Vixie, then
- a DEC employee, became <acronym class="acronym">BIND</acronym>'s
- primary caretaker. He was assisted
- by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
- Beecher, Andrew
- Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
- Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
- Wolfhugel, and others.
- </p>
- <p>
- In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
- Vixie Enterprises. Paul
- Vixie became <acronym class="acronym">BIND</acronym>'s principal
- architect/programmer.
- </p>
- <p>
- <acronym class="acronym">BIND</acronym> versions from 4.9.3 onward
- have been developed and maintained
- by the Internet Systems Consortium and its predecessor,
- the Internet Software Consortium, with support being provided
- by ISC's sponsors.
- </p>
- <p>
- As co-architects/programmers, Bob Halley and
- Paul Vixie released the first production-ready version of
- <acronym class="acronym">BIND</acronym> version 8 in May 1997.
- </p>
- <p>
- BIND version 9 was released in September 2000 and is a
- major rewrite of nearly all aspects of the underlying
- BIND architecture.
- </p>
- <p>
- BIND versions 4 and 8 are officially deprecated.
- No additional development is done
- on BIND version 4 or BIND version 8.
- </p>
- <p>
- <acronym class="acronym">BIND</acronym> development work is made
- possible today by the sponsorship
- of several corporations, and by the tireless work efforts of
- numerous individuals.
- </p>
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch09.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch11.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Appendix A. Release Notes </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix C. General DNS Reference Information</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND">
-<link rel="next" href="Bv9ARM.ch12.html" title="Appendix D. BIND 9 DNS Library Support">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch10.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch12.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="appendix">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch11"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
-</dl></dd>
-</dl>
-</div>
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h2></div></div></div>
-
- <p>
- IPv6 addresses are 128-bit identifiers for interfaces and
- sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
- scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
- an identifier for a single interface;
- <span class="emphasis"><em>Anycast</em></span>,
- an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
- an identifier for a set of interfaces. Here we describe the global
- Unicast address scheme. For more information, see RFC 3587,
- "Global Unicast Address Format."
- </p>
- <p>
- IPv6 unicast addresses consist of a
- <span class="emphasis"><em>global routing prefix</em></span>, a
- <span class="emphasis"><em>subnet identifier</em></span>, and an
- <span class="emphasis"><em>interface identifier</em></span>.
- </p>
- <p>
- The global routing prefix is provided by the
- upstream provider or ISP, and (roughly) corresponds to the
- IPv4 <span class="emphasis"><em>network</em></span> section
- of the address range.
-
- The subnet identifier is for local subnetting, much the
- same as subnetting an
- IPv4 /16 network into /24 subnets.
-
- The interface identifier is the address of an individual
- interface on a given network; in IPv6, addresses belong to
- interfaces rather than to machines.
- </p>
- <p>
- The subnetting capability of IPv6 is much more flexible than
- that of IPv4: subnetting can be carried out on bit boundaries,
- in much the same way as Classless InterDomain Routing
- (CIDR), and the DNS PTR representation ("nibble" format)
- makes setting up reverse zones easier.
- </p>
- <p>
- The Interface Identifier must be unique on the local link,
- and is usually generated automatically by the IPv6
- implementation, although it is usually possible to
- override the default setting if necessary. A typical IPv6
- address might look like:
- <span class="command"><strong>2001:db8:201:9:a00:20ff:fe81:2b32</strong></span>
- </p>
- <p>
- IPv6 address specifications often contain long strings
- of zeros, so the architects have included a shorthand for
- specifying
- them. The double colon (`::') indicates the longest possible
- string
- of zeros that can fit, and can be used only once in an address.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="bibliography"></a>Bibliography (and Suggested Reading)</h2></div></div></div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div>
-
- <p>
- Specification documents for the Internet protocol suite, including
- the <acronym class="acronym">DNS</acronym>, are published as part of
- the Request for Comments (RFCs)
- series of technical notes. The standards themselves are defined
- by the Internet Engineering Task Force (IETF) and the Internet
- Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
- </p>
- <p>
- <a class="link" href="ftp://www.isi.edu/in-notes/" target="_top">
- ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxxx</code></em>.txt
- </a>
- </p>
- <p>
- (where <em class="replaceable"><code>xxxx</code></em> is
- the number of the RFC). RFCs are also available via the Web at:
- </p>
- <p>
- <a class="link" href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
- </p>
- <div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.12.3.2.6"></a>Bibliography</h4></div></div></div>
- <div class="bibliodiv">
-
-
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.1.2"></a><p>[<abbr class="abbrev">RFC974</abbr>]
-
- <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span>
- <span class="citetitle"><em class="citetitle">Mail Routing and the Domain System</em>. </span>
- <span class="pubdate">January 1986. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.1.3"></a><p>[<abbr class="abbrev">RFC1034</abbr>]
-
- <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span>
- <span class="citetitle"><em class="citetitle">Domain Names — Concepts and Facilities</em>. </span>
- <span class="pubdate">November 1987. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.1.4"></a><p>[<abbr class="abbrev">RFC1035</abbr>]
-
- <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span> <span class="citetitle"><em class="citetitle">Domain Names — Implementation and
- Specification</em>. </span>
- <span class="pubdate">November 1987. </span>
- </p>
-</div>
- </div>
- <div class="bibliodiv">
-
-
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.2"></a><p>[<abbr class="abbrev">RFC2181</abbr>]
-
- <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span>
- <span class="citetitle"><em class="citetitle">Clarifications to the <acronym class="acronym">DNS</acronym>
- Specification</em>. </span>
- <span class="pubdate">July 1997. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.3"></a><p>[<abbr class="abbrev">RFC2308</abbr>]
-
- <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span>
- <span class="citetitle"><em class="citetitle">Negative Caching of <acronym class="acronym">DNS</acronym>
- Queries</em>. </span>
- <span class="pubdate">March 1998. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.4"></a><p>[<abbr class="abbrev">RFC1995</abbr>]
-
- <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span>
- <span class="citetitle"><em class="citetitle">Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></em>. </span>
- <span class="pubdate">August 1996. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.5"></a><p>[<abbr class="abbrev">RFC1996</abbr>]
-
- <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
- <span class="citetitle"><em class="citetitle">A Mechanism for Prompt Notification of Zone Changes</em>. </span>
- <span class="pubdate">August 1996. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.6"></a><p>[<abbr class="abbrev">RFC2136</abbr>]
-
- <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span>
- <span class="citetitle"><em class="citetitle">Dynamic Updates in the Domain Name System</em>. </span>
- <span class="pubdate">April 1997. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.7"></a><p>[<abbr class="abbrev">RFC2671</abbr>]
-
- <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
- <span class="citetitle"><em class="citetitle">Extension Mechanisms for DNS (EDNS0)</em>. </span>
- <span class="pubdate">August 1997. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.8"></a><p>[<abbr class="abbrev">RFC2672</abbr>]
-
- <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span>
- <span class="citetitle"><em class="citetitle">Non-Terminal DNS Name Redirection</em>. </span>
- <span class="pubdate">August 1999. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.9"></a><p>[<abbr class="abbrev">RFC2845</abbr>]
-
- <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
- <span class="citetitle"><em class="citetitle">Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</em>. </span>
- <span class="pubdate">May 2000. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.10"></a><p>[<abbr class="abbrev">RFC2930</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
- <span class="citetitle"><em class="citetitle">Secret Key Establishment for DNS (TKEY RR)</em>. </span>
- <span class="pubdate">September 2000. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.11"></a><p>[<abbr class="abbrev">RFC2931</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
- <span class="citetitle"><em class="citetitle">DNS Request and Transaction Signatures (SIG(0)s)</em>. </span>
- <span class="pubdate">September 2000. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.12"></a><p>[<abbr class="abbrev">RFC3007</abbr>]
-
- <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
- <span class="citetitle"><em class="citetitle">Secure Domain Name System (DNS) Dynamic Update</em>. </span>
- <span class="pubdate">November 2000. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.2.13"></a><p>[<abbr class="abbrev">RFC3645</abbr>]
-
- <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span>
- <span class="citetitle"><em class="citetitle">Generic Security Service Algorithm for Secret
- Key Transaction Authentication for DNS
- (GSS-TSIG)</em>. </span>
- <span class="pubdate">October 2003. </span>
- </p>
-</div>
- </div>
- <div class="bibliodiv">
-
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.3.2"></a><p>[<abbr class="abbrev">RFC3225</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span>
- <span class="citetitle"><em class="citetitle">Indicating Resolver Support of DNSSEC</em>. </span>
- <span class="pubdate">December 2001. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.3.3"></a><p>[<abbr class="abbrev">RFC3833</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span>
- <span class="citetitle"><em class="citetitle">Threat Analysis of the Domain Name System (DNS)</em>. </span>
- <span class="pubdate">August 2004. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.3.4"></a><p>[<abbr class="abbrev">RFC4033</abbr>]
-
- <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
- <span class="citetitle"><em class="citetitle">DNS Security Introduction and Requirements</em>. </span>
- <span class="pubdate">March 2005. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.3.5"></a><p>[<abbr class="abbrev">RFC4034</abbr>]
-
- <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
- <span class="citetitle"><em class="citetitle">Resource Records for the DNS Security Extensions</em>. </span>
- <span class="pubdate">March 2005. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.3.6"></a><p>[<abbr class="abbrev">RFC4035</abbr>]
-
- <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
- <span class="citetitle"><em class="citetitle">Protocol Modifications for the DNS
- Security Extensions</em>. </span>
- <span class="pubdate">March 2005. </span>
- </p>
-</div>
- </div>
- <div class="bibliodiv">
-
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.4.2"></a><p>[<abbr class="abbrev">RFC1535</abbr>]
-
- <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span>
- <span class="citetitle"><em class="citetitle">A Security Problem and Proposed Correction With Widely
- Deployed <acronym class="acronym">DNS</acronym> Software</em>. </span>
- <span class="pubdate">October 1993. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.4.3"></a><p>[<abbr class="abbrev">RFC1536</abbr>]
-
- <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span>
- <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Implementation
- Errors and Suggested Fixes</em>. </span>
- <span class="pubdate">October 1993. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.4.4"></a><p>[<abbr class="abbrev">RFC1982</abbr>]
-
- <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span>
- <span class="citetitle"><em class="citetitle">Serial Number Arithmetic</em>. </span>
- <span class="pubdate">August 1996. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.4.5"></a><p>[<abbr class="abbrev">RFC4074</abbr>]
-
- <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span>
- <span class="citetitle"><em class="citetitle">Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
- Queries for IPv6 Addresses</em>. </span>
- <span class="pubdate">May 2005. </span>
- </p>
-</div>
- </div>
- <div class="bibliodiv">
-
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.2"></a><p>[<abbr class="abbrev">RFC1183</abbr>]
-
- <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span>
- <span class="citetitle"><em class="citetitle">New <acronym class="acronym">DNS</acronym> RR Definitions</em>. </span>
- <span class="pubdate">October 1990. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.3"></a><p>[<abbr class="abbrev">RFC1706</abbr>]
-
- <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span>
- <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> NSAP Resource Records</em>. </span>
- <span class="pubdate">October 1994. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.4"></a><p>[<abbr class="abbrev">RFC2168</abbr>]
-
- <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span>
- <span class="citetitle"><em class="citetitle">Resolution of Uniform Resource Identifiers using
- the Domain Name System</em>. </span>
- <span class="pubdate">June 1997. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.5"></a><p>[<abbr class="abbrev">RFC1876</abbr>]
-
- <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span>
- <span class="citetitle"><em class="citetitle">A Means for Expressing Location Information in the
- Domain
- Name System</em>. </span>
- <span class="pubdate">January 1996. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.6"></a><p>[<abbr class="abbrev">RFC2052</abbr>]
-
- <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
- <span class="citetitle"><em class="citetitle">A <acronym class="acronym">DNS</acronym> RR for Specifying the
- Location of
- Services</em>. </span>
- <span class="pubdate">October 1996. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.7"></a><p>[<abbr class="abbrev">RFC2163</abbr>]
-
- <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span>
- <span class="citetitle"><em class="citetitle">Using the Internet <acronym class="acronym">DNS</acronym> to
- Distribute MIXER
- Conformant Global Address Mapping</em>. </span>
- <span class="pubdate">January 1998. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.8"></a><p>[<abbr class="abbrev">RFC2230</abbr>]
-
- <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span>
- <span class="citetitle"><em class="citetitle">Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></em>. </span>
- <span class="pubdate">October 1997. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.9"></a><p>[<abbr class="abbrev">RFC2536</abbr>]
-
- <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
- <span class="citetitle"><em class="citetitle">DSA KEYs and SIGs in the Domain Name System (DNS)</em>. </span>
- <span class="pubdate">March 1999. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.10"></a><p>[<abbr class="abbrev">RFC2537</abbr>]
-
- <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
- <span class="citetitle"><em class="citetitle">RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</em>. </span>
- <span class="pubdate">March 1999. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.11"></a><p>[<abbr class="abbrev">RFC2538</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
- <span class="citetitle"><em class="citetitle">Storing Certificates in the Domain Name System (DNS)</em>. </span>
- <span class="pubdate">March 1999. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.12"></a><p>[<abbr class="abbrev">RFC2539</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
- <span class="citetitle"><em class="citetitle">Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</em>. </span>
- <span class="pubdate">March 1999. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.13"></a><p>[<abbr class="abbrev">RFC2540</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
- <span class="citetitle"><em class="citetitle">Detached Domain Name System (DNS) Information</em>. </span>
- <span class="pubdate">March 1999. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.14"></a><p>[<abbr class="abbrev">RFC2782</abbr>]
-
- <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span>
- <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
- <span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span>
- <span class="citetitle"><em class="citetitle">A DNS RR for specifying the location of services (DNS SRV)</em>. </span>
- <span class="pubdate">February 2000. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.15"></a><p>[<abbr class="abbrev">RFC2915</abbr>]
-
- <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span>
- <span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span>
- <span class="citetitle"><em class="citetitle">The Naming Authority Pointer (NAPTR) DNS Resource Record</em>. </span>
- <span class="pubdate">September 2000. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.16"></a><p>[<abbr class="abbrev">RFC3110</abbr>]
-
- <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
- <span class="citetitle"><em class="citetitle">RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</em>. </span>
- <span class="pubdate">May 2001. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.17"></a><p>[<abbr class="abbrev">RFC3123</abbr>]
-
- <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span>
- <span class="citetitle"><em class="citetitle">A DNS RR Type for Lists of Address Prefixes (APL RR)</em>. </span>
- <span class="pubdate">June 2001. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.18"></a><p>[<abbr class="abbrev">RFC3596</abbr>]
-
- <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span>
- <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Extensions to support IP
- version 6</em>. </span>
- <span class="pubdate">October 2003. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.5.19"></a><p>[<abbr class="abbrev">RFC3597</abbr>]
-
- <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span>
- <span class="citetitle"><em class="citetitle">Handling of Unknown DNS Resource Record (RR) Types</em>. </span>
- <span class="pubdate">September 2003. </span>
- </p>
-</div>
- </div>
- <div class="bibliodiv">
-
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.2"></a><p>[<abbr class="abbrev">RFC1101</abbr>]
-
- <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span>
- <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Encoding of Network Names
- and Other Types</em>. </span>
- <span class="pubdate">April 1989. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.3"></a><p>[<abbr class="abbrev">RFC1123</abbr>]
-
- <span class="author"><span class="surname">Braden</span>. </span>
- <span class="citetitle"><em class="citetitle">Requirements for Internet Hosts - Application and
- Support</em>. </span>
- <span class="pubdate">October 1989. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.4"></a><p>[<abbr class="abbrev">RFC1591</abbr>]
-
- <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span>
- <span class="citetitle"><em class="citetitle">Domain Name System Structure and Delegation</em>. </span>
- <span class="pubdate">March 1994. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.5"></a><p>[<abbr class="abbrev">RFC2317</abbr>]
-
- <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
- <span class="citetitle"><em class="citetitle">Classless IN-ADDR.ARPA Delegation</em>. </span>
- <span class="pubdate">March 1998. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.6"></a><p>[<abbr class="abbrev">RFC2826</abbr>]
-
- <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span>
- <span class="citetitle"><em class="citetitle">IAB Technical Comment on the Unique DNS Root</em>. </span>
- <span class="pubdate">May 2000. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.6.7"></a><p>[<abbr class="abbrev">RFC2929</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span>
- <span class="citetitle"><em class="citetitle">Domain Name System (DNS) IANA Considerations</em>. </span>
- <span class="pubdate">September 2000. </span>
- </p>
-</div>
- </div>
- <div class="bibliodiv">
-
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.7.2"></a><p>[<abbr class="abbrev">RFC1033</abbr>]
-
- <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span>
- <span class="citetitle"><em class="citetitle">Domain administrators operations guide</em>. </span>
- <span class="pubdate">November 1987. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.7.3"></a><p>[<abbr class="abbrev">RFC1537</abbr>]
-
- <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span>
- <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Data File
- Configuration Errors</em>. </span>
- <span class="pubdate">October 1993. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.7.4"></a><p>[<abbr class="abbrev">RFC1912</abbr>]
-
- <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span>
- <span class="citetitle"><em class="citetitle">Common <acronym class="acronym">DNS</acronym> Operational and
- Configuration Errors</em>. </span>
- <span class="pubdate">February 1996. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.7.5"></a><p>[<abbr class="abbrev">RFC2010</abbr>]
-
- <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span>
- <span class="citetitle"><em class="citetitle">Operational Criteria for Root Name Servers</em>. </span>
- <span class="pubdate">October 1996. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.7.6"></a><p>[<abbr class="abbrev">RFC2219</abbr>]
-
- <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span>
- <span class="citetitle"><em class="citetitle">Use of <acronym class="acronym">DNS</acronym> Aliases for
- Network Services</em>. </span>
- <span class="pubdate">October 1997. </span>
- </p>
-</div>
- </div>
- <div class="bibliodiv">
-
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.8.2"></a><p>[<abbr class="abbrev">RFC2825</abbr>]
-
- <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span>
- <span class="citetitle"><em class="citetitle">A Tangled Web: Issues of I18N, Domain Names,
- and the Other Internet protocols</em>. </span>
- <span class="pubdate">May 2000. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.8.3"></a><p>[<abbr class="abbrev">RFC3490</abbr>]
-
- <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span>
- <span class="citetitle"><em class="citetitle">Internationalizing Domain Names in Applications (IDNA)</em>. </span>
- <span class="pubdate">March 2003. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.8.4"></a><p>[<abbr class="abbrev">RFC3491</abbr>]
-
- <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span>
- <span class="citetitle"><em class="citetitle">Nameprep: A Stringprep Profile for Internationalized Domain Names</em>. </span>
- <span class="pubdate">March 2003. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.8.5"></a><p>[<abbr class="abbrev">RFC3492</abbr>]
-
- <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span>
- <span class="citetitle"><em class="citetitle">Punycode: A Bootstring encoding of Unicode
- for Internationalized Domain Names in
- Applications (IDNA)</em>. </span>
- <span class="pubdate">March 2003. </span>
- </p>
-</div>
- </div>
- <div class="bibliodiv">
-
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- Note: the following list of RFCs, although
- <acronym class="acronym">DNS</acronym>-related, are not
- concerned with implementing software.
- </p>
- </div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.3"></a><p>[<abbr class="abbrev">RFC1464</abbr>]
-
- <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span>
- <span class="citetitle"><em class="citetitle">Using the Domain Name System To Store Arbitrary String
- Attributes</em>. </span>
- <span class="pubdate">May 1993. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.4"></a><p>[<abbr class="abbrev">RFC1713</abbr>]
-
- <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span>
- <span class="citetitle"><em class="citetitle">Tools for <acronym class="acronym">DNS</acronym> Debugging</em>. </span>
- <span class="pubdate">November 1994. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.5"></a><p>[<abbr class="abbrev">RFC1794</abbr>]
-
- <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span>
- <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Support for Load
- Balancing</em>. </span>
- <span class="pubdate">April 1995. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.6"></a><p>[<abbr class="abbrev">RFC2240</abbr>]
-
- <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span>
- <span class="citetitle"><em class="citetitle">A Legal Basis for Domain Name Allocation</em>. </span>
- <span class="pubdate">November 1997. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.7"></a><p>[<abbr class="abbrev">RFC2345</abbr>]
-
- <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span>
- <span class="citetitle"><em class="citetitle">Domain Names and Company Name Retrieval</em>. </span>
- <span class="pubdate">May 1998. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.8"></a><p>[<abbr class="abbrev">RFC2352</abbr>]
-
- <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span>
- <span class="citetitle"><em class="citetitle">A Convention For Using Legal Names as Domain Names</em>. </span>
- <span class="pubdate">May 1998. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.9"></a><p>[<abbr class="abbrev">RFC3071</abbr>]
-
- <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span>
- <span class="citetitle"><em class="citetitle">Reflections on the DNS, RFC 1591, and Categories of Domains</em>. </span>
- <span class="pubdate">February 2001. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.10"></a><p>[<abbr class="abbrev">RFC3258</abbr>]
-
- <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span>
- <span class="citetitle"><em class="citetitle">Distributing Authoritative Name Servers via
- Shared Unicast Addresses</em>. </span>
- <span class="pubdate">April 2002. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.9.11"></a><p>[<abbr class="abbrev">RFC3901</abbr>]
-
- <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span>
- <span class="citetitle"><em class="citetitle">DNS IPv6 Transport Operational Guidelines</em>. </span>
- <span class="pubdate">September 2004. </span>
- </p>
-</div>
- </div>
- <div class="bibliodiv">
-
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.10.2"></a><p>[<abbr class="abbrev">RFC1712</abbr>]
-
- <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span>
- <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> Encoding of Geographical
- Location</em>. </span>
- <span class="pubdate">November 1994. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.10.3"></a><p>[<abbr class="abbrev">RFC2673</abbr>]
-
- <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span>
- <span class="citetitle"><em class="citetitle">Binary Labels in the Domain Name System</em>. </span>
- <span class="pubdate">August 1999. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.10.4"></a><p>[<abbr class="abbrev">RFC2874</abbr>]
-
- <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span>
- <span class="citetitle"><em class="citetitle">DNS Extensions to Support IPv6 Address Aggregation
- and Renumbering</em>. </span>
- <span class="pubdate">July 2000. </span>
- </p>
-</div>
- </div>
- <div class="bibliodiv">
-
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- Most of these have been consolidated into RFC4033,
- RFC4034 and RFC4035 which collectively describe DNSSECbis.
- </p>
- </div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.3"></a><p>[<abbr class="abbrev">RFC2065</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span>
- <span class="citetitle"><em class="citetitle">Domain Name System Security Extensions</em>. </span>
- <span class="pubdate">January 1997. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.4"></a><p>[<abbr class="abbrev">RFC2137</abbr>]
-
- <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
- <span class="citetitle"><em class="citetitle">Secure Domain Name System Dynamic Update</em>. </span>
- <span class="pubdate">April 1997. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.5"></a><p>[<abbr class="abbrev">RFC2535</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span>
- <span class="citetitle"><em class="citetitle">Domain Name System Security Extensions</em>. </span>
- <span class="pubdate">March 1999. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.6"></a><p>[<abbr class="abbrev">RFC3008</abbr>]
-
- <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span>
- <span class="citetitle"><em class="citetitle">Domain Name System Security (DNSSEC)
- Signing Authority</em>. </span>
- <span class="pubdate">November 2000. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.7"></a><p>[<abbr class="abbrev">RFC3090</abbr>]
-
- <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span>
- <span class="citetitle"><em class="citetitle">DNS Security Extension Clarification on Zone Status</em>. </span>
- <span class="pubdate">March 2001. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.8"></a><p>[<abbr class="abbrev">RFC3445</abbr>]
-
- <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span>
- <span class="citetitle"><em class="citetitle">Limiting the Scope of the KEY Resource Record (RR)</em>. </span>
- <span class="pubdate">December 2002. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.9"></a><p>[<abbr class="abbrev">RFC3655</abbr>]
-
- <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
- <span class="citetitle"><em class="citetitle">Redefinition of DNS Authenticated Data (AD) bit</em>. </span>
- <span class="pubdate">November 2003. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.10"></a><p>[<abbr class="abbrev">RFC3658</abbr>]
-
- <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span>
- <span class="citetitle"><em class="citetitle">Delegation Signer (DS) Resource Record (RR)</em>. </span>
- <span class="pubdate">December 2003. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.11"></a><p>[<abbr class="abbrev">RFC3755</abbr>]
-
- <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span>
- <span class="citetitle"><em class="citetitle">Legacy Resolver Compatibility for Delegation Signer (DS)</em>. </span>
- <span class="pubdate">May 2004. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.12"></a><p>[<abbr class="abbrev">RFC3757</abbr>]
-
- <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span>
- <span class="citetitle"><em class="citetitle">Domain Name System KEY (DNSKEY) Resource Record
- (RR) Secure Entry Point (SEP) Flag</em>. </span>
- <span class="pubdate">April 2004. </span>
- </p>
-</div>
- <div class="biblioentry">
-<a name="id-1.12.3.2.6.11.13"></a><p>[<abbr class="abbrev">RFC3845</abbr>]
-
- <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span>
- <span class="citetitle"><em class="citetitle">DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</em>. </span>
- <span class="pubdate">August 2004. </span>
- </p>
-</div>
- </div>
- </div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="internet_drafts"></a>Internet Drafts</h3></div></div></div>
-
- <p>
- Internet Drafts (IDs) are rough-draft working documents of
- the Internet Engineering Task Force. They are, in essence, RFCs
- in the preliminary stages of development. Implementors are
- cautioned not
- to regard IDs as archival, and they should not be quoted or cited
- in any formal documents unless accompanied by the disclaimer that
- they are "works in progress." IDs have a lifespan of six months
- after which they are deleted unless updated by their authors.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="more_about_bind"></a>Other Documents About <acronym class="acronym">BIND</acronym>
-</h3></div></div></div>
-
- <p></p>
- <div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.12.3.4.3"></a>Bibliography</h4></div></div></div>
- <div class="biblioentry">
-<a name="id-1.12.3.4.3.1"></a><p>
- <span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span>
- <span class="citetitle"><em class="citetitle"><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></em>. </span>
- <span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span>
- </p>
-</div>
- </div>
- </div>
- </div>
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch10.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch12.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix D. BIND 9 DNS Library Support</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix D. BIND 9 DNS Library Support</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information">
-<link rel="next" href="Bv9ARM.ch13.html" title="Manual pages">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix D. BIND 9 DNS Library Support</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch11.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch13.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="appendix">
-<div class="titlepage"><div><div><h1 class="title">
-<a name="Bv9ARM.ch12"></a>BIND 9 DNS Library Support</h1></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.4">Prerequisite</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.5">Compilation</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.6">Installation</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.7">Known Defects/Restrictions</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.8">The dns.conf File</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.9">Sample Applications</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.10">Library References</a></span></dt>
-</dl></dd>
-</dl>
-</div>
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div>
-
- <p>This version of BIND 9 "exports" its internal libraries so
- that they can be used by third-party applications more easily (we
- call them "export" libraries in this document). In addition to
- all major DNS-related APIs BIND 9 is currently using, the export
- libraries provide the following features:</p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>The newly created "DNS client" module. This is a higher
- level API that provides an interface to name resolution,
- single DNS transaction with a particular server, and dynamic
- update. Regarding name resolution, it supports advanced
- features such as DNSSEC validation and caching. This module
- supports both synchronous and asynchronous mode.</p>
- </li>
-<li class="listitem">
- <p>The new "IRS" (Information Retrieval System) library.
- It provides an interface to parse the traditional resolv.conf
- file and more advanced, DNS-specific configuration file for
- the rest of this package (see the description for the
- dns.conf file below).</p>
- </li>
-<li class="listitem">
- <p>As part of the IRS library, newly implemented standard
- address-name mapping functions, getaddrinfo() and
- getnameinfo(), are provided. They use the DNSSEC-aware
- validating resolver backend, and could use other advanced
- features of the BIND 9 libraries such as caching. The
- getaddrinfo() function resolves both A and AAAA RRs
- concurrently (when the address family is unspecified).</p>
- </li>
-<li class="listitem">
- <p>An experimental framework to support other event
- libraries than BIND 9's internal event task system.</p>
- </li>
-</ul></div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.13.2.4"></a>Prerequisite</h3></div></div></div>
-
- <p>GNU make is required to build the export libraries (other
- part of BIND 9 can still be built with other types of make). In
- the reminder of this document, "make" means GNU make. Note that
- in some platforms you may need to invoke a different command name
- than "make" (e.g. "gmake") to indicate it's GNU make.</p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.13.2.5"></a>Compilation</h3></div></div></div>
-
- <pre class="screen">
-$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong>
-$ <strong class="userinput"><code>make</code></strong>
-</pre>
- <p>
- This will create (in addition to usual BIND 9 programs) and a
- separate set of libraries under the lib/export directory. For
- example, <code class="filename">lib/export/dns/libdns.a</code> is the archive file of the
- export version of the BIND 9 DNS library. Sample application
- programs using the libraries will also be built under the
- lib/export/samples directory (see below).</p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.13.2.6"></a>Installation</h3></div></div></div>
-
- <pre class="screen">
-$ <strong class="userinput"><code>cd lib/export</code></strong>
-$ <strong class="userinput"><code>make install</code></strong>
-</pre>
- <p>
- This will install library object files under the directory
- specified by the --with-export-libdir configure option (default:
- EPREFIX/lib/bind9), and header files under the directory
- specified by the --with-export-includedir configure option
- (default: PREFIX/include/bind9).
- Root privilege is normally required.
- "<span class="command"><strong>make install</strong></span>" at the top directory will do the
- same.
- </p>
- <p>
- To see how to build your own
- application after the installation, see
- <code class="filename">lib/export/samples/Makefile-postinstall.in</code>.</p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.13.2.7"></a>Known Defects/Restrictions</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-
- <p>Currently, win32 is not supported for the export
- library. (Normal BIND 9 application can be built as
- before).</p>
- </li>
-<li class="listitem">
- <p>The "fixed" RRset order is not (currently) supported in
- the export library. If you want to use "fixed" RRset order
- for, e.g. <span class="command"><strong>named</strong></span> while still building the
- export library even without the fixed order support, build
- them separately:
- </p>
-<pre class="screen">
-$ <strong class="userinput"><code>./configure --enable-fixed-rrset <em class="replaceable"><code>[other flags, but not --enable-exportlib]</code></em></code></strong>
-$ <strong class="userinput"><code>make</code></strong>
-$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags, but not --enable-fixed-rrset]</code></em></code></strong>
-$ <strong class="userinput"><code>cd lib/export</code></strong>
-$ <strong class="userinput"><code>make</code></strong>
-</pre>
-<p>
- </p>
- </li>
-<li class="listitem">
- <p>The client module and the IRS library currently do not
- support DNSSEC validation using DLV (the underlying modules
- can handle it, but there is no tunable interface to enable
- the feature).</p>
- </li>
-<li class="listitem">
- <p>RFC 5011 is not supported in the validating stub
- resolver of the export library. In fact, it is not clear
- whether it should: trust anchors would be a system-wide
- configuration which would be managed by an administrator,
- while the stub resolver will be used by ordinary applications
- run by a normal user.</p>
- </li>
-<li class="listitem">
- <p>Not all common <code class="filename">/etc/resolv.conf</code>
- options are supported
- in the IRS library. The only available options in this
- version are "debug" and "ndots".</p>
- </li>
-</ul></div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.13.2.8"></a>The dns.conf File</h3></div></div></div>
-
- <p>The IRS library supports an "advanced" configuration file
- related to the DNS library for configuration parameters that
- would be beyond the capability of the
- <code class="filename">resolv.conf</code> file.
- Specifically, it is intended to provide DNSSEC related
- configuration parameters. By default the path to this
- configuration file is <code class="filename">/etc/dns.conf</code>.
- This module is very
- experimental and the configuration syntax or library interfaces
- may change in future versions. Currently, only the
- <span class="command"><strong>trusted-keys</strong></span>
- statement is supported, whose syntax is the same as the same name
- of statement for <code class="filename">named.conf</code>. (See
- <a class="xref" href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called “<span class="command"><strong>trusted-keys</strong></span> Statement Grammar”</a> for details.)</p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.13.2.9"></a>Sample Applications</h3></div></div></div>
-
- <p>Some sample application programs using this API are
- provided for reference. The following is a brief description of
- these applications.
- </p>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.13.2.9.3"></a>sample: a simple stub resolver utility</h4></div></div></div>
-
- <p>
- It sends a query of a given name (of a given optional RR type) to a
- specified recursive server, and prints the result as a list of
- RRs. It can also act as a validating stub resolver if a trust
- anchor is given via a set of command line options.</p>
- <p>
- Usage: sample [options] server_address hostname
- </p>
- <p>
- Options and Arguments:
- </p>
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">
- -t RRtype
- </span></dt>
-<dd><p>
- specify the RR type of the query. The default is the A RR.
- </p></dd>
-<dt><span class="term">
- [-a algorithm] [-e] -k keyname -K keystring
- </span></dt>
-<dd>
-<p>
- specify a command-line DNS key to validate the answer. For
- example, to specify the following DNSKEY of example.com:
-</p>
-<div class="literallayout"><p><br>
- example.com. 3600 IN DNSKEY 257 3 5 xxx<br>
-</p></div>
-<p>
- specify the options as follows:
-</p>
-<pre class="screen">
-<strong class="userinput"><code>
- -e -k example.com -K "xxx"
-</code></strong>
-</pre>
-<p>
- -e means that this key is a zone's "key signing key" (as known
- as "secure Entry point").
- When -a is omitted rsasha1 will be used by default.
- </p>
-</dd>
-<dt><span class="term">
- -s domain:alt_server_address
- </span></dt>
-<dd><p>
- specify a separate recursive server address for the specific
- "domain". Example: -s example.com:2001:db8::1234
- </p></dd>
-<dt><span class="term">server_address</span></dt>
-<dd><p>
- an IP(v4/v6) address of the recursive server to which queries
- are sent.
- </p></dd>
-<dt><span class="term">hostname</span></dt>
-<dd><p>
- the domain name for the query
- </p></dd>
-</dl></div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.13.2.9.4"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
-
- <p>
- Similar to "sample", but accepts a list
- of (query) domain names as a separate file and resolves the names
- asynchronously.</p>
- <p>
- Usage: sample-async [-s server_address] [-t RR_type] input_file</p>
- <p>
- Options and Arguments:
- </p>
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">
- -s server_address
- </span></dt>
-<dd>
- an IPv4 address of the recursive server to which queries are sent.
- (IPv6 addresses are not supported in this implementation)
- </dd>
-<dt><span class="term">
- -t RR_type
- </span></dt>
-<dd>
- specify the RR type of the queries. The default is the A
- RR.
- </dd>
-<dt><span class="term">
- input_file
- </span></dt>
-<dd>
- a list of domain names to be resolved. each line
- consists of a single domain name. Example:
- <div class="literallayout"><p><br>
-Â Â www.example.com<br>
-Â Â mx.example.net<br>
-Â Â ns.xxx.example<br>
-</p></div>
- </dd>
-</dl></div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.13.2.9.5"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
-
- <p>
- It sends a query to a specified server, and
- prints the response with minimal processing. It doesn't act as a
- "stub resolver": it stops the processing once it gets any
- response from the server, whether it's a referral or an alias
- (CNAME or DNAME) that would require further queries to get the
- ultimate answer. In other words, this utility acts as a very
- simplified <span class="command"><strong>dig</strong></span>.
- </p>
- <p>
- Usage: sample-request [-t RRtype] server_address hostname
- </p>
- <p>
- Options and Arguments:
- </p>
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">
- -t RRtype
- </span></dt>
-<dd>
- <p>
- specify the RR type of
- the queries. The default is the A RR.
- </p>
- </dd>
-<dt><span class="term">
- server_address
- </span></dt>
-<dd>
- <p>
- an IP(v4/v6)
- address of the recursive server to which the query is sent.
- </p>
- </dd>
-<dt><span class="term">
- hostname
- </span></dt>
-<dd>
- <p>
- the domain name for the query
- </p>
- </dd>
-</dl></div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.13.2.9.6"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
-
- <p>
- This is a test program
- to check getaddrinfo() and getnameinfo() behavior. It takes a
- host name as an argument, calls getaddrinfo() with the given host
- name, and calls getnameinfo() with the resulting IP addresses
- returned by getaddrinfo(). If the dns.conf file exists and
- defines a trust anchor, the underlying resolver will act as a
- validating resolver, and getaddrinfo()/getnameinfo() will fail
- with an EAI_INSECUREDATA error when DNSSEC validation fails.
- </p>
- <p>
- Usage: sample-gai hostname
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.13.2.9.7"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
-
- <p>
- It accepts a single update command as a
- command-line argument, sends an update request message to the
- authoritative server, and shows the response from the server. In
- other words, this is a simplified <span class="command"><strong>nsupdate</strong></span>.
- </p>
- <p>
- Usage: sample-update [options] (add|delete) "update data"
- </p>
- <p>
- Options and Arguments:
- </p>
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">
- -a auth_server
- </span></dt>
-<dd><p>
- An IP address of the authoritative server that has authority
- for the zone containing the update name. This should normally
- be the primary authoritative server that accepts dynamic
- updates. It can also be a secondary server that is configured
- to forward update requests to the primary server.
- </p></dd>
-<dt><span class="term">
- -k keyfile
- </span></dt>
-<dd><p>
- A TSIG key file to secure the update transaction. The keyfile
- format is the same as that for the nsupdate utility.
- </p></dd>
-<dt><span class="term">
- -p prerequisite
- </span></dt>
-<dd><p>
- A prerequisite for the update (only one prerequisite can be
- specified). The prerequisite format is the same as that is
- accepted by the nsupdate utility.
- </p></dd>
-<dt><span class="term">
- -r recursive_server
- </span></dt>
-<dd><p>
- An IP address of a recursive server that this utility will
- use. A recursive server may be necessary to identify the
- authoritative server address to which the update request is
- sent.
- </p></dd>
-<dt><span class="term">
- -z zonename
- </span></dt>
-<dd><p>
- The domain name of the zone that contains
- </p></dd>
-<dt><span class="term">
- (add|delete)
- </span></dt>
-<dd><p>
- Specify the type of update operation. Either "add" or "delete"
- must be specified.
- </p></dd>
-<dt><span class="term">
- "update data"
- </span></dt>
-<dd><p>
- Specify the data to be updated. A typical example of the data
- would look like "name TTL RRtype RDATA".
- </p></dd>
-</dl></div>
-
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- In practice, either -a or -r must be specified. Others can
- be optional; the underlying library routine tries to identify the
- appropriate server and the zone name for the update.
- </p>
-</div>
-
- <p>
- Examples: assuming the primary authoritative server of the
- dynamic.example.com zone has an IPv6 address 2001:db8::1234,
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre>
- <p>
- adds an A RR for foo.dynamic.example.com using the given key.
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre>
- <p>
- removes all A RRs for foo.dynamic.example.com using the given key.
- </p>
- <pre class="screen">
-$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
- <p>
- removes all RRs for foo.dynamic.example.com using the given key.
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id-1.13.2.9.8"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
-
- <p>
- It checks a set
- of domains to see the name servers of the domains behave
- correctly in terms of RFC 4074. This is included in the set of
- sample programs to show how the export library can be used in a
- DNS-related application.
- </p>
- <p>
- Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
- </p>
- <p>
- Options
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">
- -d
- </span></dt>
-<dd><p>
- run in the "debug" mode. with this option nsprobe will dump
- every RRs it receives.
- </p></dd>
-<dt><span class="term">
- -v
- </span></dt>
-<dd><p>
- increase verbosity of other normal log messages. This can be
- specified multiple times
- </p></dd>
-<dt><span class="term">
- -c cache_address
- </span></dt>
-<dd><p>
- specify an IP address of a recursive (caching) name server.
- nsprobe uses this server to get the NS RRset of each domain and
- the A and/or AAAA RRsets for the name servers. The default
- value is 127.0.0.1.
- </p></dd>
-<dt><span class="term">
- input_file
- </span></dt>
-<dd><p>
- a file name containing a list of domain (zone) names to be
- probed. when omitted the standard input will be used. Each
- line of the input file specifies a single domain name such as
- "example.com". In general this domain name must be the apex
- name of some DNS zone (unlike normal "host names" such as
- "www.example.com"). nsprobe first identifies the NS RRsets for
- the given domain name, and sends A and AAAA queries to these
- servers for some "widely used" names under the zone;
- specifically, adding "www" and "ftp" to the zone name.
- </p></dd>
-</dl></div>
- </div>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id-1.13.2.10"></a>Library References</h3></div></div></div>
-
- <p>As of this writing, there is no formal "manual" of the
- libraries, except this document, header files (some of them
- provide pretty detailed explanations), and sample application
- programs.</p>
- </div>
-</div>
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch11.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch13.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â Manual pages</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Manual pages</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch12.html" title="Appendix D. BIND 9 DNS Library Support">
-<link rel="next" href="man.dig.html" title="dig">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Manual pages</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch12.html">Prev</a>Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dig.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="reference">
-<div class="titlepage">
-<div><div><h1 class="title">
-<a name="Bv9ARM.ch13"></a>Manual pages</h1></div></div>
-<hr>
-</div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt>
-<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> — DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> — DNS pipelined lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> — DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.delv.html">delv</a></span><span class="refpurpose"> — DNS lookup and validation utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nslookup.html">nslookup</a></span><span class="refpurpose"> — query Internet name servers interactively</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> — DNSSEC delegation consistency checking tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-coverage.html"><span class="application">dnssec-coverage</span></a></span><span class="refpurpose"> — checks future DNSKEY coverage for a zone</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> — DNSSEC DS RR generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-importkey.html"><span class="application">dnssec-importkey</span></a></span><span class="refpurpose"> — import DNSKEY records from external systems so they can be managed</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> — DNSSEC key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> — DNSSEC key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keymgr.html"><span class="application">dnssec-keymgr</span></a></span><span class="refpurpose"> — Ensures correct DNSKEY coverage for a zone based on a defined policy</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> — set the REVOKED bit on a DNSSEC key</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> — set the key timing metadata for a DNSSEC key</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> — DNSSEC zone signing tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> — DNSSEC zone verification tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> — Internet domain name server</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> — configuration file for <span class="command"><strong>named</strong></span></span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> — named configuration file syntax checking tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> — zone file validity checking or converting tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> — print zone journal in human-readable form</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-nzd2nzf.html"><span class="application">named-nzd2nzf</span></a></span><span class="refpurpose"> —
- Convert an NZD database to NZF text format
- </span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-rrchecker.html"><span class="application">named-rrchecker</span></a></span><span class="refpurpose"> — syntax checker for individual DNS resource records</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> — Dynamic DNS update utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> — name server control utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> — rndc configuration file</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> — rndc key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> — ddns key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> — translate IP addresses to the corresponding ARPA names</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnstap-read.html"><span class="application">dnstap-read</span></a></span><span class="refpurpose"> — print dnstap data in human-readable form</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> — generate a file containing random data</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> — fixes HMAC keys generated by older versions of BIND</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> — generate NSEC3 hash</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-destroy.html"><span class="application">pkcs11-destroy</span></a></span><span class="refpurpose"> — destroy PKCS#11 objects</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-list.html"><span class="application">pkcs11-list</span></a></span><span class="refpurpose"> — list PKCS#11 objects</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-keygen.html"><span class="application">pkcs11-keygen</span></a></span><span class="refpurpose"> — generate keys on a PKCS#11 device</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-tokens.html"><span class="application">pkcs11-tokens</span></a></span><span class="refpurpose"> — list PKCS#11 available tokens</span>
-</dt>
-</dl>
-</div>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch12.html">Prev</a>Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dig.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Appendix D. BIND 9 DNS Library Support </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â dig</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>BIND 9 Administrator Reference Manual</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">BIND 9 Administrator Reference Manual</th></tr>
-<tr>
-<td width="20%" align="left">Â </td>
-<th width="60%" align="center">Â </th>
-<td width="20%" align="right">Â <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="book">
-<div class="titlepage">
-<div>
-<div><h1 class="title">
-<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.12.0-pre-alpha</p></div>
-<div><p class="copyright">Copyright © 2000-2017 Internet Systems Consortium, Inc. ("ISC")</p></div>
-</div>
-<hr>
-</div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl class="toc">
-<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#doc_scope">Scope of Document</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#organization">Organization of This Document</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#conventions">Conventions Used in This Document</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_overview">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#dns_fundamentals">DNS Fundamentals</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#domain_names">Domains and Domain Names</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#zones">Zones</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#auth_servers">Authoritative Name Servers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#cache_servers">Caching Name Servers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch01.html#multi_role">Name Servers in Multiple Roles</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#hw_req">Hardware requirements</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#cpu_req">CPU Requirements</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#mem_req">Memory Requirements</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch02.html#supported_os">Supported Operating Systems</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#cache_only_sample">A Caching-only Name Server</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#auth_only_sample">An Authoritative-only Name Server</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#load_balancing">Load Balancing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#ns_operations">Name Server Operations</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns">Split DNS</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch04.html#split_dns_sample">Example split DNS setup</a></span></dt></dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.5">Generating a Shared Key</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.6">Loading A New Key</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.7">Instructing the Server to Use a Key</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.8">TSIG-Based Access Control</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.6.9">Errors</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#tkey">TKEY</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.3">Converting from insecure to secure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.8">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.16">Fully automatic zone signing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.25">Private-type records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.32">DNSKEY rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.34">Dynamic DNS update method</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.39">Automatic key rollovers</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.41">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.43">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.45">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.47">Converting from secure to insecure</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.51">Periodic re-signing</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.10.53">NSEC3 and OPTOUT</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.3">Validating Resolver</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.11.4">Authoritative Server</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#pkcs11">PKCS#11 (Cryptoki) support</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.6">Prerequisites</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.7">Native PKCS#11</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.8">OpenSSL-based PKCS#11</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.9">PKCS#11 Tools</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.10">Using the HSM</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.11">Specifying the engine on the command line</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.12.12">Running named with automatic zone re-signing</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.6">Configuring DLZ</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.13.7">Sample DLZ Driver</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#dyndb-info">DynDB (Dynamic Database)</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.5">Configuring DynDB</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.14.6">Sample DynDB Module</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#catz-info">Catalog Zones</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.4">Principle of Operation</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.5">Configuring Catalog Zones</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.15.6">Catalog Zone format</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#ipv6">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.6">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch04.html#id-1.5.16.7">Address to Name Lookups Using Nibble Format</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch05.html#lightweight_resolver">The Lightweight Resolver Library</a></span></dt></dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#comment_syntax">Comment Syntax</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
- Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_file">Zone File</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#mx_records">Discussion of MX Records</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
-</dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#common_problems">Common Problems</a></span></dt>
-<dd><dl><dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2.2">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.3">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#more_help">Where Can I Get Help?</a></span></dt>
-</dl></dd>
-<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.12.0-pre-alpha</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Windows XP No Longer Supported</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="appendix"><a href="Bv9ARM.ch10.html">B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt>
-<dt><span class="appendix"><a href="Bv9ARM.ch11.html">C. General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch11.html#more_about_bind">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="appendix"><a href="Bv9ARM.ch12.html">D. BIND 9 DNS Library Support</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
-<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.4">Prerequisite</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.5">Compilation</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.6">Installation</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.7">Known Defects/Restrictions</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.8">The dns.conf File</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.9">Sample Applications</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch12.html#id-1.13.2.10">Library References</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="reference"><a href="Bv9ARM.ch13.html">I. Manual pages</a></span></dt>
-<dd><dl>
-<dt>
-<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> — DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.mdig.html"><span class="application">mdig</span></a></span><span class="refpurpose"> — DNS pipelined lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> — DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.delv.html">delv</a></span><span class="refpurpose"> — DNS lookup and validation utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nslookup.html">nslookup</a></span><span class="refpurpose"> — query Internet name servers interactively</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> — DNSSEC delegation consistency checking tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-coverage.html"><span class="application">dnssec-coverage</span></a></span><span class="refpurpose"> — checks future DNSKEY coverage for a zone</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> — DNSSEC DS RR generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-importkey.html"><span class="application">dnssec-importkey</span></a></span><span class="refpurpose"> — import DNSKEY records from external systems so they can be managed</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> — DNSSEC key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> — DNSSEC key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keymgr.html"><span class="application">dnssec-keymgr</span></a></span><span class="refpurpose"> — Ensures correct DNSKEY coverage for a zone based on a defined policy</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> — set the REVOKED bit on a DNSSEC key</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> — set the key timing metadata for a DNSSEC key</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> — DNSSEC zone signing tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> — DNSSEC zone verification tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> — Internet domain name server</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named.conf.html"><code class="filename">named.conf</code></a></span><span class="refpurpose"> — configuration file for <span class="command"><strong>named</strong></span></span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> — named configuration file syntax checking tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> — zone file validity checking or converting tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> — print zone journal in human-readable form</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-nzd2nzf.html"><span class="application">named-nzd2nzf</span></a></span><span class="refpurpose"> —
- Convert an NZD database to NZF text format
- </span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-rrchecker.html"><span class="application">named-rrchecker</span></a></span><span class="refpurpose"> — syntax checker for individual DNS resource records</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> — Dynamic DNS update utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> — name server control utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> — rndc configuration file</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> — rndc key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> — ddns key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> — translate IP addresses to the corresponding ARPA names</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnstap-read.html"><span class="application">dnstap-read</span></a></span><span class="refpurpose"> — print dnstap data in human-readable form</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> — generate a file containing random data</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> — fixes HMAC keys generated by older versions of BIND</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> — generate NSEC3 hash</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-destroy.html"><span class="application">pkcs11-destroy</span></a></span><span class="refpurpose"> — destroy PKCS#11 objects</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-list.html"><span class="application">pkcs11-list</span></a></span><span class="refpurpose"> — list PKCS#11 objects</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-keygen.html"><span class="application">pkcs11-keygen</span></a></span><span class="refpurpose"> — generate keys on a PKCS#11 device</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.pkcs11-tokens.html"><span class="application">pkcs11-tokens</span></a></span><span class="refpurpose"> — list PKCS#11 available tokens</span>
-</dt>
-</dl></dd>
-</dl>
-</div>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- </div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right">Â <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Â </td>
-<td width="20%" align="center">Â </td>
-<td width="40%" align="right" valign="top"> Chapter 1. Introduction</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>arpaname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.ddns-confgen.html" title="ddns-confgen">
-<link rel="next" href="man.dnstap-read.html" title="dnstap-read">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">arpaname</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.ddns-confgen.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnstap-read.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.arpaname"></a><div class="titlepage"></div>
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">arpaname</span>
- — translate IP addresses to the corresponding ARPA names
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">arpaname</code>
- {<em class="replaceable"><code>ipaddress </code></em>...}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.30.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>arpaname</strong></span> translates IP addresses (IPv4 and
- IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.30.8"></a><h2>SEE ALSO</h2>
-
- <p>
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.ddns-confgen.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnstap-read.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">ddns-confgen</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnstap-read</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>ddns-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen">
-<link rel="next" href="man.arpaname.html" title="arpaname">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">ddns-confgen</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.rndc-confgen.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.arpaname.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.ddns-confgen"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">ddns-confgen</span>
- — ddns key generation tool
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">tsig-keygen</code>
- [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
- [<code class="option">-h</code>]
- [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
- [name]
- </p></div>
- <div class="cmdsynopsis"><p>
- <code class="command">ddns-confgen</code>
- [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
- [<code class="option">-h</code>]
- [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
- [<code class="option">-q</code>]
- [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
- [
- -s <em class="replaceable"><code>name</code></em>
- | -z <em class="replaceable"><code>zone</code></em>
- ]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.29.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
- are invocation methods for a utility that generates keys for use
- in TSIG signing. The resulting keys can be used, for example,
- to secure dynamic DNS updates to a zone or for the
- <span class="command"><strong>rndc</strong></span> command channel.
- </p>
-
- <p>
- When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
- can be specified on the command line which will be used as
- the name of the generated key. If no name is specified,
- the default is <code class="constant">tsig-key</code>.
- </p>
-
- <p>
- When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
- key is accompanied by configuration text and instructions
- that can be used with <span class="command"><strong>nsupdate</strong></span> and
- <span class="command"><strong>named</strong></span> when setting up dynamic DNS,
- including an example <span class="command"><strong>update-policy</strong></span>
- statement. (This usage similar to the
- <span class="command"><strong>rndc-confgen</strong></span> command for setting
- up command channel security.)
- </p>
-
- <p>
- Note that <span class="command"><strong>named</strong></span> itself can configure a
- local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
- it does this when a zone is configured with
- <span class="command"><strong>update-policy local;</strong></span>.
- <span class="command"><strong>ddns-confgen</strong></span> is only needed when a
- more elaborate configuration is required: for instance,
- if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
- system.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.29.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
- <p>
- Specifies the algorithm to use for the TSIG key. Available
- choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384 and hmac-sha512. The default is hmac-sha256.
- Options are case-insensitive, and the "hmac-" prefix
- may be omitted.
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Prints a short summary of options and arguments.
- </p>
- </dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd>
- <p>
- Specifies the key name of the DDNS authentication key.
- The default is <code class="constant">ddns-key</code> when neither
- the <code class="option">-s</code> nor <code class="option">-z</code> option is
- specified; otherwise, the default
- is <code class="constant">ddns-key</code> as a separate label
- followed by the argument of the option, e.g.,
- <code class="constant">ddns-key.example.com.</code>
- The key name must have the format of a valid domain name,
- consisting of letters, digits, hyphens and periods.
- </p>
- </dd>
-<dt><span class="term">-q</span></dt>
-<dd>
- <p>
- (<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode: Print
- only the key, with no explanatory text or usage examples;
- This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd>
- <p>
- Specifies a source of random data for generating the
- authorization. If the operating system does not provide a
- <code class="filename">/dev/random</code> or equivalent device, the
- default source of randomness is keyboard input.
- <code class="filename">randomdev</code> specifies the name of a
- character device or file containing random data to be used
- instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard input
- should be used.
- </p>
- </dd>
-<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
- <p>
- (<span class="command"><strong>ddns-confgen</strong></span> only.)
- Generate configuration example to allow dynamic updates
- of a single hostname. The example <span class="command"><strong>named.conf</strong></span>
- text shows how to set an update policy for the specified
- <em class="replaceable"><code>name</code></em>
- using the "name" nametype. The default key name is
- ddns-key.<em class="replaceable"><code>name</code></em>.
- Note that the "self" nametype cannot be used, since
- the name to be updated may differ from the key name.
- This option cannot be used with the <code class="option">-z</code> option.
- </p>
- </dd>
-<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
-<dd>
- <p>
- (<span class="command"><strong>ddns-confgen</strong></span> only.)
- Generate configuration example to allow dynamic updates
- of a zone: The example <span class="command"><strong>named.conf</strong></span> text
- shows how to set an update policy for the specified
- <em class="replaceable"><code>zone</code></em>
- using the "zonesub" nametype, allowing updates to
- all subdomain names within that
- <em class="replaceable"><code>zone</code></em>.
- This option cannot be used with the <code class="option">-s</code> option.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.29.9"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">nsupdate</span>(1)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named.conf</span>(5)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.rndc-confgen.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.arpaname.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">rndc-confgen</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">arpaname</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>delv</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.host.html" title="host">
-<link rel="next" href="man.nslookup.html" title="nslookup">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">delv</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.host.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.nslookup.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.delv"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- delv
- — DNS lookup and validation utility
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">delv</code>
- [@server]
- [
- [<code class="option">-4</code>]
- | [<code class="option">-6</code>]
- ]
- [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
- [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-i</code>]
- [<code class="option">-m</code>]
- [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
- [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
- [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
- [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
- [name]
- [type]
- [class]
- [queryopt...]
- </p></div>
-
- <div class="cmdsynopsis"><p>
- <code class="command">delv</code>
- [<code class="option">-h</code>]
- </p></div>
-
- <div class="cmdsynopsis"><p>
- <code class="command">delv</code>
- [<code class="option">-v</code>]
- </p></div>
-
- <div class="cmdsynopsis"><p>
- <code class="command">delv</code>
- [queryopt...]
- [query...]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.5.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>delv</strong></span>
- is a tool for sending
- DNS queries and validating the results, using the same internal
- resolver and validator logic as <span class="command"><strong>named</strong></span>.
- </p>
- <p>
- <span class="command"><strong>delv</strong></span> will send to a specified name server all
- queries needed to fetch and validate the requested data; this
- includes the original requested query, subsequent queries to follow
- CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
- to establish a chain of trust for DNSSEC validation.
- It does not perform iterative resolution, but simulates the
- behavior of a name server configured for DNSSEC validating and
- forwarding.
- </p>
- <p>
- By default, responses are validated using built-in DNSSEC trust
- anchors for the root zone (".") and for the ISC DNSSEC lookaside
- validation zone ("dlv.isc.org"). Records returned by
- <span class="command"><strong>delv</strong></span> are either fully validated or
- were not signed. If validation fails, an explanation of
- the failure is included in the output; the validation process
- can be traced in detail. Because <span class="command"><strong>delv</strong></span> does
- not rely on an external server to carry out validation, it can
- be used to check the validity of DNS responses in environments
- where local name servers may not be trustworthy.
- </p>
- <p>
- Unless it is told to query a specific name server,
- <span class="command"><strong>delv</strong></span> will try each of the servers listed in
- <code class="filename">/etc/resolv.conf</code>. If no usable server
- addresses are found, <span class="command"><strong>delv</strong></span> will send
- queries to the localhost addresses (127.0.0.1 for IPv4, ::1
- for IPv6).
- </p>
- <p>
- When no command line arguments or options are given,
- <span class="command"><strong>delv</strong></span> will perform an NS query for "."
- (the root zone).
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.5.8"></a><h2>SIMPLE USAGE</h2>
-
-
- <p>
- A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
- </p>
-<pre class="programlisting"> delv @server name type </pre>
-<p>
- where:
-
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="constant">server</code></span></dt>
-<dd>
- <p>
- is the name or IP address of the name server to query. This
- can be an IPv4 address in dotted-decimal notation or an IPv6
- address in colon-delimited notation. When the supplied
- <em class="parameter"><code>server</code></em> argument is a hostname,
- <span class="command"><strong>delv</strong></span> resolves that name before
- querying that name server (note, however, that this
- initial lookup is <span class="emphasis"><em>not</em></span> validated
- by DNSSEC).
- </p>
- <p>
- If no <em class="parameter"><code>server</code></em> argument is
- provided, <span class="command"><strong>delv</strong></span> consults
- <code class="filename">/etc/resolv.conf</code>; if an
- address is found there, it queries the name server at
- that address. If either of the <code class="option">-4</code> or
- <code class="option">-6</code> options are in use, then
- only addresses for the corresponding transport
- will be tried. If no usable addresses are found,
- <span class="command"><strong>delv</strong></span> will send queries to
- the localhost addresses (127.0.0.1 for IPv4,
- ::1 for IPv6).
- </p>
- </dd>
-<dt><span class="term"><code class="constant">name</code></span></dt>
-<dd>
- <p>
- is the domain name to be looked up.
- </p>
- </dd>
-<dt><span class="term"><code class="constant">type</code></span></dt>
-<dd>
- <p>
- indicates what type of query is required —
- ANY, A, MX, etc.
- <em class="parameter"><code>type</code></em> can be any valid query
- type. If no
- <em class="parameter"><code>type</code></em> argument is supplied,
- <span class="command"><strong>delv</strong></span> will perform a lookup for an
- A record.
- </p>
- </dd>
-</dl></div>
-<p>
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.5.9"></a><h2>OPTIONS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
-<dd>
- <p>
- Specifies a file from which to read DNSSEC trust anchors.
- The default is <code class="filename">/etc/bind.keys</code>, which
- is included with <acronym class="acronym">BIND</acronym> 9 and contains
- trust anchors for the root zone (".") and for the ISC
- DNSSEC lookaside validation zone ("dlv.isc.org").
- </p>
- <p>
- Keys that do not match the root or DLV trust-anchor
- names are ignored; these key names can be overridden
- using the <code class="option">+dlv=NAME</code> or
- <code class="option">+root=NAME</code> options.
- </p>
- <p>
- Note: When reading the trust anchor file,
- <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
- statements and <code class="option">trusted-keys</code> statements
- identically. That is, for a managed key, it is the
- <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
- key management is not supported. <span class="command"><strong>delv</strong></span>
- will not consult the managed-keys database maintained by
- <span class="command"><strong>named</strong></span>. This means that if either of the
- keys in <code class="filename">/etc/bind.keys</code> is revoked
- and rolled over, it will be necessary to update
- <code class="filename">/etc/bind.keys</code> to use DNSSEC
- validation in <span class="command"><strong>delv</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
-<dd>
- <p>
- Sets the source IP address of the query to
- <em class="parameter"><code>address</code></em>. This must be a valid address
- on one of the host's network interfaces or "0.0.0.0" or "::".
- An optional source port may be specified by appending
- "#<port>"
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
- <p>
- Sets the query class for the requested data. Currently,
- only class "IN" is supported in <span class="command"><strong>delv</strong></span>
- and any other value is ignored.
- </p>
- </dd>
-<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
- <p>
- Set the systemwide debug level to <code class="option">level</code>.
- The allowed range is from 0 to 99.
- The default is 0 (no debugging).
- Debugging traces from <span class="command"><strong>delv</strong></span> become
- more verbose as the debug level increases.
- See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
- and <code class="option">+vtrace</code> options below for additional
- debugging details.
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
- </p>
- </dd>
-<dt><span class="term">-i</span></dt>
-<dd>
- <p>
- Insecure mode. This disables internal DNSSEC validation.
- (Note, however, this does not set the CD bit on upstream
- queries. If the server being queried is performing DNSSEC
- validation, then it will not return invalid data; this
- can cause <span class="command"><strong>delv</strong></span> to time out. When it
- is necessary to examine invalid data to debug a DNSSEC
- problem, use <span class="command"><strong>dig +cd</strong></span>.)
- </p>
- </dd>
-<dt><span class="term">-m</span></dt>
-<dd>
- <p>
- Enables memory usage debugging.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
-<dd>
- <p>
- Specifies a destination port to use for queries instead of
- the standard DNS port number 53. This option would be used
- with a name server that has been configured to listen
- for queries on a non-standard port number.
- </p>
- </dd>
-<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
- <p>
- Sets the query name to <em class="parameter"><code>name</code></em>.
- While the query name can be specified without using the
- <code class="option">-q</code>, it is sometimes necessary to disambiguate
- names from types or classes (for example, when looking up the
- name "ns", which could be misinterpreted as the type NS,
- or "ch", which could be misinterpreted as class CH).
- </p>
- </dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
- <p>
- Sets the query type to <em class="parameter"><code>type</code></em>, which
- can be any valid query type supported in BIND 9 except
- for zone transfer types AXFR and IXFR. As with
- <code class="option">-q</code>, this is useful to distinguish
- query name type or class when they are ambiguous.
- it is sometimes necessary to disambiguate names from types.
- </p>
- <p>
- The default query type is "A", unless the <code class="option">-x</code>
- option is supplied to indicate a reverse lookup, in which case
- it is "PTR".
- </p>
- </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
- <p>
- Print the <span class="command"><strong>delv</strong></span> version and exit.
- </p>
- </dd>
-<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
-<dd>
- <p>
- Performs a reverse lookup, mapping an addresses to
- a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
- dotted-decimal notation, or a colon-delimited IPv6 address.
- When <code class="option">-x</code> is used, there is no need to provide
- the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
- arguments. <span class="command"><strong>delv</strong></span> automatically performs a
- lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
- and sets the query type to PTR. IPv6 addresses are looked up
- using nibble format under the IP6.ARPA domain.
- </p>
- </dd>
-<dt><span class="term">-4</span></dt>
-<dd>
- <p>
- Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
- </p>
- </dd>
-<dt><span class="term">-6</span></dt>
-<dd>
- <p>
- Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.5.10"></a><h2>QUERY OPTIONS</h2>
-
-
- <p><span class="command"><strong>delv</strong></span>
- provides a number of query options which affect the way results are
- displayed, and in some cases the way lookups are performed.
- </p>
-
- <p>
- Each query option is identified by a keyword preceded by a plus sign
- (<code class="literal">+</code>). Some keywords set or reset an
- option. These may be preceded by the string
- <code class="literal">no</code> to negate the meaning of that keyword.
- Other keywords assign values to options like the timeout interval.
- They have the form <code class="option">+keyword=value</code>.
- The query options are:
-
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd>
- <p>
- Controls whether to set the CD (checking disabled) bit in
- queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
- when troubleshooting DNSSEC problems from behind a validating
- resolver. A validating resolver will block invalid responses,
- making it difficult to retrieve them for analysis. Setting
- the CD flag on queries will cause the resolver to return
- invalid responses, which <span class="command"><strong>delv</strong></span> can then
- validate internally and report the errors in detail.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]class</code></span></dt>
-<dd>
- <p>
- Controls whether to display the CLASS when printing
- a record. The default is to display the CLASS.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
-<dd>
- <p>
- Controls whether to display the TTL when printing
- a record. The default is to display the TTL.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
-<dd>
- <p>
- Toggle resolver fetch logging. This reports the
- name and type of each query sent by <span class="command"><strong>delv</strong></span>
- in the process of carrying out the resolution and validation
- process: this includes including the original query and
- all subsequent queries to follow CNAMEs and to establish a
- chain of trust for DNSSEC validation.
- </p>
- <p>
- This is equivalent to setting the debug level to 1 in
- the "resolver" logging category. Setting the systemwide
- debug level to 1 using the <code class="option">-d</code> option will
- product the same output (but will affect other logging
- categories as well).
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
-<dd>
- <p>
- Toggle message logging. This produces a detailed dump of
- the responses received by <span class="command"><strong>delv</strong></span> in the
- process of carrying out the resolution and validation process.
- </p>
- <p>
- This is equivalent to setting the debug level to 10
- for the "packets" module of the "resolver" logging
- category. Setting the systemwide debug level to 10 using
- the <code class="option">-d</code> option will produce the same output
- (but will affect other logging categories as well).
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
-<dd>
- <p>
- Toggle validation logging. This shows the internal
- process of the validator as it determines whether an
- answer is validly signed, unsigned, or invalid.
- </p>
- <p>
- This is equivalent to setting the debug level to 3
- for the "validator" module of the "dnssec" logging
- category. Setting the systemwide debug level to 3 using
- the <code class="option">-d</code> option will produce the same output
- (but will affect other logging categories as well).
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd>
- <p>
- Provide a terse answer. The default is to print the answer in a
- verbose form.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd>
- <p>
- Toggle the display of comment lines in the output. The default
- is to print comments.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd>
- <p>
- Toggle the display of per-record comments in the output (for
- example, human-readable key information about DNSKEY records).
- The default is to print per-record comments.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd>
- <p>
- Toggle the display of cryptographic fields in DNSSEC records.
- The contents of these field are unnecessary to debug most DNSSEC
- validation failures and removing them makes it easier to see
- the common failures. The default is to display the fields.
- When omitted they are replaced by the string "[omitted]" or
- in the DNSKEY case the key id is displayed as the replacement,
- e.g. "[ key id = value ]".
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
-<dd>
- <p>
- Controls whether to display the trust level when printing
- a record. The default is to display the trust level.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
-<dd>
- <p>
- Split long hex- or base64-formatted fields in resource
- records into chunks of <em class="parameter"><code>W</code></em> characters
- (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
- multiple of 4).
- <em class="parameter"><code>+nosplit</code></em> or
- <em class="parameter"><code>+split=0</code></em> causes fields not to be
- split at all. The default is 56 characters, or 44 characters
- when multiline mode is active.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd>
- <p>
- Set or clear the display options
- <code class="option">+[no]comments</code>,
- <code class="option">+[no]rrcomments</code>, and
- <code class="option">+[no]trust</code> as a group.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd>
- <p>
- Print long records (such as RRSIG, DNSKEY, and SOA records)
- in a verbose multi-line format with human-readable comments.
- The default is to print each record on a single line, to
- facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
- output.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd>
- <p>
- Indicates whether to display RRSIG records in the
- <span class="command"><strong>delv</strong></span> output. The default is to
- do so. Note that (unlike in <span class="command"><strong>dig</strong></span>)
- this does <span class="emphasis"><em>not</em></span> control whether to
- request DNSSEC records or whether to validate them.
- DNSSEC records are always requested, and validation
- will always occur unless suppressed by the use of
- <code class="option">-i</code> or <code class="option">+noroot</code> and
- <code class="option">+nodlv</code>.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
-<dd>
- <p>
- Indicates whether to perform conventional (non-lookaside)
- DNSSEC validation, and if so, specifies the
- name of a trust anchor. The default is to validate using
- a trust anchor of "." (the root zone), for which there is
- a built-in key. If specifying a different trust anchor,
- then <code class="option">-a</code> must be used to specify a file
- containing the key.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
-<dd>
- <p>
- Indicates whether to perform DNSSEC lookaside validation,
- and if so, specifies the name of the DLV trust anchor.
- The default is to perform lookaside validation using
- a trust anchor of "dlv.isc.org", for which there is a
- built-in key. If specifying a different name, then
- <code class="option">-a</code> must be used to specify a file
- containing the DLV key.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd>
- <p>
- Controls whether to use TCP when sending queries.
- The default is to use UDP unless a truncated
- response has been received.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
-<dd>
- <p>
- Print all RDATA in unknown RR type presentation format
- (RFC 3597). The default is to print RDATA for known types
- in the type's presentation format.
- </p>
- </dd>
-</dl></div>
-<p>
-
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.5.11"></a><h2>FILES</h2>
-
- <p><code class="filename">/etc/bind.keys</code></p>
- <p><code class="filename">/etc/resolv.conf</code></p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.5.12"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dig</span>(1)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <em class="citetitle">RFC4034</em>,
- <em class="citetitle">RFC4035</em>,
- <em class="citetitle">RFC4431</em>,
- <em class="citetitle">RFC5074</em>,
- <em class="citetitle">RFC5155</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.host.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.nslookup.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">host </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â nslookup</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="next" href="man.mdig.html" title="mdig">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">dig</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch13.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.mdig.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dig"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- dig
- — DNS lookup utility
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dig</code>
- [@server]
- [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>]
- [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>]
- [<code class="option">-m</code>]
- [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
- [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
- [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
- [<code class="option">-v</code>]
- [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
- [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>]
- [
- [<code class="option">-4</code>]
- | [<code class="option">-6</code>]
- ]
- [name]
- [type]
- [class]
- [queryopt...]
- </p></div>
-
- <div class="cmdsynopsis"><p>
- <code class="command">dig</code>
- [<code class="option">-h</code>]
- </p></div>
-
- <div class="cmdsynopsis"><p>
- <code class="command">dig</code>
- [global-queryopt...]
- [query...]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.2.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dig</strong></span> is a flexible tool
- for interrogating DNS name servers. It performs DNS lookups and
- displays the answers that are returned from the name server(s) that
- were queried. Most DNS administrators use <span class="command"><strong>dig</strong></span> to
- troubleshoot DNS problems because of its flexibility, ease of use and
- clarity of output. Other lookup tools tend to have less functionality
- than <span class="command"><strong>dig</strong></span>.
- </p>
-
- <p>
- Although <span class="command"><strong>dig</strong></span> is normally used with
- command-line
- arguments, it also has a batch mode of operation for reading lookup
- requests from a file. A brief summary of its command-line arguments
- and options is printed when the <code class="option">-h</code> option is given.
- Unlike earlier versions, the BIND 9 implementation of
- <span class="command"><strong>dig</strong></span> allows multiple lookups to be issued
- from the
- command line.
- </p>
-
- <p>
- Unless it is told to query a specific name server,
- <span class="command"><strong>dig</strong></span> will try each of the servers listed in
- <code class="filename">/etc/resolv.conf</code>. If no usable server addresses
- are found, <span class="command"><strong>dig</strong></span> will send the query to the local
- host.
- </p>
-
- <p>
- When no command line arguments or options are given,
- <span class="command"><strong>dig</strong></span> will perform an NS query for "." (the root).
- </p>
-
- <p>
- It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
- <code class="filename">${HOME}/.digrc</code>. This file is read and
- any options in it
- are applied before the command line arguments.
- </p>
-
- <p>
- The IN and CH class names overlap with the IN and CH top level
- domain names. Either use the <code class="option">-t</code> and
- <code class="option">-c</code> options to specify the type and class,
- use the <code class="option">-q</code> the specify the domain name, or
- use "IN." and "CH." when looking up these top level domains.
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.2.8"></a><h2>SIMPLE USAGE</h2>
-
-
- <p>
- A typical invocation of <span class="command"><strong>dig</strong></span> looks like:
- </p>
-<pre class="programlisting"> dig @server name type </pre>
-<p>
- where:
-
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="constant">server</code></span></dt>
-<dd>
- <p>
- is the name or IP address of the name server to query. This
- can be an IPv4 address in dotted-decimal notation or an IPv6
- address in colon-delimited notation. When the supplied
- <em class="parameter"><code>server</code></em> argument is a hostname,
- <span class="command"><strong>dig</strong></span> resolves that name before querying
- that name server.
- </p>
- <p>
- If no <em class="parameter"><code>server</code></em> argument is
- provided, <span class="command"><strong>dig</strong></span> consults
- <code class="filename">/etc/resolv.conf</code>; if an
- address is found there, it queries the name server at
- that address. If either of the <code class="option">-4</code> or
- <code class="option">-6</code> options are in use, then
- only addresses for the corresponding transport
- will be tried. If no usable addresses are found,
- <span class="command"><strong>dig</strong></span> will send the query to the
- local host. The reply from the name server that
- responds is displayed.
- </p>
- </dd>
-<dt><span class="term"><code class="constant">name</code></span></dt>
-<dd>
- <p>
- is the name of the resource record that is to be looked up.
- </p>
- </dd>
-<dt><span class="term"><code class="constant">type</code></span></dt>
-<dd>
- <p>
- indicates what type of query is required —
- ANY, A, MX, SIG, etc.
- <em class="parameter"><code>type</code></em> can be any valid query
- type. If no
- <em class="parameter"><code>type</code></em> argument is supplied,
- <span class="command"><strong>dig</strong></span> will perform a lookup for an
- A record.
- </p>
- </dd>
-</dl></div>
-<p>
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.2.9"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-4</span></dt>
-<dd>
- <p>
- Use IPv4 only.
- </p>
- </dd>
-<dt><span class="term">-6</span></dt>
-<dd>
- <p>
- Use IPv6 only.
- </p>
- </dd>
-<dt><span class="term">-b <em class="replaceable"><code>address[<span class="optional">#port</span>]</code></em></span></dt>
-<dd>
- <p>
- Set the source IP address of the query.
- The <em class="parameter"><code>address</code></em> must be a valid address on
- one of the host's network interfaces, or "0.0.0.0" or "::". An
- optional port may be specified by appending "#<port>"
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
- <p>
- Set the query class. The
- default <em class="parameter"><code>class</code></em> is IN; other classes
- are HS for Hesiod records or CH for Chaosnet records.
- </p>
- </dd>
-<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
- <p>
- Batch mode: <span class="command"><strong>dig</strong></span> reads a list of lookup
- requests to process from the
- given <em class="parameter"><code>file</code></em>. Each line in the file
- should be organized in the same way they would be
- presented as queries to
- <span class="command"><strong>dig</strong></span> using the command-line interface.
- </p>
- </dd>
-<dt><span class="term">-i</span></dt>
-<dd>
- <p>
- Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
- domain, which is no longer in use. Obsolete bit string
- label queries (RFC2874) are not attempted.
- </p>
- </dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd>
- <p>
- Sign queries using TSIG using a key read from the given file.
- Key files can be generated using
- <span class="citerefentry">
- <span class="refentrytitle">tsig-keygen</span>(8)
- </span>.
- When using TSIG authentication with <span class="command"><strong>dig</strong></span>,
- the name server that is queried needs to know the key and
- algorithm that is being used. In BIND, this is done by
- providing appropriate <span class="command"><strong>key</strong></span>
- and <span class="command"><strong>server</strong></span> statements in
- <code class="filename">named.conf</code>.
- </p>
- </dd>
-<dt><span class="term">-m</span></dt>
-<dd>
- <p>
- Enable memory usage debugging.
-
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
- <p>
- Send the query to a non-standard port on the server,
- instead of the default port 53. This option would be used
- to test a name server that has been configured to listen
- for queries on a non-standard port number.
- </p>
- </dd>
-<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
-<dd>
- <p>
- The domain name to query. This is useful to distinguish
- the <em class="parameter"><code>name</code></em> from other arguments.
- </p>
- </dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
- <p>
- The resource record type to query. It can be any valid query type
- which is
- supported in BIND 9. The default query type is "A", unless the
- <code class="option">-x</code> option is supplied to indicate a reverse lookup.
- A zone transfer can be requested by specifying a type of AXFR. When
- an incremental zone transfer (IXFR) is required, set the
- <em class="parameter"><code>type</code></em> to <code class="literal">ixfr=N</code>.
- The incremental zone transfer will contain the changes
- made to the zone since the serial number in the zone's SOA
- record was
- <em class="parameter"><code>N</code></em>.
- </p>
- </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
- <p>
- Print the version number and exit.
- </p>
- </dd>
-<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
-<dd>
- <p>
- Simplified reverse lookups, for mapping addresses to
- names. The <em class="parameter"><code>addr</code></em> is an IPv4 address
- in dotted-decimal notation, or a colon-delimited IPv6
- address. When the <code class="option">-x</code> is used, there is no
- need to provide
- the <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em>
- and <em class="parameter"><code>type</code></em>
- arguments. <span class="command"><strong>dig</strong></span> automatically performs a
- lookup for a name like
- <code class="literal">94.2.0.192.in-addr.arpa</code> and sets the
- query type and class to PTR and IN respectively. IPv6
- addresses are looked up using nibble format under the
- IP6.ARPA domain (but see also the <code class="option">-i</code>
- option).
- </p>
- </dd>
-<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
-<dd>
- <p>
- Sign queries using TSIG with the given authentication key.
- <em class="parameter"><code>keyname</code></em> is the name of the key, and
- <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
- <em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
- valid choices are <code class="literal">hmac-md5</code>,
- <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
- <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
- <code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
- is not specified, the default is <code class="literal">hmac-md5</code>
- or if MD5 was disabled <code class="literal">hmac-sha256</code>.
- </p>
- <p>
- NOTE: You should use the <code class="option">-k</code> option and
- avoid the <code class="option">-y</code> option, because
- with <code class="option">-y</code> the shared secret is supplied as
- a command line argument in clear text. This may be visible
- in the output from
- <span class="citerefentry">
- <span class="refentrytitle">ps</span>(1)
- </span>
- or in a history file maintained by the user's shell.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.2.10"></a><h2>QUERY OPTIONS</h2>
-
-
- <p><span class="command"><strong>dig</strong></span>
- provides a number of query options which affect
- the way in which lookups are made and the results displayed. Some of
- these set or reset flag bits in the query header, some determine which
- sections of the answer get printed, and others determine the timeout
- and retry strategies.
- </p>
-
- <p>
- Each query option is identified by a keyword preceded by a plus sign
- (<code class="literal">+</code>). Some keywords set or reset an
- option. These may be preceded
- by the string <code class="literal">no</code> to negate the meaning of
- that keyword. Other
- keywords assign values to options like the timeout interval. They
- have the form <code class="option">+keyword=value</code>.
- Keywords may be abbreviated, provided the abbreviation is
- unambiguous; for example, <code class="literal">+cd</code> is equivalent
- to <code class="literal">+cdflag</code>.
- The query options are:
-
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
-<dd>
- <p>
- A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
-<dd>
- <p>
- Sets the "aa" flag in the query.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
-<dd>
- <p>
- Display [do not display] the additional section of a
- reply. The default is to display it.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
-<dd>
- <p>
- Set [do not set] the AD (authentic data) bit in the
- query. This requests the server to return whether
- all of the answer and authority sections have all
- been validated as secure according to the security
- policy of the server. AD=1 indicates that all records
- have been validated as secure and the answer is not
- from a OPT-OUT range. AD=0 indicate that some part
- of the answer was insecure or not validated. This
- bit is set by default.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd>
- <p>
- Set or clear all display flags.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
-<dd>
- <p>
- Display [do not display] the answer section of a
- reply. The default is to display it.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
-<dd>
- <p>
- Display [do not display] the authority section of a
- reply. The default is to display it.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]badcookie</code></span></dt>
-<dd>
- <p>
- Retry lookup with the new server cookie if a
- BADCOOKIE response is received.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
-<dd>
- <p>
- Attempt to display the contents of messages which are
- malformed. The default is to not display malformed
- answers.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
-<dd>
- <p>
- Set the UDP message buffer size advertised using EDNS0
- to <em class="parameter"><code>B</code></em> bytes. The maximum and
- minimum sizes of this buffer are 65535 and 0 respectively.
- Values outside this range are rounded up or down
- appropriately. Values other than zero will cause a
- EDNS query to be sent.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd>
- <p>
- Set [do not set] the CD (checking disabled) bit in
- the query. This requests the server to not perform
- DNSSEC validation of responses.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]class</code></span></dt>
-<dd>
- <p>
- Display [do not display] the CLASS when printing the
- record.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
-<dd>
- <p>
- Toggles the printing of the initial comment in the
- output identifying the version of <span class="command"><strong>dig</strong></span>
- and the query options that have been applied. This
- comment is printed by default.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd>
- <p>
- Toggle the display of comment lines in the output.
- The default is to print comments.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
-<dd>
- <p>
- Send a COOKIE EDNS option, with optional
- value. Replaying a COOKIE from a previous response will
- allow the server to identify a previous client. The
- default is <code class="option">+cookie</code>.
- </p>
- <p>
- <span class="command"><strong>+cookie</strong></span> is also set when +trace
- is set to better emulate the default queries from a
- nameserver.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd>
- <p>
- Toggle the display of cryptographic fields in DNSSEC
- records. The contents of these field are unnecessary
- to debug most DNSSEC validation failures and removing
- them makes it easier to see the common failures. The
- default is to display the fields. When omitted they
- are replaced by the string "[omitted]" or in the
- DNSKEY case the key id is displayed as the replacement,
- e.g. "[ key id = value ]".
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]defname</code></span></dt>
-<dd>
- <p>
- Deprecated, treated as a synonym for
- <em class="parameter"><code>+[no]search</code></em>
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd>
- <p>
- Requests DNSSEC records be sent by setting the DNSSEC
- OK bit (DO) in the OPT record in the additional section
- of the query.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+domain=somename</code></span></dt>
-<dd>
- <p>
- Set the search list to contain the single domain
- <em class="parameter"><code>somename</code></em>, as if specified in
- a <span class="command"><strong>domain</strong></span> directive in
- <code class="filename">/etc/resolv.conf</code>, and enable
- search list processing as if the
- <em class="parameter"><code>+search</code></em> option were given.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+dscp=value</code></span></dt>
-<dd>
- <p>
- Set the DSCP code point to be used when sending the
- query. Valid DSCP code points are in the range
- [0..63]. By default no code point is explicitly set.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]edns[=#]</code></span></dt>
-<dd>
- <p>
- Specify the EDNS version to query with. Valid values
- are 0 to 255. Setting the EDNS version will cause
- a EDNS query to be sent. <code class="option">+noedns</code>
- clears the remembered EDNS version. EDNS is set to
- 0 by default.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ednsflags[=#]</code></span></dt>
-<dd>
- <p>
- Set the must-be-zero EDNS flags bits (Z bits) to the
- specified value. Decimal, hex and octal encodings are
- accepted. Setting a named flag (e.g. DO) will silently be
- ignored. By default, no Z bits are set.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ednsnegotiation</code></span></dt>
-<dd>
- <p>
- Enable / disable EDNS version negotiation. By default
- EDNS version negotiation is enabled.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ednsopt[=code[:value]]</code></span></dt>
-<dd>
- <p>
- Specify EDNS option with code point <code class="option">code</code>
- and optionally payload of <code class="option">value</code> as a
- hexadecimal string. <code class="option">code</code> can be
- either an EDNS option name (for example,
- <code class="literal">NSID</code> or <code class="literal">ECS</code>),
- or an arbitrary numeric value. <code class="option">+noednsopt</code>
- clears the EDNS options to be sent.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]expire</code></span></dt>
-<dd>
- <p>
- Send an EDNS Expire option.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
-<dd>
- <p>
- Do not try the next server if you receive a SERVFAIL.
- The default is to not try the next server which is
- the reverse of normal stub resolver behavior.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]header-only</code></span></dt>
-<dd>
- <p>
- Send a query with a DNS header without a question section.
- The default is to add a question section. The query type
- and query name are ignored when this is set.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]identify</code></span></dt>
-<dd>
- <p>
- Show [or do not show] the IP address and port number
- that supplied the answer when the
- <em class="parameter"><code>+short</code></em> option is enabled. If
- short form answers are requested, the default is not
- to show the source address and port number of the
- server that provided the answer.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
-<dd>
- <p>
- Convert [do not convert] puny code on output.
- This requires IDN SUPPORT to have been enabled at
- compile time. The default is to convert output.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
-<dd>
- <p>
- Ignore truncation in UDP responses instead of retrying
- with TCP. By default, TCP retries are performed.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]keepopen</code></span></dt>
-<dd>
- <p>
- Keep the TCP socket open between queries and reuse
- it rather than creating a new TCP socket for each
- lookup. The default is <code class="option">+nokeepopen</code>.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]mapped</code></span></dt>
-<dd>
- <p>
- Allow mapped IPv4 over IPv6 addresses to be used. The
- default is <code class="option">+mapped</code>.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd>
- <p>
- Print records like the SOA records in a verbose
- multi-line format with human-readable comments. The
- default is to print each record on a single line, to
- facilitate machine parsing of the <span class="command"><strong>dig</strong></span>
- output.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+ndots=D</code></span></dt>
-<dd>
- <p>
- Set the number of dots that have to appear in
- <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em>
- for it to be considered absolute. The default value
- is that defined using the ndots statement in
- <code class="filename">/etc/resolv.conf</code>, or 1 if no
- ndots statement is present. Names with fewer dots
- are interpreted as relative names and will be searched
- for in the domains listed in the <code class="option">search</code>
- or <code class="option">domain</code> directive in
- <code class="filename">/etc/resolv.conf</code> if
- <code class="option">+search</code> is set.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
-<dd>
- <p>
- Include an EDNS name server ID request when sending
- a query.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
-<dd>
- <p>
- When this option is set, <span class="command"><strong>dig</strong></span>
- attempts to find the authoritative name servers for
- the zone containing the name being looked up and
- display the SOA record that each name server has for
- the zone.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
-<dd>
- <p>
- Print only one (starting) SOA record when performing
- an AXFR. The default is to print both the starting
- and ending SOA records.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]opcode=value</code></span></dt>
-<dd>
- <p>
- Set [restore] the DNS message opcode to the specified
- value. The default value is QUERY (0).
- </p>
- </dd>
-<dt><span class="term"><code class="option">+padding=value</code></span></dt>
-<dd>
- <p>
- Pad the size of the query packet using the EDNS Padding option
- to blocks of <em class="parameter"><code>value</code></em> bytes. For example,
- <code class="option">+padding=32</code> would cause a 48-byte query to
- be padded to 64 bytes. The default block size is 0, which
- disables padding. The maximum is 512. Values are
- ordinarily expected to be powers of two, such as 128;
- however, this is not mandatory. Responses to
- padded queries may also be padded, but only if the query
- uses TCP or DNS COOKIE.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
-<dd>
- <p>
- Print [do not print] the query as it is sent. By
- default, the query is not printed.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]question</code></span></dt>
-<dd>
- <p>
- Print [do not print] the question section of a query
- when an answer is returned. The default is to print
- the question section as a comment.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]rdflag</code></span></dt>
-<dd>
- <p>
- A synonym for <em class="parameter"><code>+[no]recurse</code></em>.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
-<dd>
- <p>
- Toggle the setting of the RD (recursion desired) bit
- in the query. This bit is set by default, which means
- <span class="command"><strong>dig</strong></span> normally sends recursive
- queries. Recursion is automatically disabled when
- the <em class="parameter"><code>+nssearch</code></em> or
- <em class="parameter"><code>+trace</code></em> query options are used.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+retry=T</code></span></dt>
-<dd>
- <p>
- Sets the number of times to retry UDP queries to
- server to <em class="parameter"><code>T</code></em> instead of the
- default, 2. Unlike <em class="parameter"><code>+tries</code></em>,
- this does not include the initial query.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd>
- <p>
- Toggle the display of per-record comments in the
- output (for example, human-readable key information
- about DNSKEY records). The default is not to print
- record comments unless multiline mode is active.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]search</code></span></dt>
-<dd>
- <p>
- Use [do not use] the search list defined by the
- searchlist or domain directive in
- <code class="filename">resolv.conf</code> (if any). The search
- list is not used by default.
- </p>
- <p>
- 'ndots' from <code class="filename">resolv.conf</code> (default 1)
- which may be overridden by <em class="parameter"><code>+ndots</code></em>
- determines if the name will be treated as relative
- or not and hence whether a search is eventually
- performed or not.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd>
- <p>
- Provide a terse answer. The default is to print the
- answer in a verbose form.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
-<dd>
- <p>
- Perform [do not perform] a search showing intermediate
- results.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
-<dd>
- <p>
- This feature is now obsolete and has been removed;
- use <span class="command"><strong>delv</strong></span> instead.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+split=W</code></span></dt>
-<dd>
- <p>
- Split long hex- or base64-formatted fields in resource
- records into chunks of <em class="parameter"><code>W</code></em>
- characters (where <em class="parameter"><code>W</code></em> is rounded
- up to the nearest multiple of 4).
- <em class="parameter"><code>+nosplit</code></em> or
- <em class="parameter"><code>+split=0</code></em> causes fields not to
- be split at all. The default is 56 characters, or
- 44 characters when multiline mode is active.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
-<dd>
- <p>
- This query option toggles the printing of statistics:
- when the query was made, the size of the reply and
- so on. The default behavior is to print the query
- statistics.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
-<dd>
- <p>
- Send (don't send) an EDNS Client Subnet option with the
- specified IP address or network prefix.
- </p>
- <p>
- <span class="command"><strong>dig +subnet=0.0.0.0/0</strong></span>, or simply
- <span class="command"><strong>dig +subnet=0</strong></span> for short, sends an EDNS
- CLIENT-SUBNET option with an empty address and a source
- prefix-length of zero, which signals a resolver that
- the client's address information must
- <span class="emphasis"><em>not</em></span> be used when resolving
- this query.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd>
- <p>
- Use [do not use] TCP when querying name servers. The
- default behavior is to use UDP unless a type
- <code class="literal">any</code> or <code class="literal">ixfr=N</code>
- query is requested, in which case the default is TCP.
- AXFR queries always use TCP.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+timeout=T</code></span></dt>
-<dd>
- <p>
-
- Sets the timeout for a query to
- <em class="parameter"><code>T</code></em> seconds. The default
- timeout is 5 seconds.
- An attempt to set <em class="parameter"><code>T</code></em> to less
- than 1 will result
- in a query timeout of 1 second being applied.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
-<dd>
- <p>
- This feature is related to <span class="command"><strong>dig +sigchase</strong></span>,
- which is obsolete and has been removed. Use
- <span class="command"><strong>delv</strong></span> instead.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
-<dd>
- <p>
- Toggle tracing of the delegation path from the root
- name servers for the name being looked up. Tracing
- is disabled by default. When tracing is enabled,
- <span class="command"><strong>dig</strong></span> makes iterative queries to
- resolve the name being looked up. It will follow
- referrals from the root servers, showing the answer
- from each server that was used to resolve the lookup.
- </p> <p>
- If @server is also specified, it affects only the
- initial query for the root zone name servers.
- </p> <p>
- <span class="command"><strong>+dnssec</strong></span> is also set when +trace
- is set to better emulate the default queries from a
- nameserver.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+tries=T</code></span></dt>
-<dd>
- <p>
- Sets the number of times to try UDP queries to server
- to <em class="parameter"><code>T</code></em> instead of the default,
- 3. If <em class="parameter"><code>T</code></em> is less than or equal
- to zero, the number of tries is silently rounded up
- to 1.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
-<dd>
- <p>
- Formerly specified trusted keys for use with
- <span class="command"><strong>dig +sigchase</strong></span>. This feature is now
- obsolete and has been removed; use
- <span class="command"><strong>delv</strong></span> instead.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
-<dd>
- <p>
- Display [do not display] the TTL when printing the
- record.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ttlunits</code></span></dt>
-<dd>
- <p>
- Display [do not display] the TTL in friendly human-readable
- time units of "s", "m", "h", "d", and "w", representing
- seconds, minutes, hours, days and weeks. Implies +ttlid.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
-<dd>
- <p>
- Print all RDATA in unknown RR type presentation format
- (RFC 3597). The default is to print RDATA for known types
- in the type's presentation format.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
-<dd>
- <p>
- Use [do not use] TCP when querying name servers. This
- alternate syntax to <em class="parameter"><code>+[no]tcp</code></em>
- is provided for backwards compatibility. The "vc"
- stands for "virtual circuit".
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]zflag</code></span></dt>
-<dd>
- <p>
- Set [do not set] the last unassigned DNS header flag in a
- DNS query. This flag is off by default.
- </p>
- </dd>
-</dl></div>
-<p>
-
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.2.11"></a><h2>MULTIPLE QUERIES</h2>
-
-
- <p>
- The BIND 9 implementation of <span class="command"><strong>dig </strong></span>
- supports
- specifying multiple queries on the command line (in addition to
- supporting the <code class="option">-f</code> batch file option). Each of those
- queries can be supplied with its own set of flags, options and query
- options.
- </p>
-
- <p>
- In this case, each <em class="parameter"><code>query</code></em> argument
- represent an
- individual query in the command-line syntax described above. Each
- consists of any of the standard options and flags, the name to be
- looked up, an optional query type and class and any query options that
- should be applied to that query.
- </p>
-
- <p>
- A global set of query options, which should be applied to all queries,
- can also be supplied. These global query options must precede the
- first tuple of name, class, type, options, flags, and query options
- supplied on the command line. Any global query options (except
- <code class="option">+[no]cmd</code> and <code class="option">+[no]short</code> options)
- can be overridden by a query-specific set of query options.
- For example:
- </p>
-<pre class="programlisting">
-dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-</pre>
-<p>
- shows how <span class="command"><strong>dig</strong></span> could be used from the
- command line
- to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
- reverse lookup of 127.0.0.1 and a query for the NS records of
- <code class="literal">isc.org</code>.
-
- A global query option of <em class="parameter"><code>+qr</code></em> is
- applied, so
- that <span class="command"><strong>dig</strong></span> shows the initial query it made
- for each
- lookup. The final query has a local query option of
- <em class="parameter"><code>+noqr</code></em> which means that <span class="command"><strong>dig</strong></span>
- will not print the initial query when it looks up the NS records for
- <code class="literal">isc.org</code>.
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.2.12"></a><h2>IDN SUPPORT</h2>
-
- <p>
- If <span class="command"><strong>dig</strong></span> has been built with IDN (internationalized
- domain name) support, it can accept and display non-ASCII domain names.
- <span class="command"><strong>dig</strong></span> appropriately converts character encoding of
- domain name before sending a request to DNS server or displaying a
- reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
- the <code class="envar">IDN_DISABLE</code> environment variable.
- The IDN support is disabled if the variable is set when
- <span class="command"><strong>dig</strong></span> runs.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.2.13"></a><h2>FILES</h2>
-
- <p><code class="filename">/etc/resolv.conf</code>
- </p>
- <p><code class="filename">${HOME}/.digrc</code>
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.2.14"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">delv</span>(1)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">host</span>(1)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>,
- <em class="citetitle">RFC1035</em>.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.2.15"></a><h2>BUGS</h2>
-
- <p>
- There are probably too many query options.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch13.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.mdig.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Manual pages </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">mdig</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-checkds</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.nslookup.html" title="nslookup">
-<link rel="next" href="man.dnssec-coverage.html" title="dnssec-coverage">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-checkds</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.nslookup.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-coverage.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-checkds"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-checkds</span>
- — DNSSEC delegation consistency checking tool
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-checkds</code>
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
- [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
- [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
- {zone}
- </p></div>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-dsfromkey</code>
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
- [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>]
- [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>]
- {zone}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.7.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dnssec-checkds</strong></span>
- verifies the correctness of Delegation Signer (DS) or DNSSEC
- Lookaside Validation (DLV) resource records for keys in a specified
- zone.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.7.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
- <p>
- If a <code class="option">file</code> is specified, then the zone is
- read from that file to find the DNSKEY records. If not,
- then the DNSKEY records for the zone are looked up in the DNS.
- </p>
- </dd>
-<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
- <p>
- Check for a DLV record in the specified lookaside domain,
- instead of checking for a DS record in the zone's parent.
- For example, to check for DLV records for "example.com"
- in ISC's DLV zone, use:
- <span class="command"><strong>dnssec-checkds -l dlv.isc.org example.com</strong></span>
- </p>
- </dd>
-<dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
-<dd>
- <p>
- Specifies a path to a <span class="command"><strong>dig</strong></span> binary. Used
- for testing.
- </p>
- </dd>
-<dt><span class="term">-D <em class="replaceable"><code>dsfromkey path</code></em></span></dt>
-<dd>
- <p>
- Specifies a path to a <span class="command"><strong>dnssec-dsfromkey</strong></span> binary.
- Used for testing.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.7.9"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dnssec-dsfromkey</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-signzone</span>(8)
- </span>,
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.nslookup.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-coverage.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">nslookup </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-coverage</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-coverage</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
-<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-coverage</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-coverage</span>
- — checks future DNSKEY coverage for a zone
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-coverage</code>
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
- [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
- [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
- [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
- [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
- [<code class="option">-k</code>]
- [<code class="option">-z</code>]
- [zone...]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.8.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dnssec-coverage</strong></span>
- verifies that the DNSSEC keys for a given zone or a set of zones
- have timing metadata set properly to ensure no future lapses in DNSSEC
- coverage.
- </p>
- <p>
- If <code class="option">zone</code> is specified, then keys found in
- the key repository matching that zone are scanned, and an ordered
- list is generated of the events scheduled for that key (i.e.,
- publication, activation, inactivation, deletion). The list of
- events is walked in order of occurrence. Warnings are generated
- if any event is scheduled which could cause the zone to enter a
- state in which validation failures might occur: for example, if
- the number of published or active keys for a given algorithm drops
- to zero, or if a key is deleted from the zone too soon after a new
- key is rolled, and cached data signed by the prior key has not had
- time to expire from resolver caches.
- </p>
- <p>
- If <code class="option">zone</code> is not specified, then all keys in the
- key repository will be scanned, and all zones for which there are
- keys will be analyzed. (Note: This method of reporting is only
- accurate if all the zones that have keys in a given repository
- share the same TTL parameters.)
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.8.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Sets the directory in which keys can be found. Defaults to the
- current working directory.
- </p>
- </dd>
-<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
- <p>
- If a <code class="option">file</code> is specified, then the zone is
- read from that file; the largest TTL and the DNSKEY TTL are
- determined directly from the zone data, and the
- <code class="option">-m</code> and <code class="option">-d</code> options do
- not need to be specified on the command line.
- </p>
- </dd>
-<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
-<dd>
- <p>
- The length of time to check for DNSSEC coverage. Key events
- scheduled further into the future than <code class="option">duration</code>
- will be ignored, and assumed to be correct.
- </p>
- <p>
- The value of <code class="option">duration</code> can be set in seconds,
- or in larger units of time by adding a suffix: 'mi' for minutes,
- 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
- 'y' for years.
- </p>
- </dd>
-<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
-<dd>
- <p>
- Sets the value to be used as the maximum TTL for the zone or
- zones being analyzed when determining whether there is a
- possibility of validation failure. When a zone-signing key is
- deactivated, there must be enough time for the record in the
- zone with the longest TTL to have expired from resolver caches
- before that key can be purged from the DNSKEY RRset. If that
- condition does not apply, a warning will be generated.
- </p>
- <p>
- The length of the TTL can be set in seconds, or in larger units
- of time by adding a suffix: 'mi' for minutes, 'h' for hours,
- 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
- </p>
- <p>
- This option is not necessary if the <code class="option">-f</code> has
- been used to specify a zone file. If <code class="option">-f</code> has
- been specified, this option may still be used; it will override
- the value found in the file.
- </p>
- <p>
- If this option is not used and the maximum TTL cannot be retrieved
- from a zone file, a warning is generated and a default value of
- 1 week is used.
- </p>
- </dd>
-<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
-<dd>
- <p>
- Sets the value to be used as the DNSKEY TTL for the zone or
- zones being analyzed when determining whether there is a
- possibility of validation failure. When a key is rolled (that
- is, replaced with a new key), there must be enough time for the
- old DNSKEY RRset to have expired from resolver caches before
- the new key is activated and begins generating signatures. If
- that condition does not apply, a warning will be generated.
- </p>
- <p>
- The length of the TTL can be set in seconds, or in larger units
- of time by adding a suffix: 'mi' for minutes, 'h' for hours,
- 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
- </p>
- <p>
- This option is not necessary if <code class="option">-f</code> has
- been used to specify a zone file from which the TTL
- of the DNSKEY RRset can be read, or if a default key TTL was
- set using ith the <code class="option">-L</code> to
- <span class="command"><strong>dnssec-keygen</strong></span>. If either of those is true,
- this option may still be used; it will override the values
- found in the zone file or the key file.
- </p>
- <p>
- If this option is not used and the key TTL cannot be retrieved
- from the zone file or the key file, then a warning is generated
- and a default value of 1 day is used.
- </p>
- </dd>
-<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
-<dd>
- <p>
- Sets the value to be used as the resign interval for the zone
- or zones being analyzed when determining whether there is a
- possibility of validation failure. This value defaults to
- 22.5 days, which is also the default in
- <span class="command"><strong>named</strong></span>. However, if it has been changed
- by the <code class="option">sig-validity-interval</code> option in
- <code class="filename">named.conf</code>, then it should also be
- changed here.
- </p>
- <p>
- The length of the interval can be set in seconds, or in larger
- units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
- 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
- </p>
- </dd>
-<dt><span class="term">-k</span></dt>
-<dd>
- <p>
- Only check KSK coverage; ignore ZSK events. Cannot be
- used with <code class="option">-z</code>.
- </p>
- </dd>
-<dt><span class="term">-z</span></dt>
-<dd>
- <p>
- Only check ZSK coverage; ignore KSK events. Cannot be
- used with <code class="option">-k</code>.
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
-<dd>
- <p>
- Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary.
- Used for testing.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.8.9"></a><h2>SEE ALSO</h2>
-
- <p>
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-checkds</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-dsfromkey</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-signzone</span>(8)
- </span>
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-checkds</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-dsfromkey</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-dsfromkey</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-coverage.html" title="dnssec-coverage">
-<link rel="next" href="man.dnssec-importkey.html" title="dnssec-importkey">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-dsfromkey</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-coverage.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-importkey.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-dsfromkey</span>
- — DNSSEC DS RR generation tool
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-dsfromkey</code>
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-1</code>]
- [<code class="option">-2</code>]
- [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
- [<code class="option">-C</code>]
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
- [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
- {keyfile}
- </p></div>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-dsfromkey</code>
- {-s}
- [<code class="option">-1</code>]
- [<code class="option">-2</code>]
- [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>]
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
- [<code class="option">-s</code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
- [<code class="option">-A</code>]
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- {dnsname}
- </p></div>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-dsfromkey</code>
- [<code class="option">-h</code>]
- [<code class="option">-V</code>]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.9.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dnssec-dsfromkey</strong></span>
- outputs the Delegation Signer (DS) resource record (RR), as defined in
- RFC 3658 and RFC 4509, for the given key(s).
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.9.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-1</span></dt>
-<dd>
- <p>
- Use SHA-1 as the digest algorithm (the default is to use
- both SHA-1 and SHA-256).
- </p>
- </dd>
-<dt><span class="term">-2</span></dt>
-<dd>
- <p>
- Use SHA-256 as the digest algorithm.
- </p>
- </dd>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
- <p>
- Select the digest algorithm. The value of
- <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
- SHA-256 (SHA256), GOST or SHA-384 (SHA384).
- These values are case insensitive.
- </p>
- </dd>
-<dt><span class="term">-C</span></dt>
-<dd>
- <p>
- Generate CDS records rather than DS records. This is mutually
- exclusive with generating lookaside records.
- </p>
- </dd>
-<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
-<dd>
- <p>
- Specifies the TTL of the DS records.
- </p>
- </dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Look for key files (or, in keyset mode,
- <code class="filename">keyset-</code> files) in
- <code class="option">directory</code>.
- </p>
- </dd>
-<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
- <p>
- Zone file mode: in place of the keyfile name, the argument is
- the DNS domain name of a zone master file, which can be read
- from <code class="option">file</code>. If the zone name is the same as
- <code class="option">file</code>, then it may be omitted.
- </p>
- <p>
- If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
- the zone data is read from the standard input. This makes it
- possible to use the output of the <span class="command"><strong>dig</strong></span>
- command as input, as in:
- </p>
- <p>
- <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
- </p>
- </dd>
-<dt><span class="term">-A</span></dt>
-<dd>
- <p>
- Include ZSKs when generating DS records. Without this option,
- only keys which have the KSK flag set will be converted to DS
- records and printed. Useful only in zone file mode.
- </p>
- </dd>
-<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
- <p>
- Generate a DLV set instead of a DS set. The specified
- <code class="option">domain</code> is appended to the name for each
- record in the set.
- The DNSSEC Lookaside Validation (DLV) RR is described
- in RFC 4431. This is mutually exclusive with generating
- CDS records.
- </p>
- </dd>
-<dt><span class="term">-s</span></dt>
-<dd>
- <p>
- Keyset mode: in place of the keyfile name, the argument is
- the DNS domain name of a keyset file.
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
- <p>
- Specifies the DNS class (default is IN). Useful only
- in keyset or zone file mode.
- </p>
- </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
- <p>
- Sets the debugging level.
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Prints usage information.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Prints version information.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.9.9"></a><h2>EXAMPLE</h2>
-
- <p>
- To build the SHA-256 DS RR from the
- <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
- keyfile name, the following command would be issued:
- </p>
- <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
- </p>
- <p>
- The command would print something like:
- </p>
- <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.9.10"></a><h2>FILES</h2>
-
- <p>
- The keyfile can be designed by the key identification
- <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
- <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
- <span class="refentrytitle">dnssec-keygen</span>(8).
- </p>
- <p>
- The keyset file name is built from the <code class="option">directory</code>,
- the string <code class="filename">keyset-</code> and the
- <code class="option">dnsname</code>.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.9.11"></a><h2>CAVEAT</h2>
-
- <p>
- A keyfile error can give a "file not found" even if the file exists.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.9.12"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-signzone</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 3658</em>,
- <em class="citetitle">RFC 4431</em>.
- <em class="citetitle">RFC 4509</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-coverage.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-importkey.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-coverage</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-importkey</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-importkey</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
-<link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-importkey</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-importkey"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-importkey</span>
- — import DNSKEY records from external systems so they can be managed
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-importkey</code>
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
- [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-h</code>]
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-V</code>]
- {<code class="option">keyfile</code>}
- </p></div>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-importkey</code>
- {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
- [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-h</code>]
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-V</code>]
- [<code class="option">dnsname</code>]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.10.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dnssec-importkey</strong></span>
- reads a public DNSKEY record and generates a pair of
- .key/.private files. The DNSKEY record may be read from an
- existing .key file, in which case a corresponding .private file
- will be generated, or it may be read from any other file or
- from the standard input, in which case both .key and .private
- files will be generated.
- </p>
- <p>
- The newly-created .private file does <span class="emphasis"><em>not</em></span>
- contain private key data, and cannot be used for signing.
- However, having a .private file makes it possible to set
- publication (<code class="option">-P</code>) and deletion
- (<code class="option">-D</code>) times for the key, which means the
- public key can be added to and removed from the DNSKEY RRset
- on schedule even if the true private key is stored offline.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.10.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
-<dd>
- <p>
- Zone file mode: instead of a public keyfile name, the argument
- is the DNS domain name of a zone master file, which can be read
- from <code class="option">file</code>. If the domain name is the same as
- <code class="option">file</code>, then it may be omitted.
- </p>
- <p>
- If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
- the zone data is read from the standard input.
- </p>
- </dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Sets the directory in which the key files are to reside.
- </p>
- </dd>
-<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
- <p>
- Sets the default TTL to use for this key when it is converted
- into a DNSKEY RR. If the key is imported into a zone,
- this is the TTL that will be used for it, unless there was
- already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. Setting the default TTL to
- <code class="literal">0</code> or <code class="literal">none</code> removes it.
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Emit usage message and exit.
- </p>
- </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
- <p>
- Sets the debugging level.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Prints version information.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.10.9"></a><h2>TIMING OPTIONS</h2>
-
- <p>
- Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
- If the argument begins with a '+' or '-', it is interpreted as
- an offset from the present time. For convenience, if such an offset
- is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
- then the offset is computed in years (defined as 365 24-hour days,
- ignoring leap years), months (defined as 30 24-hour days), weeks,
- days, hours, or minutes, respectively. Without a suffix, the offset
- is computed in seconds. To explicitly prevent a date from being
- set, use 'none' or 'never'.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which a key is to be published to the zone.
- After that date, the key will be included in the zone but will
- not be used to sign it.
- </p>
- </dd>
-<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which CDS and CDNSKEY records that match this
- key are to be published to the zone.
- </p>
- </dd>
-<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be deleted. After that
- date, the key will no longer be included in the zone. (It
- may remain in the key repository, however.)
- </p>
- </dd>
-<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the CDS and CDNSKEY records that match
- this key are to be deleted.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.10.10"></a><h2>FILES</h2>
-
- <p>
- A keyfile can be designed by the key identification
- <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
- <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
- <span class="refentrytitle">dnssec-keygen</span>(8).
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.10.11"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-signzone</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 5011</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-dsfromkey</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-keyfromlabel</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-keyfromlabel</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
-<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-keyfromlabel</span>
- — DNSSEC key generation tool
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-keyfromlabel</code>
- {-l <em class="replaceable"><code>label</code></em>}
- [<code class="option">-3</code>]
- [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
- [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
- [<code class="option">-G</code>]
- [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
- [<code class="option">-k</code>]
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
- [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
- [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
- [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
- [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-V</code>]
- [<code class="option">-y</code>]
- {name}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.11.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
- generates a key pair of files that referencing a key object stored
- in a cryptographic hardware service module (HSM). The private key
- file can be used for DNSSEC signing of zone data as if it were a
- conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
- but the key material is stored within the HSM, and the actual signing
- takes place there.
- </p>
- <p>
- The <code class="option">name</code> of the key is specified on the command
- line. This must match the name of the zone for which the key is
- being generated.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.11.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
- <p>
- Selects the cryptographic algorithm. The value of
- <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
- </p>
- <p>
- If no algorithm is specified, then RSASHA1 will be used by
- default, unless the <code class="option">-3</code> option is specified,
- in which case NSEC3RSASHA1 will be used instead. (If
- <code class="option">-3</code> is used and an algorithm is specified,
- that algorithm will be checked for compatibility with NSEC3.)
- </p>
- <p>
- These values are case insensitive. In some cases, abbreviations
- are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
- along with the <code class="option">-3</code> option, then NSEC3RSASHA1
- or NSEC3DSA will be used instead.
- </p>
- <p>
- As of BIND 9.12.0, this option is mandatory except when using
- the <code class="option">-S</code> option (which copies the algorithm from
- the predecessory key). Previously, the default for newly
- generated keys was RSASHA1.
- </p>
- </dd>
-<dt><span class="term">-3</span></dt>
-<dd>
- <p>
- Use an NSEC3-capable algorithm to generate a DNSSEC key.
- If this option is used with an algorithm that has both
- NSEC and NSEC3 versions, then the NSEC3 version will be
- used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
- specifies the NSEC3RSASHA1 algorithm.
- </p>
- </dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd>
- <p>
- Specifies the cryptographic hardware to use.
- </p>
- <p>
- When BIND is built with OpenSSL PKCS#11 support, this defaults
- to the string "pkcs11", which identifies an OpenSSL engine
- that can drive a cryptographic accelerator or hardware service
- module. When BIND is built with native PKCS#11 cryptography
- (--enable-native-pkcs11), it defaults to the path of the PKCS#11
- provider library specified via "--with-pkcs11".
- </p>
- </dd>
-<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
-<dd>
- <p>
- Specifies the label for a key pair in the crypto hardware.
- </p>
- <p>
- When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
- PKCS#11 support, the label is an arbitrary string that
- identifies a particular key. It may be preceded by an
- optional OpenSSL engine name, followed by a colon, as in
- "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
- </p>
- <p>
- When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
- support, the label is a PKCS#11 URI string in the format
- "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
- Keywords include "token", which identifies the HSM; "object", which
- identifies the key; and "pin-source", which identifies a file from
- which the HSM's PIN code can be obtained. The label will be
- stored in the on-disk "private" file.
- </p>
- <p>
- If the label contains a
- <code class="option">pin-source</code> field, tools using the generated
- key files will be able to use the HSM for signing and other
- operations without any need for an operator to manually enter
- a PIN. Note: Making the HSM's PIN accessible in this manner
- may reduce the security advantage of using an HSM; be sure
- this is what you want to do before making use of this feature.
- </p>
- </dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
- <p>
- Specifies the owner type of the key. The value of
- <code class="option">nametype</code> must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
- a host (KEY)),
- USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are case insensitive.
- </p>
- </dd>
-<dt><span class="term">-C</span></dt>
-<dd>
- <p>
- Compatibility mode: generates an old-style key, without
- any metadata. By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
- will include the key's creation date in the metadata stored
- with the private key, and other dates may be set there as well
- (publication date, activation date, etc). Keys that include
- this data may be incompatible with older versions of BIND; the
- <code class="option">-C</code> option suppresses them.
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
- <p>
- Indicates that the DNS record containing the key should have
- the specified class. If not specified, class IN is used.
- </p>
- </dd>
-<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
- <p>
- Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flags are KSK (Key Signing Key) and REVOKE.
- </p>
- </dd>
-<dt><span class="term">-G</span></dt>
-<dd>
- <p>
- Generate a key, but do not publish it or sign with it. This
- option is incompatible with -P and -A.
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Prints a short summary of the options and arguments to
- <span class="command"><strong>dnssec-keyfromlabel</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Sets the directory in which the key files are to be written.
- </p>
- </dd>
-<dt><span class="term">-k</span></dt>
-<dd>
- <p>
- Generate KEY records rather than DNSKEY records.
- </p>
- </dd>
-<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
- <p>
- Sets the default TTL to use for this key when it is converted
- into a DNSKEY RR. If the key is imported into a zone,
- this is the TTL that will be used for it, unless there was
- already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. Setting the default TTL to
- <code class="literal">0</code> or <code class="literal">none</code> removes it.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd>
- <p>
- Sets the protocol value for the key. The protocol
- is a number between 0 and 255. The default is 3 (DNSSEC).
- Other possible values for this argument are listed in
- RFC 2535 and its successors.
- </p>
- </dd>
-<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
-<dd>
- <p>
- Generate a key as an explicit successor to an existing key.
- The name, algorithm, size, and type of the key will be set
- to match the predecessor. The activation date of the new
- key will be set to the inactivation date of the existing
- one. The publication date will be set to the activation
- date minus the prepublication interval, which defaults to
- 30 days.
- </p>
- </dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
- <p>
- Indicates the use of the key. <code class="option">type</code> must be
- one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
- is AUTHCONF. AUTH refers to the ability to authenticate
- data, and CONF the ability to encrypt data.
- </p>
- </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
- <p>
- Sets the debugging level.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Prints version information.
- </p>
- </dd>
-<dt><span class="term">-y</span></dt>
-<dd>
- <p>
- Allows DNSSEC key files to be generated even if the key ID
- would collide with that of an existing key, in the event of
- either key being revoked. (This is only safe to use if you
- are sure you won't be using RFC 5011 trust anchor maintenance
- with either of the keys involved.)
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.11.9"></a><h2>TIMING OPTIONS</h2>
-
-
- <p>
- Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
- If the argument begins with a '+' or '-', it is interpreted as
- an offset from the present time. For convenience, if such an offset
- is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
- then the offset is computed in years (defined as 365 24-hour days,
- ignoring leap years), months (defined as 30 24-hour days), weeks,
- days, hours, or minutes, respectively. Without a suffix, the offset
- is computed in seconds. To explicitly prevent a date from being
- set, use 'none' or 'never'.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which a key is to be published to the zone.
- After that date, the key will be included in the zone but will
- not be used to sign it. If not set, and if the -G option has
- not been used, the default is "now".
- </p>
- </dd>
-<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the CDS and CDNSKEY records which match
- this key are to be published to the zone.
- </p>
- </dd>
-<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be activated. After that
- date, the key will be included in the zone and used to sign
- it. If not set, and if the -G option has not been used, the
- default is "now".
- </p>
- </dd>
-<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be revoked. After that
- date, the key will be flagged as revoked. It will be included
- in the zone and will be used to sign it.
- </p>
- </dd>
-<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be retired. After that
- date, the key will still be included in the zone, but it
- will not be used to sign it.
- </p>
- </dd>
-<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be deleted. After that
- date, the key will no longer be included in the zone. (It
- may remain in the key repository, however.)
- </p>
- </dd>
-<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the CDS and CDNSKEY records which match
- this key are to be deleted.
- </p>
- </dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
- <p>
- Sets the prepublication interval for a key. If set, then
- the publication and activation dates must be separated by at least
- this much time. If the activation date is specified but the
- publication date isn't, then the publication date will default
- to this much time before the activation date; conversely, if
- the publication date is specified but activation date isn't,
- then activation will be set to this much time after publication.
- </p>
- <p>
- If the key is being created as an explicit successor to another
- key, then the default prepublication interval is 30 days;
- otherwise it is zero.
- </p>
- <p>
- As with date offsets, if the argument is followed by one of
- the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
- interval is measured in years, months, weeks, days, hours,
- or minutes, respectively. Without a suffix, the interval is
- measured in seconds.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.11.10"></a><h2>GENERATED KEY FILES</h2>
-
- <p>
- When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
- successfully,
- it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
- to the standard output. This is an identification string for
- the key files it has generated.
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p><code class="filename">nnnn</code> is the key name.
- </p>
- </li>
-<li class="listitem">
- <p><code class="filename">aaa</code> is the numeric representation
- of the algorithm.
- </p>
- </li>
-<li class="listitem">
- <p><code class="filename">iiiii</code> is the key identifier (or
- footprint).
- </p>
- </li>
-</ul></div>
- <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
- creates two files, with names based
- on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
- contains the public key, and
- <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
- private key.
- </p>
- <p>
- The <code class="filename">.key</code> file contains a DNS KEY record
- that
- can be inserted into a zone file (directly or with a $INCLUDE
- statement).
- </p>
- <p>
- The <code class="filename">.private</code> file contains
- algorithm-specific
- fields. For obvious security reasons, this file does not have
- general read permission.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.11.11"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-signzone</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 4034</em>,
- <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-importkey</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-keygen</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
-<link rel="next" href="man.dnssec-keymgr.html" title="dnssec-keymgr">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-keymgr.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-keygen</span>
- — DNSSEC key generation tool
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-keygen</code>
- [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
- [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
- [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
- [<code class="option">-3</code>]
- [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-C</code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
- [<code class="option">-G</code>]
- [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
- [<code class="option">-h</code>]
- [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-k</code>]
- [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
- [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
- [<code class="option">-q</code>]
- [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
- [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
- [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
- [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
- [<code class="option">-V</code>]
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-z</code>]
- {name}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.12.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dnssec-keygen</strong></span>
- generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
- and RFC 4034. It can also generate keys for use with
- TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
- (Transaction Key) as defined in RFC 2930.
- </p>
- <p>
- The <code class="option">name</code> of the key is specified on the command
- line. For DNSSEC keys, this must match the name of the zone for
- which the key is being generated.
- </p>
- <p>
- The <span class="command"><strong>dnssec-keymgr</strong></span> command acts as a wrapper
- around <span class="command"><strong>dnssec-keygen</strong></span>, generating and updating keys
- as needed to enforce defined security policies such as key rollover
- scheduling. Using <span class="command"><strong>dnssec-keymgr</strong></span> may be preferable
- to direct use of <span class="command"><strong>dnssec-keygen</strong></span>.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.12.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
- <p>
- Selects the cryptographic algorithm. For DNSSEC keys, the value
- of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
- TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
- HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
- or HMAC-SHA512; specifying any of these algorithms will
- automatically set the <code class="option">-T KEY</code> option as well.
- (Note: <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys in a
- more useful format than <span class="command"><strong>dnssec-keygen</strong></span>.)
- </p>
- <p>
- These values are case insensitive. In some cases, abbreviations
- are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
- along with the <code class="option">-3</code> option, then NSEC3RSASHA1
- or NSEC3DSA will be used instead.
- </p>
- <p>
- As of BIND 9.12.0, this option is mandatory except when using
- the <code class="option">-S</code> option (which copies the algorithm from
- the predecessor key). Previously, the default for newly
- generated keys was RSASHA1.
- </p>
- </dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd>
- <p>
- Specifies the number of bits in the key. The choice of key
- size depends on the algorithm used. RSA keys must be
- between 1024 and 2048 bits. Diffie Hellman keys must be between
- 128 and 4096 bits. DSA keys must be between 512 and 1024
- bits and an exact multiple of 64. HMAC keys must be
- between 1 and 512 bits. Elliptic curve algorithms don't need
- this parameter.
- </p>
- <p>
- If the key size is not specified, some algorithms have
- pre-defined defaults. For example, RSA keys for use as
- DNSSEC zone signing keys have a default size of 1024 bits;
- RSA keys for use as key signing keys (KSKs, generated with
- <code class="option">-f KSK</code>) default to 2048 bits.
- </p>
- </dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
- <p>
- Specifies the owner type of the key. The value of
- <code class="option">nametype</code> must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
- with a host (KEY)), USER (for a key associated with a
- user(KEY)) or OTHER (DNSKEY). These values are case
- insensitive. Defaults to ZONE for DNSKEY generation.
- </p>
- </dd>
-<dt><span class="term">-3</span></dt>
-<dd>
- <p>
- Use an NSEC3-capable algorithm to generate a DNSSEC key.
- If this option is used with an algorithm that has both
- NSEC and NSEC3 versions, then the NSEC3 version will be
- used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
- specifies the NSEC3RSASHA1 algorithm.
- </p>
- </dd>
-<dt><span class="term">-C</span></dt>
-<dd>
- <p>
- Compatibility mode: generates an old-style key, without
- any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
- will include the key's creation date in the metadata stored
- with the private key, and other dates may be set there as well
- (publication date, activation date, etc). Keys that include
- this data may be incompatible with older versions of BIND; the
- <code class="option">-C</code> option suppresses them.
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
- <p>
- Indicates that the DNS record containing the key should have
- the specified class. If not specified, class IN is used.
- </p>
- </dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd>
- <p>
- Specifies the cryptographic hardware to use, when applicable.
- </p>
- <p>
- When BIND is built with OpenSSL PKCS#11 support, this defaults
- to the string "pkcs11", which identifies an OpenSSL engine
- that can drive a cryptographic accelerator or hardware service
- module. When BIND is built with native PKCS#11 cryptography
- (--enable-native-pkcs11), it defaults to the path of the PKCS#11
- provider library specified via "--with-pkcs11".
- </p>
- </dd>
-<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
- <p>
- Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flags are KSK (Key Signing Key) and REVOKE.
- </p>
- </dd>
-<dt><span class="term">-G</span></dt>
-<dd>
- <p>
- Generate a key, but do not publish it or sign with it. This
- option is incompatible with -P and -A.
- </p>
- </dd>
-<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
-<dd>
- <p>
- If generating a Diffie Hellman key, use this generator.
- Allowed values are 2 and 5. If no generator
- is specified, a known prime from RFC 2539 will be used
- if possible; otherwise the default is 2.
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Prints a short summary of the options and arguments to
- <span class="command"><strong>dnssec-keygen</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Sets the directory in which the key files are to be written.
- </p>
- </dd>
-<dt><span class="term">-k</span></dt>
-<dd>
- <p>
- Deprecated in favor of -T KEY.
- </p>
- </dd>
-<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
- <p>
- Sets the default TTL to use for this key when it is converted
- into a DNSKEY RR. If the key is imported into a zone,
- this is the TTL that will be used for it, unless there was
- already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. If this value is not set and there
- is no existing DNSKEY RRset, the TTL will default to the
- SOA TTL. Setting the default TTL to <code class="literal">0</code>
- or <code class="literal">none</code> is the same as leaving it unset.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd>
- <p>
- Sets the protocol value for the generated key. The protocol
- is a number between 0 and 255. The default is 3 (DNSSEC).
- Other possible values for this argument are listed in
- RFC 2535 and its successors.
- </p>
- </dd>
-<dt><span class="term">-q</span></dt>
-<dd>
- <p>
- Quiet mode: Suppresses unnecessary output, including
- progress indication. Without this option, when
- <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
- to generate an RSA or DSA key pair, it will print a string
- of symbols to <code class="filename">stderr</code> indicating the
- progress of the key generation. A '.' indicates that a
- random number has been found which passed an initial
- sieve test; '+' means a number has passed a single
- round of the Miller-Rabin primality test; a space
- means that the number has passed all the tests and is
- a satisfactory key.
- </p>
- </dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
- <p>
- Specifies the source of randomness. If the operating
- system does not provide a <code class="filename">/dev/random</code>
- or equivalent device, the default source of randomness
- is keyboard input. <code class="filename">randomdev</code>
- specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard
- input should be used.
- </p>
- </dd>
-<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
-<dd>
- <p>
- Create a new key which is an explicit successor to an
- existing key. The name, algorithm, size, and type of the
- key will be set to match the existing key. The activation
- date of the new key will be set to the inactivation date of
- the existing one. The publication date will be set to the
- activation date minus the prepublication interval, which
- defaults to 30 days.
- </p>
- </dd>
-<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
-<dd>
- <p>
- Specifies the strength value of the key. The strength is
- a number between 0 and 15, and currently has no defined
- purpose in DNSSEC.
- </p>
- </dd>
-<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
-<dd>
- <p>
- Specifies the resource record type to use for the key.
- <code class="option">rrtype</code> must be either DNSKEY or KEY. The
- default is DNSKEY when using a DNSSEC algorithm, but it can be
- overridden to KEY for use with SIG(0).
- </p>
-<p>
- </p>
-<p>
- Specifying any TSIG algorithm (HMAC-* or DH) with
- <code class="option">-a</code> forces this option to KEY.
- </p>
- </dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
- <p>
- Indicates the use of the key. <code class="option">type</code> must be
- one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
- is AUTHCONF. AUTH refers to the ability to authenticate
- data, and CONF the ability to encrypt data.
- </p>
- </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
- <p>
- Sets the debugging level.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Prints version information.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.12.9"></a><h2>TIMING OPTIONS</h2>
-
-
- <p>
- Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
- If the argument begins with a '+' or '-', it is interpreted as
- an offset from the present time. For convenience, if such an offset
- is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
- then the offset is computed in years (defined as 365 24-hour days,
- ignoring leap years), months (defined as 30 24-hour days), weeks,
- days, hours, or minutes, respectively. Without a suffix, the offset
- is computed in seconds. To explicitly prevent a date from being
- set, use 'none' or 'never'.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which a key is to be published to the zone.
- After that date, the key will be included in the zone but will
- not be used to sign it. If not set, and if the -G option has
- not been used, the default is "now".
- </p>
- </dd>
-<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which CDS and CDNSKEY records that match this
- key are to be published to the zone.
- </p>
- </dd>
-<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be activated. After that
- date, the key will be included in the zone and used to sign
- it. If not set, and if the -G option has not been used, the
- default is "now". If set, if and -P is not set, then
- the publication date will be set to the activation date
- minus the prepublication interval.
- </p>
- </dd>
-<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be revoked. After that
- date, the key will be flagged as revoked. It will be included
- in the zone and will be used to sign it.
- </p>
- </dd>
-<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be retired. After that
- date, the key will still be included in the zone, but it
- will not be used to sign it.
- </p>
- </dd>
-<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be deleted. After that
- date, the key will no longer be included in the zone. (It
- may remain in the key repository, however.)
- </p>
- </dd>
-<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the CDS and CDNSKEY records that match this
- key are to be deleted.
- </p>
- </dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
- <p>
- Sets the prepublication interval for a key. If set, then
- the publication and activation dates must be separated by at least
- this much time. If the activation date is specified but the
- publication date isn't, then the publication date will default
- to this much time before the activation date; conversely, if
- the publication date is specified but activation date isn't,
- then activation will be set to this much time after publication.
- </p>
- <p>
- If the key is being created as an explicit successor to another
- key, then the default prepublication interval is 30 days;
- otherwise it is zero.
- </p>
- <p>
- As with date offsets, if the argument is followed by one of
- the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
- interval is measured in years, months, weeks, days, hours,
- or minutes, respectively. Without a suffix, the interval is
- measured in seconds.
- </p>
- </dd>
-</dl></div>
- </div>
-
-
- <div class="refsection">
-<a name="id-1.14.12.10"></a><h2>GENERATED KEYS</h2>
-
- <p>
- When <span class="command"><strong>dnssec-keygen</strong></span> completes
- successfully,
- it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
- to the standard output. This is an identification string for
- the key it has generated.
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p><code class="filename">nnnn</code> is the key name.
- </p>
- </li>
-<li class="listitem">
- <p><code class="filename">aaa</code> is the numeric representation
- of the
- algorithm.
- </p>
- </li>
-<li class="listitem">
- <p><code class="filename">iiiii</code> is the key identifier (or
- footprint).
- </p>
- </li>
-</ul></div>
- <p><span class="command"><strong>dnssec-keygen</strong></span>
- creates two files, with names based
- on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
- contains the public key, and
- <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
- private
- key.
- </p>
- <p>
- The <code class="filename">.key</code> file contains a DNS KEY record
- that
- can be inserted into a zone file (directly or with a $INCLUDE
- statement).
- </p>
- <p>
- The <code class="filename">.private</code> file contains
- algorithm-specific
- fields. For obvious security reasons, this file does not have
- general read permission.
- </p>
- <p>
- Both <code class="filename">.key</code> and <code class="filename">.private</code>
- files are generated for symmetric cryptography algorithms such as
- HMAC-MD5, even though the public and private key are equivalent.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.12.11"></a><h2>EXAMPLE</h2>
-
- <p>
- To generate a 768-bit DSA key for the domain
- <strong class="userinput"><code>example.com</code></strong>, the following command would be
- issued:
- </p>
- <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
- </p>
- <p>
- The command would print a string of the form:
- </p>
- <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
- </p>
- <p>
- In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
- the files <code class="filename">Kexample.com.+003+26160.key</code>
- and
- <code class="filename">Kexample.com.+003+26160.private</code>.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.12.12"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dnssec-signzone</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 2539</em>,
- <em class="citetitle">RFC 2845</em>,
- <em class="citetitle">RFC 4034</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-keymgr.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-keyfromlabel</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-keymgr</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-keymgr</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
-<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-keymgr</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-revoke.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-keymgr"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-keymgr</span>
- — Ensures correct DNSKEY coverage for a zone based on a defined policy
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-keymgr</code>
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-c <em class="replaceable"><code>file</code></em></code>]
- [<code class="option">-f</code>]
- [<code class="option">-k</code>]
- [<code class="option">-q</code>]
- [<code class="option">-v</code>]
- [<code class="option">-z</code>]
- [<code class="option">-g <em class="replaceable"><code>path</code></em></code>]
- [<code class="option">-r <em class="replaceable"><code>path</code></em></code>]
- [<code class="option">-s <em class="replaceable"><code>path</code></em></code>]
- [zone...]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.13.7"></a><h2>DESCRIPTION</h2>
- <p>
- <span class="command"><strong>dnssec-keymgr</strong></span> is a high level Python wrapper
- to facilitate the key rollover process for zones handled by
- BIND. It uses the BIND commands for manipulating DNSSEC key
- metadata: <span class="command"><strong>dnssec-keygen</strong></span> and
- <span class="command"><strong>dnssec-settime</strong></span>.
- </p>
- <p>
- DNSSEC policy can be read from a configuration file (default
- <code class="filename">/etc/dnssec-policy.conf</code>), from which the key
- parameters, publication and rollover schedule, and desired
- coverage duration for any given zone can be determined. This
- file may be used to define individual DNSSEC policies on a
- per-zone basis, or to set a default policy used for all zones.
- </p>
- <p>
- When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
- keys for one or more zones, comparing their timing metadata against
- the policies for those zones. If key settings do not conform to the
- DNSSEC policy (for example, because the policy has been changed),
- they are automatically corrected.
- </p>
- <p>
- A zone policy can specify a duration for which we want to
- ensure the key correctness (<code class="option">coverage</code>). It can
- also specify a rollover period (<code class="option">roll-period</code>).
- If policy indicates that a key should roll over before the
- coverage period ends, then a successor key will automatically be
- created and added to the end of the key series.
- </p>
- <p>
- If zones are specified on the command line,
- <span class="command"><strong>dnssec-keymgr</strong></span> will examine only those zones.
- If a specified zone does not already have keys in place, then
- keys will be generated for it according to policy.
- </p>
- <p>
- If zones are <span class="emphasis"><em>not</em></span> specified on the command
- line, then <span class="command"><strong>dnssec-keymgr</strong></span> will search the
- key directory (either the current working directory or the directory
- set by the <code class="option">-K</code> option), and check the keys for
- all the zones represented in the directory.
- </p>
- <p>
- It is expected that this tool will be run automatically and
- unattended (for example, by <span class="command"><strong>cron</strong></span>).
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.13.8"></a><h2>OPTIONS</h2>
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
- <p>
- If <code class="option">-c</code> is specified, then the DNSSEC
- policy is read from <code class="option">file</code>. (If not
- specified, then the policy is read from
- <code class="filename">/etc/dnssec-policy.conf</code>; if that file
- doesn't exist, a built-in global default policy is used.)
- </p>
- </dd>
-<dt><span class="term">-f</span></dt>
-<dd>
- <p>
- Force: allow updating of key events even if they are
- already in the past. This is not recommended for use with
- zones in which keys have already been published. However,
- if a set of keys has been generated all of which have
- publication and activation dates in the past, but the
- keys have not been published in a zone as yet, then this
- option can be used to clean them up and turn them into a
- proper series of keys with appropriate rollover intervals.
- </p>
- </dd>
-<dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
-<dd>
- <p>
- Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
- Used for testing.
- See also the <code class="option">-s</code> option.
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
- and exit.
- </p>
- </dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Sets the directory in which keys can be found. Defaults to the
- current working directory.
- </p>
- </dd>
-<dt><span class="term">-k</span></dt>
-<dd>
- <p>
- Only apply policies to KSK keys.
- See also the <code class="option">-z</code> option.
- </p>
- </dd>
-<dt><span class="term">-q</span></dt>
-<dd>
- <p>
- Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
- and <span class="command"><strong>dnssec-settime</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
- <p>
- Specifies a path to a file containing random data.
- This is passed to the <span class="command"><strong>dnssec-keygen</strong></span> binary
- using its <code class="option">-r</code> option.
-
- </p>
- </dd>
-<dt><span class="term">-s <em class="replaceable"><code>settime-path</code></em></span></dt>
-<dd>
- <p>
- Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
- Used for testing.
- See also the <code class="option">-g</code> option.
- </p>
- </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
- <p>
- Print the <span class="command"><strong>dnssec-keymgr</strong></span> version and exit.
- </p>
- </dd>
-<dt><span class="term">-z</span></dt>
-<dd>
- <p>
- Only apply policies to ZSK keys.
- See also the <code class="option">-k</code> option.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.13.9"></a><h2>POLICY CONFIGURATION</h2>
- <p>
- The <code class="filename">dnssec-policy.conf</code> file can specify three kinds
- of policies:
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- <span class="emphasis"><em>Policy classes</em></span>
- (<code class="option">policy <em class="replaceable"><code>name</code></em> { ... };</code>)
- can be inherited by zone policies or other policy classes; these
- can be used to create sets of different security profiles. For
- example, a policy class <strong class="userinput"><code>normal</code></strong> might specify
- 1024-bit key sizes, but a class <strong class="userinput"><code>extra</code></strong> might
- specify 2048 bits instead; <strong class="userinput"><code>extra</code></strong> would be
- used for zones that had unusually high security needs.
- </p>
- </li>
-<li class="listitem">
- <p>
- Algorithm policies:
- (<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
- override default per-algorithm settings. For example, by default,
- RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
- can be modified using <span class="command"><strong>algorithm-policy</strong></span>, and the
- new key sizes would then be used for any key of type RSASHA256.
- </p>
- </li>
-<li class="listitem">
- <p>
- Zone policies:
- (<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
- set policy for a single zone by name. A zone policy can inherit
- a policy class by including a <code class="option">policy</code> option.
- Zone names beginning with digits (i.e., 0-9) must be quoted.
- </p>
- </li>
-</ul></div>
- <p>
- Options that can be specified in policies:
- </p>
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>algorithm</strong></span></span></dt>
-<dd>
- <p>
- The key algorithm. If no policy is defined, the default is
- RSASHA256.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
-<dd>
- <p>
- The length of time to ensure that keys will be correct; no action
- will be taken to create new keys to be activated after this time.
- This can be represented as a number of seconds, or as a duration using
- human-readable units (examples: "1y" or "6 months").
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies.
- If no policy is configured, the default is six months.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
-<dd>
- <p>
- Specifies the directory in which keys should be stored.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
-<dd>
- <p>
- Specifies the number of bits to use in creating keys.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies. If no policy is
- configured, the default is 1024 bits for DSA keys and 2048 for
- RSA.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
-<dd>
- <p>
- The key TTL. If no policy is defined, the default is one hour.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>post-publish</strong></span></span></dt>
-<dd>
- <p>
- How long after inactivation a key should be deleted from the zone.
- Note: If <code class="option">roll-period</code> is not set, this value is
- ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
- duration. A default value for this option can be set in algorithm
- policies as well as in policy classes or zone policies. The default
- is one month.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>pre-publish</strong></span></span></dt>
-<dd>
- <p>
- How long before activation a key should be published. Note: If
- <code class="option">roll-period</code> is not set, this value is ignored.
- Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies. The default is
- one month.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
-<dd>
- <p>
- How frequently keys should be rolled over.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
- as well as in policy classes or zone policies. If no policy is
- configured, the default is one year for ZSK's. KSK's do not
- roll over by default.
- </p>
- </dd>
-<dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
-<dd>
- <p>
- Not yet implemented.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.13.10"></a><h2>REMAINING WORK</h2>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Enable scheduling of KSK rollovers using the <code class="option">-P sync</code>
- and <code class="option">-D sync</code> options to
- <span class="command"><strong>dnssec-keygen</strong></span> and
- <span class="command"><strong>dnssec-settime</strong></span>. Check the parent zone
- (as in <span class="command"><strong>dnssec-checkds</strong></span>) to determine when it's
- safe for the key to roll.
- </p>
- </li>
-<li class="listitem">
- <p>
- Allow configuration of standby keys and use of the REVOKE bit,
- for keys that use RFC 5011 semantics.
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.13.11"></a><h2>SEE ALSO</h2>
- <p>
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-coverage</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-settime</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-checkds</span>(8)
- </span>
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-revoke.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-keygen</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-revoke</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-revoke</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-keymgr.html" title="dnssec-keymgr">
-<link rel="next" href="man.dnssec-settime.html" title="dnssec-settime">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-revoke</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-keymgr.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-settime.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-revoke</span>
- — set the REVOKED bit on a DNSSEC key
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-revoke</code>
- [<code class="option">-hr</code>]
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-V</code>]
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
- [<code class="option">-f</code>]
- [<code class="option">-R</code>]
- {keyfile}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.14.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dnssec-revoke</strong></span>
- reads a DNSSEC key file, sets the REVOKED bit on the key as defined
- in RFC 5011, and creates a new pair of key files containing the
- now-revoked key.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.14.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Emit usage message and exit.
- </p>
- </dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Sets the directory in which the key files are to reside.
- </p>
- </dd>
-<dt><span class="term">-r</span></dt>
-<dd>
- <p>
- After writing the new keyset files remove the original keyset
- files.
- </p>
- </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
- <p>
- Sets the debugging level.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Prints version information.
- </p>
- </dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd>
- <p>
- Specifies the cryptographic hardware to use, when applicable.
- </p>
- <p>
- When BIND is built with OpenSSL PKCS#11 support, this defaults
- to the string "pkcs11", which identifies an OpenSSL engine
- that can drive a cryptographic accelerator or hardware service
- module. When BIND is built with native PKCS#11 cryptography
- (--enable-native-pkcs11), it defaults to the path of the PKCS#11
- provider library specified via "--with-pkcs11".
- </p>
- </dd>
-<dt><span class="term">-f</span></dt>
-<dd>
- <p>
- Force overwrite: Causes <span class="command"><strong>dnssec-revoke</strong></span> to
- write the new key pair even if a file already exists matching
- the algorithm and key ID of the revoked key.
- </p>
- </dd>
-<dt><span class="term">-R</span></dt>
-<dd>
- <p>
- Print the key tag of the key with the REVOKE bit set but do
- not revoke the key.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.14.9"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 5011</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-keymgr.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-settime.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-keymgr</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-settime</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-settime</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
-<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-settime</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-revoke.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-settime"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-settime</span>
- — set the key timing metadata for a DNSSEC key
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-settime</code>
- [<code class="option">-f</code>]
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
- [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
- [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
- [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
- [<code class="option">-h</code>]
- [<code class="option">-V</code>]
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
- {keyfile}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.15.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dnssec-settime</strong></span>
- reads a DNSSEC private key file and sets the key timing metadata
- as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
- <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
- options. The metadata can then be used by
- <span class="command"><strong>dnssec-signzone</strong></span> or other signing software to
- determine when a key is to be published, whether it should be
- used for signing a zone, etc.
- </p>
- <p>
- If none of these options is set on the command line,
- then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing
- metadata already stored in the key.
- </p>
- <p>
- When key metadata fields are changed, both files of a key
- pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
- <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
- Metadata fields are stored in the private file. A human-readable
- description of the metadata is also placed in comments in the key
- file. The private file's permissions are always set to be
- inaccessible to anyone other than the owner (mode 0600).
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.15.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-f</span></dt>
-<dd>
- <p>
- Force an update of an old-format key with no metadata fields.
- Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
- fail when attempting to update a legacy key. With this option,
- the key will be recreated in the new format, but with the
- original key data retained. The key's creation date will be
- set to the present time. If no other values are specified,
- then the key's publication and activation dates will also
- be set to the present time.
- </p>
- </dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Sets the directory in which the key files are to reside.
- </p>
- </dd>
-<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
- <p>
- Sets the default TTL to use for this key when it is converted
- into a DNSKEY RR. If the key is imported into a zone,
- this is the TTL that will be used for it, unless there was
- already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. If this value is not set and there
- is no existing DNSKEY RRset, the TTL will default to the
- SOA TTL. Setting the default TTL to <code class="literal">0</code>
- or <code class="literal">none</code> removes it from the key.
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Emit usage message and exit.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Prints version information.
- </p>
- </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
- <p>
- Sets the debugging level.
- </p>
- </dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd>
- <p>
- Specifies the cryptographic hardware to use, when applicable.
- </p>
- <p>
- When BIND is built with OpenSSL PKCS#11 support, this defaults
- to the string "pkcs11", which identifies an OpenSSL engine
- that can drive a cryptographic accelerator or hardware service
- module. When BIND is built with native PKCS#11 cryptography
- (--enable-native-pkcs11), it defaults to the path of the PKCS#11
- provider library specified via "--with-pkcs11".
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.15.9"></a><h2>TIMING OPTIONS</h2>
-
- <p>
- Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
- If the argument begins with a '+' or '-', it is interpreted as
- an offset from the present time. For convenience, if such an offset
- is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
- then the offset is computed in years (defined as 365 24-hour days,
- ignoring leap years), months (defined as 30 24-hour days), weeks,
- days, hours, or minutes, respectively. Without a suffix, the offset
- is computed in seconds. To unset a date, use 'none' or 'never'.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which a key is to be published to the zone.
- After that date, the key will be included in the zone but will
- not be used to sign it.
- </p>
- </dd>
-<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which CDS and CDNSKEY records that match this
- key are to be published to the zone.
- </p>
- </dd>
-<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be activated. After that
- date, the key will be included in the zone and used to sign
- it.
- </p>
- </dd>
-<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be revoked. After that
- date, the key will be flagged as revoked. It will be included
- in the zone and will be used to sign it.
- </p>
- </dd>
-<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be retired. After that
- date, the key will still be included in the zone, but it
- will not be used to sign it.
- </p>
- </dd>
-<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the key is to be deleted. After that
- date, the key will no longer be included in the zone. (It
- may remain in the key repository, however.)
- </p>
- </dd>
-<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd>
- <p>
- Sets the date on which the CDS and CDNSKEY records that match this
- key are to be deleted.
- </p>
- </dd>
-<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
-<dd>
- <p>
- Select a key for which the key being modified will be an
- explicit successor. The name, algorithm, size, and type of the
- predecessor key must exactly match those of the key being
- modified. The activation date of the successor key will be set
- to the inactivation date of the predecessor. The publication
- date will be set to the activation date minus the prepublication
- interval, which defaults to 30 days.
- </p>
- </dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
- <p>
- Sets the prepublication interval for a key. If set, then
- the publication and activation dates must be separated by at least
- this much time. If the activation date is specified but the
- publication date isn't, then the publication date will default
- to this much time before the activation date; conversely, if
- the publication date is specified but activation date isn't,
- then activation will be set to this much time after publication.
- </p>
- <p>
- If the key is being set to be an explicit successor to another
- key, then the default prepublication interval is 30 days;
- otherwise it is zero.
- </p>
- <p>
- As with date offsets, if the argument is followed by one of
- the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
- interval is measured in years, months, weeks, days, hours,
- or minutes, respectively. Without a suffix, the interval is
- measured in seconds.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.15.10"></a><h2>PRINTING OPTIONS</h2>
-
- <p>
- <span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
- timing metadata associated with a key.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-u</span></dt>
-<dd>
- <p>
- Print times in UNIX epoch format.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
-<dd>
- <p>
- Print a specific metadata value or set of metadata values.
- The <code class="option">-p</code> option may be followed by one or more
- of the following letters or strings to indicate which value
- or values to print:
- <code class="option">C</code> for the creation date,
- <code class="option">P</code> for the publication date,
- <code class="option">Psync</code> for the CDS and CDNSKEY publication date,
- <code class="option">A</code> for the activation date,
- <code class="option">R</code> for the revocation date,
- <code class="option">I</code> for the inactivation date,
- <code class="option">D</code> for the deletion date, and
- <code class="option">Dsync</code> for the CDS and CDNSKEY deletion date
- To print all of the metadata, use <code class="option">-p all</code>.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.15.11"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-signzone</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 5011</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-revoke.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-revoke</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-signzone</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
-<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-settime.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-verify.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-signzone</span>
- — DNSSEC zone signing tool
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-signzone</code>
- [<code class="option">-a</code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-D</code>]
- [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
- [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
- [<code class="option">-g</code>]
- [<code class="option">-h</code>]
- [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
- [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
- [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
- [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
- [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
- [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
- [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>]
- [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
- [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
- [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
- [<code class="option">-P</code>]
- [<code class="option">-p</code>]
- [<code class="option">-Q</code>]
- [<code class="option">-R</code>]
- [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
- [<code class="option">-S</code>]
- [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
- [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
- [<code class="option">-t</code>]
- [<code class="option">-u</code>]
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-V</code>]
- [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
- [<code class="option">-x</code>]
- [<code class="option">-z</code>]
- [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
- [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
- [<code class="option">-A</code>]
- {zonefile}
- [key...]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.16.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dnssec-signzone</strong></span>
- signs a zone. It generates
- NSEC and RRSIG records and produces a signed version of the
- zone. The security status of delegations from the signed zone
- (that is, whether the child zones are secure or not) is
- determined by the presence or absence of a
- <code class="filename">keyset</code> file for each child zone.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.16.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a</span></dt>
-<dd>
- <p>
- Verify all generated signatures.
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
- <p>
- Specifies the DNS class of the zone.
- </p>
- </dd>
-<dt><span class="term">-C</span></dt>
-<dd>
- <p>
- Compatibility mode: Generate a
- <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
- file in addition to
- <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
- when signing a zone, for use by older versions of
- <span class="command"><strong>dnssec-signzone</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Look for <code class="filename">dsset-</code> or
- <code class="filename">keyset-</code> files in <code class="option">directory</code>.
- </p>
- </dd>
-<dt><span class="term">-D</span></dt>
-<dd>
- <p>
- Output only those record types automatically managed by
- <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
- NSEC3 and NSEC3PARAM records. If smart signing
- (<code class="option">-S</code>) is used, DNSKEY records are also
- included. The resulting file can be included in the original
- zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
- cannot be combined with <code class="option">-O raw</code>,
- <code class="option">-O map</code>, or serial number updating.
- </p>
- </dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd>
- <p>
- When applicable, specifies the hardware to use for
- cryptographic operations, such as a secure key store used
- for signing.
- </p>
- <p>
- When BIND is built with OpenSSL PKCS#11 support, this defaults
- to the string "pkcs11", which identifies an OpenSSL engine
- that can drive a cryptographic accelerator or hardware service
- module. When BIND is built with native PKCS#11 cryptography
- (--enable-native-pkcs11), it defaults to the path of the PKCS#11
- provider library specified via "--with-pkcs11".
- </p>
- </dd>
-<dt><span class="term">-g</span></dt>
-<dd>
- <p>
- Generate DS records for child zones from
- <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
- file. Existing DS records will be removed.
- </p>
- </dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Key repository: Specify a directory to search for DNSSEC keys.
- If not specified, defaults to the current directory.
- </p>
- </dd>
-<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
-<dd>
- <p>
- Treat specified key as a key signing key ignoring any
- key flags. This option may be specified multiple times.
- </p>
- </dd>
-<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
- <p>
- Generate a DLV set in addition to the key (DNSKEY) and DS sets.
- The domain is appended to the name of the records.
- </p>
- </dd>
-<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
-<dd>
- <p>
- Sets the maximum TTL for the signed zone.
- Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
- input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
- in the output. This provides certainty as to the largest
- possible TTL in the signed zone, which is useful to know when
- rolling keys because it is the longest possible time before
- signatures that have been retrieved by resolvers will expire
- from resolver caches. Zones that are signed with this
- option should be configured to use a matching
- <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
- (Note: This option is incompatible with <code class="option">-D</code>,
- because it modifies non-DNSSEC data in the output zone.)
- </p>
- </dd>
-<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd>
- <p>
- Specify the date and time when the generated RRSIG records
- become valid. This can be either an absolute or relative
- time. An absolute start time is indicated by a number
- in YYYYMMDDHHMMSS notation; 20000530144500 denotes
- 14:45:00 UTC on May 30th, 2000. A relative start time is
- indicated by +N, which is N seconds from the current time.
- If no <code class="option">start-time</code> is specified, the current
- time minus 1 hour (to allow for clock skew) is used.
- </p>
- </dd>
-<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
-<dd>
- <p>
- Specify the date and time when the generated RRSIG records
- expire. As with <code class="option">start-time</code>, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no <code class="option">end-time</code> is
- specified, 30 days from the start time is used as a default.
- <code class="option">end-time</code> must be later than
- <code class="option">start-time</code>.
- </p>
- </dd>
-<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
-<dd>
- <p>
- Specify the date and time when the generated RRSIG records
- for the DNSKEY RRset will expire. This is to be used in cases
- when the DNSKEY signatures need to persist longer than
- signatures on other records; e.g., when the private component
- of the KSK is kept offline and the KSK signature is to be
- refreshed manually.
- </p>
- <p>
- As with <code class="option">start-time</code>, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no <code class="option">extended end-time</code> is
- specified, the value of <code class="option">end-time</code> is used as
- the default. (<code class="option">end-time</code>, in turn, defaults to
- 30 days from the start time.) <code class="option">extended end-time</code>
- must be later than <code class="option">start-time</code>.
- </p>
- </dd>
-<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
-<dd>
- <p>
- The name of the output file containing the signed zone. The
- default is to append <code class="filename">.signed</code> to
- the input filename. If <code class="option">output-file</code> is
- set to <code class="literal">"-"</code>, then the signed zone is
- written to the standard output, with a default output
- format of "full".
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Prints a short summary of the options and arguments to
- <span class="command"><strong>dnssec-signzone</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Prints version information.
- </p>
- </dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
- <p>
- When a previously-signed zone is passed as input, records
- may be resigned. The <code class="option">interval</code> option
- specifies the cycle interval as an offset from the current
- time (in seconds). If a RRSIG record expires after the
- cycle interval, it is retained. Otherwise, it is considered
- to be expiring soon, and it will be replaced.
- </p>
- <p>
- The default cycle interval is one quarter of the difference
- between the signature end and start times. So if neither
- <code class="option">end-time</code> or <code class="option">start-time</code>
- are specified, <span class="command"><strong>dnssec-signzone</strong></span>
- generates
- signatures that are valid for 30 days, with a cycle
- interval of 7.5 days. Therefore, if any existing RRSIG records
- are due to expire in less than 7.5 days, they would be
- replaced.
- </p>
- </dd>
-<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd>
- <p>
- The format of the input zone file.
- Possible formats are <span class="command"><strong>"text"</strong></span> (default),
- <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
- This option is primarily intended to be used for dynamic
- signed zones so that the dumped zone file in a non-text
- format containing updates can be signed directly.
- The use of this option does not make much sense for
- non-dynamic zones.
- </p>
- </dd>
-<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
-<dd>
- <p>
- When signing a zone with a fixed signature lifetime, all
- RRSIG records issued at the time of signing expires
- simultaneously. If the zone is incrementally signed, i.e.
- a previously-signed zone is passed as input to the signer,
- all expired signatures have to be regenerated at about the
- same time. The <code class="option">jitter</code> option specifies a
- jitter window that will be used to randomize the signature
- expire time, thus spreading incremental signature
- regeneration over time.
- </p>
- <p>
- Signature lifetime jitter also to some extent benefits
- validators and servers by spreading out cache expiration,
- i.e. if large numbers of RRSIGs don't expire at the same time
- from all caches there will be less congestion than if all
- validators need to refetch at mostly the same time.
- </p>
- </dd>
-<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd>
- <p>
- When writing a signed zone to "raw" or "map" format, set the
- "source serial" value in the header to the specified serial
- number. (This is expected to be used primarily for testing
- purposes.)
- </p>
- </dd>
-<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
-<dd>
- <p>
- Specifies the number of threads to use. By default, one
- thread is started for each detected CPU.
- </p>
- </dd>
-<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
-<dd>
- <p>
- The SOA serial number format of the signed zone.
- Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
- <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
- and <span class="command"><strong>"date"</strong></span>.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
-<dd>
- <p>Do not modify the SOA serial number.</p>
- </dd>
-<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
-<dd>
- <p>Increment the SOA serial number using RFC 1982
- arithmetics.</p>
- </dd>
-<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
-<dd>
- <p>Set the SOA serial number to the number of seconds
- since epoch.</p>
- </dd>
-<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
-<dd>
- <p>Set the SOA serial number to today's date in
- YYYYMMDDNN format.</p>
- </dd>
-</dl></div>
-
- </dd>
-<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd>
- <p>
- The zone origin. If not specified, the name of the zone file
- is assumed to be the origin.
- </p>
- </dd>
-<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
-<dd>
- <p>
- The format of the output file containing the signed zone.
- Possible formats are <span class="command"><strong>"text"</strong></span> (default),
- which is the standard textual representation of the zone;
- <span class="command"><strong>"full"</strong></span>, which is text output in a
- format suitable for processing by external scripts;
- and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
- and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
- binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
- <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
- the raw zone file: if N is 0, the raw file can be read by
- any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
- can be read by release 9.9.0 or higher; the default is 1.
- </p>
- </dd>
-<dt><span class="term">-p</span></dt>
-<dd>
- <p>
- Use pseudo-random data when signing the zone. This is faster,
- but less secure, than using real random data. This option
- may be useful when signing large zones or when the entropy
- source is limited.
- </p>
- </dd>
-<dt><span class="term">-P</span></dt>
-<dd>
- <p>
- Disable post sign verification tests.
- </p>
- <p>
- The post sign verification test ensures that for each algorithm
- in use there is at least one non revoked self signed KSK key,
- that all revoked KSK keys are self signed, and that all records
- in the zone are signed by the algorithm.
- This option skips these tests.
- </p>
- </dd>
-<dt><span class="term">-Q</span></dt>
-<dd>
- <p>
- Remove signatures from keys that are no longer active.
- </p>
- <p>
- Normally, when a previously-signed zone is passed as input
- to the signer, and a DNSKEY record has been removed and
- replaced with a new one, signatures from the old key
- that are still within their validity period are retained.
- This allows the zone to continue to validate with cached
- copies of the old DNSKEY RRset. The <code class="option">-Q</code>
- forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
- signatures from keys that are no longer active. This
- enables ZSK rollover using the procedure described in
- RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
- </p>
- </dd>
-<dt><span class="term">-R</span></dt>
-<dd>
- <p>
- Remove signatures from keys that are no longer published.
- </p>
- <p>
- This option is similar to <code class="option">-Q</code>, except it
- forces <span class="command"><strong>dnssec-signzone</strong></span> to signatures from
- keys that are no longer published. This enables ZSK rollover
- using the procedure described in RFC 4641, section 4.2.1.2
- ("Double Signature Zone Signing Key Rollover").
- </p>
- </dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
- <p>
- Specifies the source of randomness. If the operating
- system does not provide a <code class="filename">/dev/random</code>
- or equivalent device, the default source of randomness
- is keyboard input. <code class="filename">randomdev</code>
- specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard
- input should be used.
- </p>
- </dd>
-<dt><span class="term">-S</span></dt>
-<dd>
- <p>
- Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
- search the key repository for keys that match the zone being
- signed, and to include them in the zone if appropriate.
- </p>
- <p>
- When a key is found, its timing metadata is examined to
- determine how it should be used, according to the following
- rules. Each successive rule takes priority over the prior
- ones:
- </p>
- <div class="variablelist"><dl class="variablelist">
-<dt></dt>
-<dd>
- <p>
- If no timing metadata has been set for the key, the key is
- published in the zone and used to sign the zone.
- </p>
- </dd>
-<dt></dt>
-<dd>
- <p>
- If the key's publication date is set and is in the past, the
- key is published in the zone.
- </p>
- </dd>
-<dt></dt>
-<dd>
- <p>
- If the key's activation date is set and in the past, the
- key is published (regardless of publication date) and
- used to sign the zone.
- </p>
- </dd>
-<dt></dt>
-<dd>
- <p>
- If the key's revocation date is set and in the past, and the
- key is published, then the key is revoked, and the revoked key
- is used to sign the zone.
- </p>
- </dd>
-<dt></dt>
-<dd>
- <p>
- If either of the key's unpublication or deletion dates are set
- and in the past, the key is NOT published or used to sign the
- zone, regardless of any other metadata.
- </p>
- </dd>
-</dl></div>
- </dd>
-<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
- <p>
- Specifies a TTL to be used for new DNSKEY records imported
- into the zone from the key repository. If not
- specified, the default is the TTL value from the zone's SOA
- record. This option is ignored when signing without
- <code class="option">-S</code>, since DNSKEY records are not imported
- from the key repository in that case. It is also ignored if
- there are any pre-existing DNSKEY records at the zone apex,
- in which case new records' TTL values will be set to match
- them, or if any of the imported DNSKEY records had a default
- TTL value. In the event of a a conflict between TTL values in
- imported keys, the shortest one is used.
- </p>
- </dd>
-<dt><span class="term">-t</span></dt>
-<dd>
- <p>
- Print statistics at completion.
- </p>
- </dd>
-<dt><span class="term">-u</span></dt>
-<dd>
- <p>
- Update NSEC/NSEC3 chain when re-signing a previously signed
- zone. With this option, a zone signed with NSEC can be
- switched to NSEC3, or a zone signed with NSEC3 can
- be switch to NSEC or to NSEC3 with different parameters.
- Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
- retain the existing chain when re-signing.
- </p>
- </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
- <p>
- Sets the debugging level.
- </p>
- </dd>
-<dt><span class="term">-x</span></dt>
-<dd>
- <p>
- Only sign the DNSKEY RRset with key-signing keys, and omit
- signatures from zone-signing keys. (This is similar to the
- <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
- <span class="command"><strong>named</strong></span>.)
- </p>
- </dd>
-<dt><span class="term">-z</span></dt>
-<dd>
- <p>
- Ignore KSK flag on key when determining what to sign. This
- causes KSK-flagged keys to sign all records, not just the
- DNSKEY RRset. (This is similar to the
- <span class="command"><strong>update-check-ksk no;</strong></span> zone option in
- <span class="command"><strong>named</strong></span>.)
- </p>
- </dd>
-<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
-<dd>
- <p>
- Generate an NSEC3 chain with the given hex encoded salt.
- A dash (<em class="replaceable"><code>salt</code></em>) can
- be used to indicate that no salt is to be used when generating the NSEC3 chain.
- </p>
- </dd>
-<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
-<dd>
- <p>
- When generating an NSEC3 chain, use this many iterations. The
- default is 10.
- </p>
- </dd>
-<dt><span class="term">-A</span></dt>
-<dd>
- <p>
- When generating an NSEC3 chain set the OPTOUT flag on all
- NSEC3 records and do not generate NSEC3 records for insecure
- delegations.
- </p>
- <p>
- Using this option twice (i.e., <code class="option">-AA</code>)
- turns the OPTOUT flag off for all records. This is useful
- when using the <code class="option">-u</code> option to modify an NSEC3
- chain which previously had OPTOUT set.
- </p>
- </dd>
-<dt><span class="term">zonefile</span></dt>
-<dd>
- <p>
- The file containing the zone to be signed.
- </p>
- </dd>
-<dt><span class="term">key</span></dt>
-<dd>
- <p>
- Specify which keys should be used to sign the zone. If
- no keys are specified, then the zone will be examined
- for DNSKEY records at the zone apex. If these are found and
- there are matching private keys, in the current directory,
- then these will be used for signing.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.16.9"></a><h2>EXAMPLE</h2>
-
- <p>
- The following command signs the <strong class="userinput"><code>example.com</code></strong>
- zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
- (Kexample.com.+003+17247). Because the <span class="command"><strong>-S</strong></span> option
- is not being used, the zone's keys must be in the master file
- (<code class="filename">db.example.com</code>). This invocation looks
- for <code class="filename">dsset</code> files, in the current directory,
- so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
- </p>
-<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
-Kexample.com.+003+17247
-db.example.com.signed
-%</pre>
- <p>
- In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
- the file <code class="filename">db.example.com.signed</code>. This
- file should be referenced in a zone statement in a
- <code class="filename">named.conf</code> file.
- </p>
- <p>
- This example re-signs a previously signed zone with default parameters.
- The private keys are assumed to be in the current directory.
- </p>
-<pre class="programlisting">% cp db.example.com.signed db.example.com
-% dnssec-signzone -o example.com db.example.com
-db.example.com.signed
-%</pre>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.16.10"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-settime.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-verify.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-settime</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-verify</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-verify</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
-<link rel="next" href="man.named.html" title="named">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.named.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnssec-verify"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnssec-verify</span>
- — DNSSEC zone verification tool
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnssec-verify</code>
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
- [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
- [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
- [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-V</code>]
- [<code class="option">-x</code>]
- [<code class="option">-z</code>]
- {zonefile}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.17.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>dnssec-verify</strong></span>
- verifies that a zone is fully signed for each algorithm found
- in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
- chains are complete.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.17.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
- <p>
- Specifies the DNS class of the zone.
- </p>
- </dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd>
- <p>
- Specifies the cryptographic hardware to use, when applicable.
- </p>
- <p>
- When BIND is built with OpenSSL PKCS#11 support, this defaults
- to the string "pkcs11", which identifies an OpenSSL engine
- that can drive a cryptographic accelerator or hardware service
- module. When BIND is built with native PKCS#11 cryptography
- (--enable-native-pkcs11), it defaults to the path of the PKCS#11
- provider library specified via "--with-pkcs11".
- </p>
- </dd>
-<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd>
- <p>
- The format of the input zone file.
- Possible formats are <span class="command"><strong>"text"</strong></span> (default)
- and <span class="command"><strong>"raw"</strong></span>.
- This option is primarily intended to be used for dynamic
- signed zones so that the dumped zone file in a non-text
- format containing updates can be verified independently.
- The use of this option does not make much sense for
- non-dynamic zones.
- </p>
- </dd>
-<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd>
- <p>
- The zone origin. If not specified, the name of the zone file
- is assumed to be the origin.
- </p>
- </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
- <p>
- Sets the debugging level.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Prints version information.
- </p>
- </dd>
-<dt><span class="term">-x</span></dt>
-<dd>
- <p>
- Only verify that the DNSKEY RRset is signed with key-signing
- keys. Without this flag, it is assumed that the DNSKEY RRset
- will be signed by all active keys. When this flag is set,
- it will not be an error if the DNSKEY RRset is not signed
- by zone-signing keys. This corresponds to the <code class="option">-x</code>
- option in <span class="command"><strong>dnssec-signzone</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-z</span></dt>
-<dd>
- <p>
- Ignore the KSK flag on the keys when determining whether
- the zone if correctly signed. Without this flag it is
- assumed that there will be a non-revoked, self-signed
- DNSKEY with the KSK flag set for each algorithm and
- that RRsets other than DNSKEY RRset will be signed with
- a different DNSKEY without the KSK flag set.
- </p>
- <p>
- With this flag set, we only require that for each algorithm,
- there will be at least one non-revoked, self-signed DNSKEY,
- regardless of the KSK flag state, and that other RRsets
- will be signed by a non-revoked key for the same algorithm
- that includes the self-signed key; the same key may be used
- for both purposes. This corresponds to the <code class="option">-z</code>
- option in <span class="command"><strong>dnssec-signzone</strong></span>.
- </p>
- </dd>
-<dt><span class="term">zonefile</span></dt>
-<dd>
- <p>
- The file containing the zone to be signed.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.17.9"></a><h2>SEE ALSO</h2>
-
- <p>
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-signzone</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 4033</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.named.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-signzone</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">named</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnstap-read</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.arpaname.html" title="arpaname">
-<link rel="next" href="man.genrandom.html" title="genrandom">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnstap-read</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.arpaname.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.genrandom.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.dnstap-read"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">dnstap-read</span>
- — print dnstap data in human-readable form
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">dnstap-read</code>
- [<code class="option">-m</code>]
- [<code class="option">-p</code>]
- [<code class="option">-x</code>]
- [<code class="option">-y</code>]
- {<em class="replaceable"><code>file</code></em>}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.31.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>dnstap-read</strong></span>
- reads <span class="command"><strong>dnstap</strong></span> data from a specified file
- and prints it in a human-readable format. By default,
- <span class="command"><strong>dnstap</strong></span> data is printed in a short summary
- format, but if the <code class="option">-y</code> option is specified,
- then a longer and more detailed YAML format is used instead.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.31.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-m</span></dt>
-<dd>
- <p>
- Trace memory allocations; used for debugging memory leaks.
- </p>
- </dd>
-<dt><span class="term">-p</span></dt>
-<dd>
- <p>
- After printing the <span class="command"><strong>dnstap</strong></span> data, print
- the text form of the DNS message that was encapsulated in the
- <span class="command"><strong>dnstap</strong></span> frame.
- </p>
- </dd>
-<dt><span class="term">-x</span></dt>
-<dd>
- <p>
- After printing the <span class="command"><strong>dnstap</strong></span> data, print
- a hex dump of the wire form of the DNS message that was
- encapsulated in the <span class="command"><strong>dnstap</strong></span> frame.
- </p>
- </dd>
-<dt><span class="term">-y</span></dt>
-<dd>
- <p>
- Print <span class="command"><strong>dnstap</strong></span> data in a detailed YAML
- format.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.31.9"></a><h2>SEE ALSO</h2>
-
- <p>
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">rndc</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.arpaname.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.genrandom.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">arpaname</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">genrandom</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>genrandom</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnstap-read.html" title="dnstap-read">
-<link rel="next" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">genrandom</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnstap-read.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.genrandom"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">genrandom</span>
- — generate a file containing random data
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">genrandom</code>
- [<code class="option">-n <em class="replaceable"><code>number</code></em></code>]
- {<em class="replaceable"><code>size</code></em>}
- {<em class="replaceable"><code>filename</code></em>}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.32.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>genrandom</strong></span>
- generates a file or a set of files containing a specified quantity
- of pseudo-random data, which can be used as a source of entropy for
- other commands on systems with no random device.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.32.8"></a><h2>ARGUMENTS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
-<dd>
- <p>
- In place of generating one file, generates <code class="option">number</code>
- (from 2 to 9) files, appending <code class="option">number</code> to the name.
- </p>
- </dd>
-<dt><span class="term">size</span></dt>
-<dd>
- <p>
- The size of the file, in kilobytes, to generate.
- </p>
- </dd>
-<dt><span class="term">filename</span></dt>
-<dd>
- <p>
- The file name into which random data should be written.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.32.9"></a><h2>SEE ALSO</h2>
-
- <p>
- <span class="citerefentry">
- <span class="refentrytitle">rand</span>(3)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">arc4random</span>(3)
- </span>
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnstap-read.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnstap-read</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">isc-hmac-fixup</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.mdig.html" title="mdig">
-<link rel="next" href="man.delv.html" title="delv">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">host</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.mdig.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.delv.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.host"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- host
- — DNS lookup utility
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">host</code>
- [<code class="option">-aACdlnrsTUwv</code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
- [<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
- [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
- [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
- [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
- [
- [<code class="option">-4</code>]
- | [<code class="option">-6</code>]
- ]
- [<code class="option">-v</code>]
- [<code class="option">-V</code>]
- {name}
- [server]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.4.7"></a><h2>DESCRIPTION</h2>
-
-
- <p><span class="command"><strong>host</strong></span>
- is a simple utility for performing DNS lookups.
- It is normally used to convert names to IP addresses and vice versa.
- When no arguments or options are given,
- <span class="command"><strong>host</strong></span>
- prints a short summary of its command line arguments and options.
- </p>
-
- <p><em class="parameter"><code>name</code></em> is the domain name that is to be
- looked
- up. It can also be a dotted-decimal IPv4 address or a colon-delimited
- IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
- default
- perform a reverse lookup for that address.
- <em class="parameter"><code>server</code></em> is an optional argument which
- is either
- the name or IP address of the name server that <span class="command"><strong>host</strong></span>
- should query instead of the server or servers listed in
- <code class="filename">/etc/resolv.conf</code>.
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.4.8"></a><h2>OPTIONS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-4</span></dt>
-<dd>
- <p>
- Use IPv4 only for query transport.
- See also the <code class="option">-6</code> option.
- </p>
- </dd>
-<dt><span class="term">-6</span></dt>
-<dd>
- <p>
- Use IPv6 only for query transport.
- See also the <code class="option">-4</code> option.
- </p>
- </dd>
-<dt><span class="term">-a</span></dt>
-<dd>
- <p>
- "All". The <code class="option">-a</code> option is normally equivalent
- to <code class="option">-v -t <code class="literal">ANY</code></code>.
- It also affects the behaviour of the <code class="option">-l</code>
- list zone option.
- </p>
- </dd>
-<dt><span class="term">-A</span></dt>
-<dd>
- <p>
- "Almost all". The <code class="option">-A</code> option is equivalent
- to <code class="option">-a</code> except RRSIG, NSEC, and NSEC3
- records are omitted from the output.
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
- <p>
- Query class: This can be used to lookup HS (Hesiod) or CH
- (Chaosnet) class resource records. The default class is IN
- (Internet).
- </p>
- </dd>
-<dt><span class="term">-C</span></dt>
-<dd>
- <p>
- Check consistency: <span class="command"><strong>host</strong></span> will query the
- SOA records for zone <em class="parameter"><code>name</code></em> from all
- the listed authoritative name servers for that zone. The
- list of name servers is defined by the NS records that are
- found for the zone.
- </p>
- </dd>
-<dt><span class="term">-d</span></dt>
-<dd>
- <p>
- Print debugging traces.
- Equivalent to the <code class="option">-v</code> verbose option.
- </p>
- </dd>
-<dt><span class="term">-i</span></dt>
-<dd>
- <p>
- Obsolete.
- Use the IP6.INT domain for reverse lookups of IPv6
- addresses as defined in RFC1886 and deprecated in RFC4159.
- The default is to use IP6.ARPA as specified in RFC3596.
- </p>
- </dd>
-<dt><span class="term">-l</span></dt>
-<dd>
- <p>
- List zone:
- The <span class="command"><strong>host</strong></span> command performs a zone transfer of
- zone <em class="parameter"><code>name</code></em> and prints out the NS,
- PTR and address records (A/AAAA).
- </p>
- <p>
- Together, the <code class="option">-l -a</code>
- options print all records in the zone.
- </p>
- </dd>
-<dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
-<dd>
- <p>
- The number of dots that have to be
- in <em class="parameter"><code>name</code></em> for it to be considered
- absolute. The default value is that defined using the
- ndots statement in <code class="filename">/etc/resolv.conf</code>,
- or 1 if no ndots statement is present. Names with fewer
- dots are interpreted as relative names and will be
- searched for in the domains listed in
- the <span class="type">search</span> or <span class="type">domain</span> directive
- in <code class="filename">/etc/resolv.conf</code>.
- </p>
- </dd>
-<dt><span class="term">-r</span></dt>
-<dd>
- <p>
- Non-recursive query:
- Setting this option clears the RD (recursion desired) bit
- in the query. This should mean that the name server
- receiving the query will not attempt to
- resolve <em class="parameter"><code>name</code></em>.
- The <code class="option">-r</code> option
- enables <span class="command"><strong>host</strong></span> to mimic the behavior of a
- name server by making non-recursive queries and expecting
- to receive answers to those queries that can be
- referrals to other name servers.
- </p>
- </dd>
-<dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
-<dd>
- <p>
- Number of retries for UDP queries:
- If <em class="parameter"><code>number</code></em> is negative or zero, the
- number of retries will default to 1. The default value is
- 1, or the value of the <em class="parameter"><code>attempts</code></em>
- option in <code class="filename">/etc/resolv.conf</code>, if set.
- </p>
- </dd>
-<dt><span class="term">-s</span></dt>
-<dd>
- <p>
- Do <span class="emphasis"><em>not</em></span> send the query to the next
- nameserver if any server responds with a SERVFAIL
- response, which is the reverse of normal stub resolver
- behavior.
- </p>
- </dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd>
- <p>
- Query type:
- The <em class="parameter"><code>type</code></em> argument can be any
- recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
- </p>
- <p>
- When no query type is specified, <span class="command"><strong>host</strong></span>
- automatically selects an appropriate query type. By default, it
- looks for A, AAAA, and MX records.
- If the <code class="option">-C</code> option is given, queries will
- be made for SOA records.
- If <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
- address or colon-delimited IPv6
- address, <span class="command"><strong>host</strong></span> will query for PTR
- records.
- </p>
- <p>
- If a query type of IXFR is chosen the starting serial
- number can be specified by appending an equal followed by
- the starting serial number
- (like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
- </p>
- </dd>
-<dt>
-<span class="term">-T, </span><span class="term">-U</span>
-</dt>
-<dd>
- <p>
- TCP/UDP:
- By default, <span class="command"><strong>host</strong></span> uses UDP when making
- queries. The <code class="option">-T</code> option makes it use a TCP
- connection when querying the name server. TCP will be
- automatically selected for queries that require it, such
- as zone transfer (AXFR) requests. Type ANY queries default
- to TCP but can be forced to UDP initially using <code class="option">-U</code>.
- </p>
- </dd>
-<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
- <p>
- Memory usage debugging: the flag can
- be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
- or <em class="parameter"><code>trace</code></em>. You can specify
- the <code class="option">-m</code> option more than once to set
- multiple flags.
- </p>
- </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
- <p>
- Verbose output.
- Equivalent to the <code class="option">-d</code> debug option.
- Verbose output can also be enabled by setting
- the <em class="parameter"><code>debug</code></em> option
- in <code class="filename">/etc/resolv.conf</code>.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Print the version number and exit.
- </p>
- </dd>
-<dt><span class="term">-w</span></dt>
-<dd>
- <p>
- Wait forever: The query timeout is set to the maximum possible.
- See also the <code class="option">-W</code> option.
- </p>
- </dd>
-<dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
-<dd>
- <p>
- Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
- seconds for a reply. If <em class="parameter"><code>wait</code></em> is
- less than one, the wait interval is set to one second.
- </p>
- <p>
- By default, <span class="command"><strong>host</strong></span> will wait for 5
- seconds for UDP responses and 10 seconds for TCP
- connections. These defaults can be overridden by
- the <em class="parameter"><code>timeout</code></em> option
- in <code class="filename">/etc/resolv.conf</code>.
- </p>
- <p>
- See also the <code class="option">-w</code> option.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.4.9"></a><h2>IDN SUPPORT</h2>
-
- <p>
- If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
- domain name) support, it can accept and display non-ASCII domain names.
- <span class="command"><strong>host</strong></span> appropriately converts character encoding of
- domain name before sending a request to DNS server or displaying a
- reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
- the <code class="envar">IDN_DISABLE</code> environment variable.
- The IDN support is disabled if the variable is set when
- <span class="command"><strong>host</strong></span> runs.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.4.10"></a><h2>FILES</h2>
-
- <p><code class="filename">/etc/resolv.conf</code>
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.4.11"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dig</span>(1)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.mdig.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.delv.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">mdig</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â delv</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>isc-hmac-fixup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.genrandom.html" title="genrandom">
-<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.genrandom.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.nsec3hash.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">isc-hmac-fixup</span>
- — fixes HMAC keys generated by older versions of BIND
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">isc-hmac-fixup</code>
- {<em class="replaceable"><code>algorithm</code></em>}
- {<em class="replaceable"><code>secret</code></em>}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.33.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- Versions of BIND 9 up to and including BIND 9.6 had a bug causing
- HMAC-SHA* TSIG keys which were longer than the digest length of the
- hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
- longer than 256 bits, etc) to be used incorrectly, generating a
- message authentication code that was incompatible with other DNS
- implementations.
- </p>
- <p>
- This bug has been fixed in BIND 9.7. However, the fix may
- cause incompatibility between older and newer versions of
- BIND, when using long keys. <span class="command"><strong>isc-hmac-fixup</strong></span>
- modifies those keys to restore compatibility.
- </p>
- <p>
- To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
- specify the key's algorithm and secret on the command line. If the
- secret is longer than the digest length of the algorithm (64 bytes
- for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
- new secret will be generated consisting of a hash digest of the old
- secret. (If the secret did not require conversion, then it will be
- printed without modification.)
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.33.8"></a><h2>SECURITY CONSIDERATIONS</h2>
-
- <p>
- Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
- are shortened, but as this is how the HMAC protocol works in
- operation anyway, it does not affect security. RFC 2104 notes,
- "Keys longer than [the digest length] are acceptable but the
- extra length would not significantly increase the function
- strength."
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.33.9"></a><h2>SEE ALSO</h2>
-
- <p>
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 2104</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.genrandom.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.nsec3hash.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">genrandom</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">nsec3hash</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>mdig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dig.html" title="dig">
-<link rel="next" href="man.host.html" title="host">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">mdig</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dig.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.host.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.mdig"></a><div class="titlepage"></div>
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">mdig</span>
- — DNS pipelined lookup utility
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">mdig</code>
- {@server}
- [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>]
- [<code class="option">-h</code>]
- [<code class="option">-v</code>]
- [
- [<code class="option">-4</code>]
- | [<code class="option">-6</code>]
- ]
- [<code class="option">-m</code>]
- [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
- [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
- [<code class="option">-i</code>]
- [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
- [plusopt...]
- </p></div>
-
- <div class="cmdsynopsis"><p>
- <code class="command">mdig</code>
- {-h}
- </p></div>
-
- <div class="cmdsynopsis"><p>
- <code class="command">mdig</code>
- [@server]
- {global-opt...}
- {
- {local-opt...}
- {query}
- ...}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.3.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>mdig</strong></span>
- is a multiple/pipelined query version of <span class="command"><strong>dig</strong></span>:
- instead of waiting for a response after sending each query,
- it begins by sending all queries. Responses are displayed in
- the order in which they are received, not in the order the
- corresponding queries were sent.
- </p>
-
- <p>
- <span class="command"><strong>mdig</strong></span> options are a subset of the
- <span class="command"><strong>dig</strong></span> options, and are divided into "anywhere
- options" which can occur anywhere, "global options" which must
- occur before the query name (or they are ignored with a warning),
- and "local options" which apply to the next query on the command
- line.
- </p>
-
- <p>
- The {@server} option is a mandatory global
- option. It is the name or IP address of the name server to query.
- (Unlike <span class="command"><strong>dig</strong></span>, this value is not retrieved from
- <code class="filename">/etc/resolv.conf</code>.) It can be an IPv4 address
- in dotted-decimal notation, an IPv6 address in colon-delimited
- notation, or a hostname. When the supplied
- <em class="parameter"><code>server</code></em> argument is a hostname,
- <span class="command"><strong>mdig</strong></span> resolves that name before querying
- the name server.
- </p>
-
- <p><span class="command"><strong>mdig</strong></span>
- provides a number of query options which affect
- the way in which lookups are made and the results displayed. Some of
- these set or reset flag bits in the query header, some determine which
- sections of the answer get printed, and others determine the timeout
- and retry strategies.
- </p>
-
- <p>
- Each query option is identified by a keyword preceded by a plus
- sign (<code class="literal">+</code>). Some keywords set or reset an
- option. These may be preceded by the string <code class="literal">no</code>
- to negate the meaning of that keyword. Other keywords assign
- values to options like the timeout interval. They have the
- form <code class="option">+keyword=value</code>.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.3.8"></a><h2>ANYWHERE OPTIONS</h2>
-
-
- <p>
- The <code class="option">-f</code> option makes <span class="command"><strong>mdig</strong></span>
- operate in batch mode by reading a list of lookup requests to
- process from the file <em class="parameter"><code>filename</code></em>. The file
- contains a number of queries, one per line. Each entry in the
- file should be organized in the same way they would be presented
- as queries to <span class="command"><strong>mdig</strong></span> using the command-line interface.
- </p>
-
- <p>
- The <code class="option">-h</code> causes <span class="command"><strong>mdig</strong></span> to
- print the detailed help with the full list of options and exit.
- </p>
-
- <p>
- The <code class="option">-v</code> causes <span class="command"><strong>mdig</strong></span> to
- print the version number and exit.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.3.9"></a><h2>GLOBAL OPTIONS</h2>
-
-
- <p>
- The <code class="option">-4</code> option forces <span class="command"><strong>mdig</strong></span> to
- only use IPv4 query transport.
- </p>
-
- <p>
- The <code class="option">-6</code> option forces <span class="command"><strong>mdig</strong></span> to
- only use IPv6 query transport.
- </p>
-
- <p>
- The <code class="option">-b</code> option sets the source IP address of the
- query to <em class="parameter"><code>address</code></em>. This must be a valid
- address on one of the host's network interfaces or "0.0.0.0" or
- "::". An optional port may be specified by appending
- "#<port>"
- </p>
-
- <p>
- The <code class="option">-m</code> option enables memory usage debugging.
- </p>
-
- <p>
- The <code class="option">-p</code> option is used when a non-standard port
- number is to be queried.
- <em class="parameter"><code>port#</code></em> is the port number
- that <span class="command"><strong>mdig</strong></span> will send its queries instead of
- the standard DNS port number 53. This option would be used to
- test a name server that has been configured to listen for
- queries on a non-standard port number.
- </p>
-
- <p>
- The global query options are:
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
-<dd>
- <p>
- Display [do not display] the additional section of a
- reply. The default is to display it.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd>
- <p>
- Set or clear all display flags.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
-<dd>
- <p>
- Display [do not display] the answer section of a
- reply. The default is to display it.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
-<dd>
- <p>
- Display [do not display] the authority section of a
- reply. The default is to display it.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
-<dd>
- <p>
- Attempt to display the contents of messages which are
- malformed. The default is to not display malformed
- answers.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]cl</code></span></dt>
-<dd>
- <p>
- Display [do not display] the CLASS when printing the
- record.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd>
- <p>
- Toggle the display of comment lines in the output.
- The default is to print comments.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]continue</code></span></dt>
-<dd>
- <p>
- Continue on errors (e.g. timeouts).
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
-<dd>
- <p>
- Toggle the display of cryptographic fields in DNSSEC
- records. The contents of these field are unnecessary
- to debug most DNSSEC validation failures and removing
- them makes it easier to see the common failures. The
- default is to display the fields. When omitted they
- are replaced by the string "[omitted]" or in the
- DNSKEY case the key id is displayed as the replacement,
- e.g. "[ key id = value ]".
- </p>
- </dd>
-<dt><span class="term"><code class="option">+dscp[=value]</code></span></dt>
-<dd>
- <p>
- Set the DSCP code point to be used when sending the
- query. Valid DSCP code points are in the range
- [0..63]. By default no code point is explicitly set.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd>
- <p>
- Print records like the SOA records in a verbose
- multi-line format with human-readable comments. The
- default is to print each record on a single line, to
- facilitate machine parsing of the <span class="command"><strong>mdig</strong></span>
- output.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]question</code></span></dt>
-<dd>
- <p>
- Print [do not print] the question section of a query
- when an answer is returned. The default is to print
- the question section as a comment.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd>
- <p>
- Toggle the display of per-record comments in the
- output (for example, human-readable key information
- about DNSKEY records). The default is not to print
- record comments unless multiline mode is active.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd>
- <p>
- Provide a terse answer. The default is to print the
- answer in a verbose form.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+split=W</code></span></dt>
-<dd>
- <p>
- Split long hex- or base64-formatted fields in resource
- records into chunks of <em class="parameter"><code>W</code></em>
- characters (where <em class="parameter"><code>W</code></em> is rounded
- up to the nearest multiple of 4).
- <em class="parameter"><code>+nosplit</code></em> or
- <em class="parameter"><code>+split=0</code></em> causes fields not to
- be split at all. The default is 56 characters, or
- 44 characters when multiline mode is active.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd>
- <p>
- Use [do not use] TCP when querying name servers. The
- default behavior is to use UDP.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
-<dd>
- <p>
- Display [do not display] the TTL when printing the
- record.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ttlunits</code></span></dt>
-<dd>
- <p>
- Display [do not display] the TTL in friendly human-readable
- time units of "s", "m", "h", "d", and "w", representing
- seconds, minutes, hours, days and weeks. Implies +ttlid.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
-<dd>
- <p>
- Use [do not use] TCP when querying name servers. This
- alternate syntax to <em class="parameter"><code>+[no]tcp</code></em>
- is provided for backwards compatibility. The "vc"
- stands for "virtual circuit".
- </p>
- </dd>
-</dl></div>
-<p>
-
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.3.10"></a><h2>LOCAL OPTIONS</h2>
-
-
- <p>
- The <code class="option">-c</code> option sets the query class to
- <em class="parameter"><code>class</code></em>. It can be any valid query class
- which is supported in BIND 9. The default query class is "IN".
- </p>
-
- <p>
- The <code class="option">-t</code> option sets the query type to
- <em class="parameter"><code>type</code></em>. It can be any valid query type
- which is supported in BIND 9. The default query type is "A",
- unless the <code class="option">-x</code> option is supplied to indicate
- a reverse lookup with the "PTR" query type.
- </p>
-
- <p>
- The <code class="option">-i</code> option sets the reverse domain for
- IPv6 addresses to IP6.INT.
- </p>
-
- <p>
- Reverse lookups — mapping addresses to names — are
- simplified by the <code class="option">-x</code> option.
- <em class="parameter"><code>addr</code></em> is an IPv4
- address in dotted-decimal notation, or a colon-delimited IPv6 address.
- <span class="command"><strong>mdig</strong></span> automatically performs a lookup for a
- query name like <code class="literal">11.12.13.10.in-addr.arpa</code> and
- sets the query type and class to PTR and IN respectively.
- By default, IPv6 addresses are looked up using nibble format
- under the IP6.ARPA domain. To use the older RFC1886 method
- using the IP6.INT domain specify the <code class="option">-i</code> option.
- </p>
-
- <p>
- The local query options are:
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
-<dd>
- <p>
- A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
-<dd>
- <p>
- Sets the "aa" flag in the query.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
-<dd>
- <p>
- Set [do not set] the AD (authentic data) bit in the
- query. This requests the server to return whether
- all of the answer and authority sections have all
- been validated as secure according to the security
- policy of the server. AD=1 indicates that all records
- have been validated as secure and the answer is not
- from a OPT-OUT range. AD=0 indicate that some part
- of the answer was insecure or not validated. This
- bit is set by default.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
-<dd>
- <p>
- Set the UDP message buffer size advertised using EDNS0
- to <em class="parameter"><code>B</code></em> bytes. The maximum and
- minimum sizes of this buffer are 65535 and 0 respectively.
- Values outside this range are rounded up or down
- appropriately. Values other than zero will cause a
- EDNS query to be sent.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd>
- <p>
- Set [do not set] the CD (checking disabled) bit in
- the query. This requests the server to not perform
- DNSSEC validation of responses.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
-<dd>
- <p>
- Send a COOKIE EDNS option, with optional value.
- Replaying a COOKIE from a previous response will allow
- the server to identify a previous client. The default
- is <code class="option">+nocookie</code>.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd>
- <p>
- Requests DNSSEC records be sent by setting the DNSSEC
- OK bit (DO) in the OPT record in the additional section
- of the query.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]edns[=#]</code></span></dt>
-<dd>
- <p>
- Specify the EDNS version to query with. Valid values
- are 0 to 255. Setting the EDNS version will cause
- a EDNS query to be sent. <code class="option">+noedns</code>
- clears the remembered EDNS version. EDNS is set to
- 0 by default.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ednsflags[=#]</code></span></dt>
-<dd>
- <p>
- Set the must-be-zero EDNS flags bits (Z bits) to the
- specified value. Decimal, hex and octal encodings are
- accepted. Setting a named flag (e.g. DO) will silently be
- ignored. By default, no Z bits are set.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]ednsopt[=code[:value]]</code></span></dt>
-<dd>
- <p>
- Specify EDNS option with code point <code class="option">code</code>
- and optionally payload of <code class="option">value</code> as a
- hexadecimal string. <code class="option">+noednsopt</code>
- clears the EDNS options to be sent.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]expire</code></span></dt>
-<dd>
- <p>
- Send an EDNS Expire option.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
-<dd>
- <p>
- Include an EDNS name server ID request when sending
- a query.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
-<dd>
- <p>
- Toggle the setting of the RD (recursion desired) bit
- in the query. This bit is set by default, which means
- <span class="command"><strong>mdig</strong></span> normally sends recursive
- queries.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+retry=T</code></span></dt>
-<dd>
- <p>
- Sets the number of times to retry UDP queries to
- server to <em class="parameter"><code>T</code></em> instead of the
- default, 2. Unlike <em class="parameter"><code>+tries</code></em>,
- this does not include the initial query.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
-<dd>
- <p>
- Send (don't send) an EDNS Client Subnet option with the
- specified IP address or network prefix.
- </p>
- <p>
- <span class="command"><strong>mdig +subnet=0.0.0.0/0</strong></span>, or simply
- <span class="command"><strong>mdig +subnet=0</strong></span> for short, sends an EDNS
- client-subnet option with an empty address and a source
- prefix-length of zero, which signals a resolver that
- the client's address information must
- <span class="emphasis"><em>not</em></span> be used when resolving
- this query.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+timeout=T</code></span></dt>
-<dd>
- <p>
- Sets the timeout for a query to
- <em class="parameter"><code>T</code></em> seconds. The default
- timeout is 5 seconds for UDP transport and 10 for TCP.
- An attempt to set <em class="parameter"><code>T</code></em> to less
- than 1 will result
- in a query timeout of 1 second being applied.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+tries=T</code></span></dt>
-<dd>
- <p>
- Sets the number of times to try UDP queries to server
- to <em class="parameter"><code>T</code></em> instead of the default,
- 3. If <em class="parameter"><code>T</code></em> is less than or equal
- to zero, the number of tries is silently rounded up
- to 1.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+udptimeout=T</code></span></dt>
-<dd>
- <p>
- Sets the timeout between UDP query retries.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
-<dd>
- <p>
- Print all RDATA in unknown RR type presentation format
- (RFC 3597). The default is to print RDATA for known types
- in the type's presentation format.
- </p>
- </dd>
-<dt><span class="term"><code class="option">+[no]zflag</code></span></dt>
-<dd>
- <p>
- Set [do not set] the last unassigned DNS header flag in a
- DNS query. This flag is off by default.
- </p>
- </dd>
-</dl></div>
-<p>
-
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.3.11"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dig</span>(1)
- </span>,
- <em class="citetitle">RFC1035</em>.
- </p>
- </div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dig.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.host.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">dig </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â host</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkconf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.named.conf.html" title="named.conf">
-<link rel="next" href="man.named-checkzone.html" title="named-checkzone">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">named-checkconf</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named.conf.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.named-checkzone.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.named-checkconf"></a><div class="titlepage"></div>
-
-
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">named-checkconf</span>
- — named configuration file syntax checking tool
- </p>
-</div>
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">named-checkconf</code>
- [<code class="option">-hjlvz</code>]
- [<code class="option">-p</code>
- [<code class="option">-x</code>
- ]]
- [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
- {filename}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.20.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>named-checkconf</strong></span>
- checks the syntax, but not the semantics, of a
- <span class="command"><strong>named</strong></span> configuration file. The file is parsed
- and checked for syntax errors, along with all files included by it.
- If no file is specified, <code class="filename">/etc/named.conf</code> is read
- by default.
- </p>
- <p>
- Note: files that <span class="command"><strong>named</strong></span> reads in separate
- parser contexts, such as <code class="filename">rndc.key</code> and
- <code class="filename">bind.keys</code>, are not automatically read
- by <span class="command"><strong>named-checkconf</strong></span>. Configuration
- errors in these files may cause <span class="command"><strong>named</strong></span> to
- fail to run, even if <span class="command"><strong>named-checkconf</strong></span> was
- successful. <span class="command"><strong>named-checkconf</strong></span> can be run
- on these files explicitly, however.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.20.8"></a><h2>OPTIONS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Print the usage summary and exit.
- </p>
- </dd>
-<dt><span class="term">-j</span></dt>
-<dd>
- <p>
- When loading a zonefile read the journal if it exists.
- </p>
- </dd>
-<dt><span class="term">-l</span></dt>
-<dd>
- <p>
- List all the configured zones. Each line of output
- contains the zone name, class (e.g. IN), view, and type
- (e.g. master or slave).
- </p>
- </dd>
-<dt><span class="term">-p</span></dt>
-<dd>
- <p>
- Print out the <code class="filename">named.conf</code> and included files
- in canonical form if no errors were detected.
- See also the <code class="option">-x</code> option.
- </p>
- </dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Chroot to <code class="filename">directory</code> so that include
- directives in the configuration file are processed as if
- run by a similarly chrooted <span class="command"><strong>named</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
- <p>
- Print the version of the <span class="command"><strong>named-checkconf</strong></span>
- program and exit.
- </p>
- </dd>
-<dt><span class="term">-x</span></dt>
-<dd>
- <p>
- When printing the configuration files in canonical
- form, obscure shared secrets by replacing them with
- strings of question marks ('?'). This allows the
- contents of <code class="filename">named.conf</code> and related
- files to be shared — for example, when submitting
- bug reports — without compromising private data.
- This option cannot be used without <code class="option">-p</code>.
- </p>
- </dd>
-<dt><span class="term">-z</span></dt>
-<dd>
- <p>
- Perform a test load of all master zones found in
- <code class="filename">named.conf</code>.
- </p>
- </dd>
-<dt><span class="term">filename</span></dt>
-<dd>
- <p>
- The name of the configuration file to be checked. If not
- specified, it defaults to <code class="filename">/etc/named.conf</code>.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.20.9"></a><h2>RETURN VALUES</h2>
-
- <p><span class="command"><strong>named-checkconf</strong></span>
- returns an exit status of 1 if
- errors were detected and 0 otherwise.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.20.10"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named-checkzone</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named.conf.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.named-checkzone.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<code class="filename">named.conf</code>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">named-checkzone</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.named-checkconf.html" title="named-checkconf">
-<link rel="next" href="man.named-journalprint.html" title="named-journalprint">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">named-checkzone</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named-checkconf.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.named-journalprint.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.named-checkzone"></a><div class="titlepage"></div>
-
-
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">named-checkzone</span>,
- <span class="application">named-compilezone</span>
- — zone file validity checking or converting tool
- </p>
-</div>
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">named-checkzone</code>
- [<code class="option">-d</code>]
- [<code class="option">-h</code>]
- [<code class="option">-j</code>]
- [<code class="option">-q</code>]
- [<code class="option">-v</code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
- [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
- [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
- [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
- [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
- [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
- [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
- [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-D</code>]
- [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
- {zonename}
- {filename}
- </p></div>
- <div class="cmdsynopsis"><p>
- <code class="command">named-compilezone</code>
- [<code class="option">-d</code>]
- [<code class="option">-j</code>]
- [<code class="option">-q</code>]
- [<code class="option">-v</code>]
- [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
- [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
- [<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
- [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
- [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
- [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
- [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
- [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
- [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-D</code>]
- [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
- {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
- {zonename}
- {filename}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.21.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>named-checkzone</strong></span>
- checks the syntax and integrity of a zone file. It performs the
- same checks as <span class="command"><strong>named</strong></span> does when loading a
- zone. This makes <span class="command"><strong>named-checkzone</strong></span> useful for
- checking zone files before configuring them into a name server.
- </p>
- <p>
- <span class="command"><strong>named-compilezone</strong></span> is similar to
- <span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
- zone contents to a specified file in a specified format.
- Additionally, it applies stricter check levels by default,
- since the dump output will be used as an actual zone file
- loaded by <span class="command"><strong>named</strong></span>.
- When manually specified otherwise, the check levels must at
- least be as strict as those specified in the
- <span class="command"><strong>named</strong></span> configuration file.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.21.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-d</span></dt>
-<dd>
- <p>
- Enable debugging.
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Print the usage summary and exit.
- </p>
- </dd>
-<dt><span class="term">-q</span></dt>
-<dd>
- <p>
- Quiet mode - exit code only.
- </p>
- </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
- <p>
- Print the version of the <span class="command"><strong>named-checkzone</strong></span>
- program and exit.
- </p>
- </dd>
-<dt><span class="term">-j</span></dt>
-<dd>
- <p>
- When loading a zone file, read the journal if it exists.
- The journal file name is assumed to be the zone file name
- appended with the string <code class="filename">.jnl</code>.
- </p>
- </dd>
-<dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
-<dd>
- <p>
- When loading the zone file read the journal from the given
- file, if it exists. (Implies -j.)
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd>
- <p>
- Specify the class of the zone. If not specified, "IN" is assumed.
- </p>
- </dd>
-<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
- <p>
- Perform post-load zone integrity checks. Possible modes are
- <span class="command"><strong>"full"</strong></span> (default),
- <span class="command"><strong>"full-sibling"</strong></span>,
- <span class="command"><strong>"local"</strong></span>,
- <span class="command"><strong>"local-sibling"</strong></span> and
- <span class="command"><strong>"none"</strong></span>.
- </p>
- <p>
- Mode <span class="command"><strong>"full"</strong></span> checks that MX records
- refer to A or AAAA record (both in-zone and out-of-zone
- hostnames). Mode <span class="command"><strong>"local"</strong></span> only
- checks MX records which refer to in-zone hostnames.
- </p>
- <p>
- Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
- refer to A or AAAA record (both in-zone and out-of-zone
- hostnames). Mode <span class="command"><strong>"local"</strong></span> only
- checks SRV records which refer to in-zone hostnames.
- </p>
- <p>
- Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
- records refer to A or AAAA record (both in-zone and out-of-zone
- hostnames). It also checks that glue address records
- in the zone match those advertised by the child.
- Mode <span class="command"><strong>"local"</strong></span> only checks NS records which
- refer to in-zone hostnames or that some required glue exists,
- that is when the nameserver is in a child zone.
- </p>
- <p>
- Mode <span class="command"><strong>"full-sibling"</strong></span> and
- <span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
- checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
- and <span class="command"><strong>"local"</strong></span> respectively.
- </p>
- <p>
- Mode <span class="command"><strong>"none"</strong></span> disables the checks.
- </p>
- </dd>
-<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
-<dd>
- <p>
- Specify the format of the zone file.
- Possible formats are <span class="command"><strong>"text"</strong></span> (default),
- <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
-<dd>
- <p>
- Specify the format of the output file specified.
- For <span class="command"><strong>named-checkzone</strong></span>,
- this does not cause any effects unless it dumps the zone
- contents.
- </p>
- <p>
- Possible formats are <span class="command"><strong>"text"</strong></span> (default),
- which is the standard textual representation of the zone,
- and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
- and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in a
- binary format for rapid loading by <span class="command"><strong>named</strong></span>.
- <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
- the raw zone file: if N is 0, the raw file can be read by
- any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
- can be read by release 9.9.0 or higher; the default is 1.
- </p>
- </dd>
-<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
- <p>
- Perform <span class="command"><strong>"check-names"</strong></span> checks with the
- specified failure mode.
- Possible modes are <span class="command"><strong>"fail"</strong></span>
- (default for <span class="command"><strong>named-compilezone</strong></span>),
- <span class="command"><strong>"warn"</strong></span>
- (default for <span class="command"><strong>named-checkzone</strong></span>) and
- <span class="command"><strong>"ignore"</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd>
- <p>
- Sets a maximum permissible TTL for the input file.
- Any record with a TTL higher than this value will cause
- the zone to be rejected. This is similar to using the
- <span class="command"><strong>max-zone-ttl</strong></span> option in
- <code class="filename">named.conf</code>.
- </p>
- </dd>
-<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd>
- <p>
- When compiling a zone to "raw" or "map" format, set the
- "source serial" value in the header to the specified serial
- number. (This is expected to be used primarily for testing
- purposes.)
- </p>
- </dd>
-<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
- <p>
- Specify whether MX records should be checked to see if they
- are addresses. Possible modes are <span class="command"><strong>"fail"</strong></span>,
- <span class="command"><strong>"warn"</strong></span> (default) and
- <span class="command"><strong>"ignore"</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
- <p>
- Check if a MX record refers to a CNAME.
- Possible modes are <span class="command"><strong>"fail"</strong></span>,
- <span class="command"><strong>"warn"</strong></span> (default) and
- <span class="command"><strong>"ignore"</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
- <p>
- Specify whether NS records should be checked to see if they
- are addresses.
- Possible modes are <span class="command"><strong>"fail"</strong></span>
- (default for <span class="command"><strong>named-compilezone</strong></span>),
- <span class="command"><strong>"warn"</strong></span>
- (default for <span class="command"><strong>named-checkzone</strong></span>) and
- <span class="command"><strong>"ignore"</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
-<dd>
- <p>
- Write zone output to <code class="filename">filename</code>.
- If <code class="filename">filename</code> is <code class="filename">-</code> then
- write to standard out.
- This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
- <p>
- Check for records that are treated as different by DNSSEC but
- are semantically equal in plain DNS.
- Possible modes are <span class="command"><strong>"fail"</strong></span>,
- <span class="command"><strong>"warn"</strong></span> (default) and
- <span class="command"><strong>"ignore"</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
-<dd>
- <p>
- Specify the style of the dumped zone file.
- Possible styles are <span class="command"><strong>"full"</strong></span> (default)
- and <span class="command"><strong>"relative"</strong></span>.
- The full format is most suitable for processing
- automatically by a separate script.
- On the other hand, the relative format is more
- human-readable and is thus suitable for editing by hand.
- For <span class="command"><strong>named-checkzone</strong></span>
- this does not cause any effects unless it dumps the zone
- contents.
- It also does not have any meaning if the output format
- is not text.
- </p>
- </dd>
-<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
- <p>
- Check if a SRV record refers to a CNAME.
- Possible modes are <span class="command"><strong>"fail"</strong></span>,
- <span class="command"><strong>"warn"</strong></span> (default) and
- <span class="command"><strong>"ignore"</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- Chroot to <code class="filename">directory</code> so that
- include
- directives in the configuration file are processed as if
- run by a similarly chrooted <span class="command"><strong>named</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
- <p>
- Check if Sender Policy Framework (SPF) records exist
- and issues a warning if an SPF-formatted TXT record is
- not also present. Possible modes are <span class="command"><strong>"warn"</strong></span>
- (default), <span class="command"><strong>"ignore"</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>
- chdir to <code class="filename">directory</code> so that
- relative
- filenames in master file $INCLUDE directives work. This
- is similar to the directory clause in
- <code class="filename">named.conf</code>.
- </p>
- </dd>
-<dt><span class="term">-D</span></dt>
-<dd>
- <p>
- Dump zone file in canonical format.
- This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
- <p>
- Specify whether to check for non-terminal wildcards.
- Non-terminal wildcards are almost always the result of a
- failure to understand the wildcard matching algorithm (RFC 1034).
- Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
- and
- <span class="command"><strong>"ignore"</strong></span>.
- </p>
- </dd>
-<dt><span class="term">zonename</span></dt>
-<dd>
- <p>
- The domain name of the zone being checked.
- </p>
- </dd>
-<dt><span class="term">filename</span></dt>
-<dd>
- <p>
- The name of the zone file.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.21.9"></a><h2>RETURN VALUES</h2>
-
- <p><span class="command"><strong>named-checkzone</strong></span>
- returns an exit status of 1 if
- errors were detected and 0 otherwise.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.21.10"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named-checkconf</span>(8)
- </span>,
- <em class="citetitle">RFC 1035</em>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named-checkconf.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.named-journalprint.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named-checkconf</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">named-journalprint</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-journalprint</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
-<link rel="next" href="man.named-nzd2nzf.html" title="named-nzd2nzf">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">named-journalprint</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named-checkzone.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.named-nzd2nzf.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.named-journalprint"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">named-journalprint</span>
- — print zone journal in human-readable form
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">named-journalprint</code>
- {<em class="replaceable"><code>journal</code></em>}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.22.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>named-journalprint</strong></span>
- prints the contents of a zone journal file in a human-readable
- form.
- </p>
- <p>
- Journal files are automatically created by <span class="command"><strong>named</strong></span>
- when changes are made to dynamic zones (e.g., by
- <span class="command"><strong>nsupdate</strong></span>). They record each addition
- or deletion of a resource record, in binary format, allowing the
- changes to be re-applied to the zone when the server is
- restarted after a shutdown or crash. By default, the name of
- the journal file is formed by appending the extension
- <code class="filename">.jnl</code> to the name of the corresponding
- zone file.
- </p>
- <p>
- <span class="command"><strong>named-journalprint</strong></span> converts the contents of a given
- journal file into a human-readable text format. Each line begins
- with "add" or "del", to indicate whether the record was added or
- deleted, and continues with the resource record in master-file
- format.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.22.8"></a><h2>SEE ALSO</h2>
-
- <p>
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">nsupdate</span>(1)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named-checkzone.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.named-nzd2nzf.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named-checkzone</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">named-nzd2nzf</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-nzd2nzf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.named-journalprint.html" title="named-journalprint">
-<link rel="next" href="man.named-rrchecker.html" title="named-rrchecker">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">named-nzd2nzf</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named-journalprint.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.named-rrchecker.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.named-nzd2nzf"></a><div class="titlepage"></div>
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">named-nzd2nzf</span>
- —
- Convert an NZD database to NZF text format
-
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">named-nzd2nzf</code>
- {filename}
- </p></div>
- </div>
-
- <div class="refsect1">
-<a name="id-1.14.23.6"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>named-nzd2nzf</strong></span> converts an NZD database to NZF
- format and prints it to standard output. This can be used to
- review the configuration of zones that were added to
- <span class="command"><strong>named</strong></span> via <span class="command"><strong>rndc addzone</strong></span>.
- It can also be used to restore the old file format
- when rolling back from a newer version
- of BIND to an older version.
- </p>
- </div>
-
- <div class="refsect1">
-<a name="id-1.14.23.7"></a><h2>ARGUMENTS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">filename</span></dt>
-<dd>
- <p>
- The name of the <code class="filename">.nzd</code> file whose contents
- should be printed.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsect1">
-<a name="id-1.14.23.8"></a><h2>SEE ALSO</h2>
-
- <p>
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>
- </p>
- </div>
-
- <div class="refsect1">
-<a name="id-1.14.23.9"></a><h2>AUTHOR</h2>
-
- <p><span class="corpauthor">Internet Systems Consortium</span>
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named-journalprint.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.named-rrchecker.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named-journalprint</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">named-rrchecker</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-rrchecker</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.named-nzd2nzf.html" title="named-nzd2nzf">
-<link rel="next" href="man.nsupdate.html" title="nsupdate">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">named-rrchecker</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named-nzd2nzf.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.nsupdate.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.named-rrchecker"></a><div class="titlepage"></div>
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">named-rrchecker</span>
- — syntax checker for individual DNS resource records
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">named-rrchecker</code>
- [<code class="option">-h</code>]
- [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
- [<code class="option">-p</code>]
- [<code class="option">-u</code>]
- [<code class="option">-C</code>]
- [<code class="option">-T</code>]
- [<code class="option">-P</code>]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.24.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>named-rrchecker</strong></span>
- read a individual DNS resource record from standard input and checks if it
- is syntactically correct.
- </p>
- <p>
- The <code class="option">-h</code> prints out the help menu.
- </p>
- <p>
- The <code class="option">-o <em class="replaceable"><code>origin</code></em></code>
- option specifies a origin to be used when interpreting the record.
- </p>
- <p>
- The <code class="option">-p</code> prints out the resulting record in canonical
- form. If there is no canonical form defined then the record will be
- printed in unknown record format.
- </p>
- <p>
- The <code class="option">-u</code> prints out the resulting record in unknown record
- form.
- </p>
- <p>
- The <code class="option">-C</code>, <code class="option">-T</code> and <code class="option">-P</code>
- print out the known class, standard type and private type mnemonics
- respectively.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.24.8"></a><h2>SEE ALSO</h2>
-
- <p>
- <em class="citetitle">RFC 1034</em>,
- <em class="citetitle">RFC 1035</em>,
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named-nzd2nzf.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.nsupdate.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named-nzd2nzf</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">nsupdate</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.named.html" title="named">
-<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><code class="filename">named.conf</code></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.named-checkconf.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.named.conf"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <code class="filename">named.conf</code>
- — configuration file for <span class="command"><strong>named</strong></span>
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">named.conf</code>
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.7"></a><h2>DESCRIPTION</h2>
-
- <p><code class="filename">named.conf</code> is the configuration file
- for
- <span class="command"><strong>named</strong></span>. Statements are enclosed
- in braces and terminated with a semi-colon. Clauses in
- the statements are also semi-colon terminated. The usual
- comment styles are supported:
- </p>
- <p>
- C style: /* */
- </p>
- <p>
- C++ style: // to end of line
- </p>
- <p>
- Unix style: # to end of line
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.8"></a><h2>ACL</h2>
-
- <div class="literallayout"><p><br>
-acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.9"></a><h2>CONTROLS</h2>
-
- <div class="literallayout"><p><br>
-controls {<br>
- inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
-     * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] allow<br>
-     { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
-     keys { <em class="replaceable"><code>string</code></em>; ... } </span>] [<span class="optional"> read-only<br>
- Â Â Â Â <em class="replaceable"><code>boolean</code></em>Â </span>];<br>
- unix <em class="replaceable"><code>quoted_string</code></em> perm <em class="replaceable"><code>integer</code></em><br>
-     owner <em class="replaceable"><code>integer</code></em> group <em class="replaceable"><code>integer</code></em> [<span class="optional"><br>
-     keys { <em class="replaceable"><code>string</code></em>; ... } </span>] [<span class="optional"> read-only<br>
- Â Â Â Â <em class="replaceable"><code>boolean</code></em>Â </span>];<br>
-};<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.10"></a><h2>DLZ</h2>
-
- <div class="literallayout"><p><br>
-dlz <em class="replaceable"><code>string</code></em> {<br>
- database <em class="replaceable"><code>string</code></em>;<br>
- search <em class="replaceable"><code>boolean</code></em>;<br>
-};<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.11"></a><h2>DYNDB</h2>
-
- <div class="literallayout"><p><br>
-dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
-Â Â Â Â <em class="replaceable"><code>unspecified-text</code></em>Â };<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.12"></a><h2>KEY</h2>
-
- <div class="literallayout"><p><br>
-key <em class="replaceable"><code>string</code></em> {<br>
- algorithm <em class="replaceable"><code>string</code></em>;<br>
- secret <em class="replaceable"><code>string</code></em>;<br>
-};<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.13"></a><h2>LOGGING</h2>
-
- <div class="literallayout"><p><br>
-logging {<br>
- category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
- channel <em class="replaceable"><code>string</code></em> {<br>
- buffered <em class="replaceable"><code>boolean</code></em>;<br>
- file <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> versions ( unlimited | <em class="replaceable"><code>integer</code></em> ) </span>]<br>
-     [<span class="optional"> size <em class="replaceable"><code>size</code></em> </span>] [<span class="optional"> suffix ( increment | timestamp ) </span>];<br>
- null;<br>
- print-category <em class="replaceable"><code>boolean</code></em>;<br>
- print-severity <em class="replaceable"><code>boolean</code></em>;<br>
- print-time ( iso8601 | iso8601-utc | local | <em class="replaceable"><code>boolean</code></em> );<br>
- severity <em class="replaceable"><code>log_severity</code></em>;<br>
- stderr;<br>
- syslog [<span class="optional"> <em class="replaceable"><code>syslog_facility</code></em> </span>];<br>
- };<br>
-};<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.14"></a><h2>MANAGED-KEYS</h2>
-
- <div class="literallayout"><p><br>
-managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.15"></a><h2>MASTERS</h2>
-
- <div class="literallayout"><p><br>
-masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
-Â Â Â Â <em class="replaceable"><code>integer</code></em>Â </span>]Â {Â (Â <em class="replaceable"><code>masters</code></em>Â |Â <em class="replaceable"><code>ipv4_address</code></em>Â [<span class="optional"><br>
-    port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-    <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.16"></a><h2>OPTIONS</h2>
-
- <div class="literallayout"><p><br>
-options {<br>
- acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
- acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
- additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
- additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
- allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
- allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-     <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
- alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-     </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-     * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- attach-cache <em class="replaceable"><code>string</code></em>;<br>
- auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
- auto-dnssec ( allow | maintain | off );<br>
- automatic-interface-scan <em class="replaceable"><code>boolean</code></em>;<br>
- avoid-v4-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
- avoid-v6-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
- bindkeys-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- blackhole { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> default-masters [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
-     port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key<br>
-     <em class="replaceable"><code>string</code></em> </span>]; ... } </span>] [<span class="optional"> zone-directory <em class="replaceable"><code>quoted_string</code></em> </span>] [<span class="optional"><br>
-     in-memory <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- check-dup-records ( fail | warn | ignore );<br>
- check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
- check-mx ( fail | warn | ignore );<br>
- check-mx-cname ( fail | warn | ignore );<br>
- check-names ( master | slave | response<br>
-     ) ( fail | warn | ignore );<br>
- check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
- check-spf ( warn | ignore );<br>
- check-srv-cname ( fail | warn | ignore );<br>
- check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
- cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
- clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
- cookie-algorithm ( aes | sha1 | sha256 );<br>
- cookie-secret <em class="replaceable"><code>string</code></em>;<br>
- coresize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- datasize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
-     except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
- deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [<span class="optional"> except-from {<br>
-     <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
- dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
- directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
-     ... };<br>
- disable-ds-digests <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
-     ... };<br>
- disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
- dns64Â <em class="replaceable"><code>netprefix</code></em>Â {<br>
- break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
- clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- exclude { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- mapped { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
- suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
- };<br>
- dns64-contact <em class="replaceable"><code>string</code></em>;<br>
- dns64-server <em class="replaceable"><code>string</code></em>;<br>
- dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
- dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
-     <em class="replaceable"><code>string</code></em> | auto | no );<br>
- dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-update-mode ( maintain | no-resign );<br>
- dnssec-validation ( yes | no | auto );<br>
- dnstap { ( all | auth | client | forwarder |<br>
-     resolver ) [<span class="optional"> ( query | response ) </span>]; ... };<br>
- dnstap-identity ( <em class="replaceable"><code>quoted_string</code></em> | none |<br>
-     hostname );<br>
- dnstap-output ( file | unix ) <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"><br>
-     size ( unlimited | <em class="replaceable"><code>size</code></em> ) </span>] [<span class="optional"> versions (<br>
-     unlimited | <em class="replaceable"><code>integer</code></em> ) </span>] [<span class="optional"> suffix ( increment<br>
-     | timestamp ) </span>];<br>
- dnstap-version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- dscp <em class="replaceable"><code>integer</code></em>;<br>
- dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] ); ... };<br>
- dump-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- empty-contact <em class="replaceable"><code>string</code></em>;<br>
- empty-server <em class="replaceable"><code>string</code></em>;<br>
- empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
- fetch-quota-params <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;<br>
- fetches-per-server <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
- fetches-per-zone <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
- files ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- filter-aaaa { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- filter-aaaa-on-v4 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
- filter-aaaa-on-v6 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
- flush-zones-on-shutdown <em class="replaceable"><code>boolean</code></em>;<br>
- forward ( first | only );<br>
- forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
-     | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- fstrm-set-buffer-hint <em class="replaceable"><code>integer</code></em>;<br>
- fstrm-set-flush-timeout <em class="replaceable"><code>integer</code></em>;<br>
- fstrm-set-input-queue-size <em class="replaceable"><code>integer</code></em>;<br>
- fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
- fstrm-set-output-queue-model ( mpsc | spsc );<br>
- fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
- fstrm-set-reopen-interval <em class="replaceable"><code>integer</code></em>;<br>
- geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- geoip-use-ecs ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
- hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
- interface-interval <em class="replaceable"><code>integer</code></em>;<br>
- ixfr-from-differences ( master | slave | <em class="replaceable"><code>boolean</code></em> );<br>
- keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
- listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em>Â </span>]Â {<br>
-     <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp<br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em>Â </span>]Â {<br>
-     <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
- lock-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- managed-keys-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- masterfile-format ( map | raw | text );<br>
- masterfile-style ( full | relative );<br>
- match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
- max-acache-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
- max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
- max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
- max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
- max-records <em class="replaceable"><code>integer</code></em>;<br>
- max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
- max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
- max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- max-rsa-exponent-size <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
- memstatistics <em class="replaceable"><code>boolean</code></em>;<br>
- memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- message-compression <em class="replaceable"><code>boolean</code></em>;<br>
- min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
- minimal-responses ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );<br>
- multi-master <em class="replaceable"><code>boolean</code></em>;<br>
- no-case-compress { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
- notify-delay <em class="replaceable"><code>integer</code></em>;<br>
- notify-rate <em class="replaceable"><code>integer</code></em>;<br>
- notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-     [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
- nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
- nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
- nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
- nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
- pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- port <em class="replaceable"><code>integer</code></em>;<br>
- preferred-glue <em class="replaceable"><code>string</code></em>;<br>
- prefetch <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
- provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-     <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
-     port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-     <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
-     port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- querylog <em class="replaceable"><code>boolean</code></em>;<br>
- random-device <em class="replaceable"><code>quoted_string</code></em>;<br>
- rate-limit {<br>
- all-per-second <em class="replaceable"><code>integer</code></em>;<br>
- errors-per-second <em class="replaceable"><code>integer</code></em>;<br>
- exempt-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- ipv4-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
- ipv6-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
- log-only <em class="replaceable"><code>boolean</code></em>;<br>
- max-table-size <em class="replaceable"><code>integer</code></em>;<br>
- min-table-size <em class="replaceable"><code>integer</code></em>;<br>
- nodata-per-second <em class="replaceable"><code>integer</code></em>;<br>
- nxdomains-per-second <em class="replaceable"><code>integer</code></em>;<br>
- qps-scale <em class="replaceable"><code>integer</code></em>;<br>
- referrals-per-second <em class="replaceable"><code>integer</code></em>;<br>
- responses-per-second <em class="replaceable"><code>integer</code></em>;<br>
- slip <em class="replaceable"><code>integer</code></em>;<br>
- window <em class="replaceable"><code>integer</code></em>;<br>
- };<br>
- recursing-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- recursion <em class="replaceable"><code>boolean</code></em>;<br>
- recursive-clients <em class="replaceable"><code>integer</code></em>;<br>
- request-expire <em class="replaceable"><code>boolean</code></em>;<br>
- request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
- require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
- reserved-sockets <em class="replaceable"><code>integer</code></em>;<br>
- resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
- response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em>;<br>
- response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> log <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-     policy ( cname | disabled | drop | given | no-op | nodata |<br>
-     nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) </span>] [<span class="optional"><br>
-     recursive-only <em class="replaceable"><code>boolean</code></em> </span>]; ... } [<span class="optional"> break-dnssec <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-     min-ns-dots <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-     qname-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>boolean</code></em> </span>];<br>
- root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
- rrset-order { [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> name<br>
-     <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
- secroots-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
- serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
- serial-update-method ( date | increment | unixtime );<br>
- server-id ( <em class="replaceable"><code>quoted_string</code></em> | none | hostname );<br>
- servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
- session-keyalg <em class="replaceable"><code>string</code></em>;<br>
- session-keyfile ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- session-keyname <em class="replaceable"><code>string</code></em>;<br>
- sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
- sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
- sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
- sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
- sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
- statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
- tcp-advertised-timeout <em class="replaceable"><code>integer</code></em>;<br>
- tcp-clients <em class="replaceable"><code>integer</code></em>;<br>
- tcp-idle-timeout <em class="replaceable"><code>integer</code></em>;<br>
- tcp-initial-timeout <em class="replaceable"><code>integer</code></em>;<br>
- tcp-keepalive-timeout <em class="replaceable"><code>integer</code></em>;<br>
- tcp-listen-queue <em class="replaceable"><code>integer</code></em>;<br>
- tkey-dhkey <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;<br>
- tkey-domain <em class="replaceable"><code>quoted_string</code></em>;<br>
- tkey-gssapi-credential <em class="replaceable"><code>quoted_string</code></em>;<br>
- tkey-gssapi-keytab <em class="replaceable"><code>quoted_string</code></em>;<br>
- transfer-format ( many-answers | one-answer );<br>
- transfer-message-size <em class="replaceable"><code>integer</code></em>;<br>
- transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-     </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfers-in <em class="replaceable"><code>integer</code></em>;<br>
- transfers-out <em class="replaceable"><code>integer</code></em>;<br>
- transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
- trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
- try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
- update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
- use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
- use-v4-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
- use-v6-udp-ports { <em class="replaceable"><code>portrange</code></em>; ... };<br>
- v6-bias <em class="replaceable"><code>integer</code></em>;<br>
- version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
- zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
- zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
-};<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.17"></a><h2>SERVER</h2>
-
- <div class="literallayout"><p><br>
-server <em class="replaceable"><code>netprefix</code></em> {<br>
- bogus <em class="replaceable"><code>boolean</code></em>;<br>
- edns <em class="replaceable"><code>boolean</code></em>;<br>
- edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- edns-version <em class="replaceable"><code>integer</code></em>;<br>
- keys <em class="replaceable"><code>server_key</code></em>;<br>
- max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-     [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- padding <em class="replaceable"><code>integer</code></em>;<br>
- provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-     <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
-     port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-     <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
-     port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- request-expire <em class="replaceable"><code>boolean</code></em>;<br>
- request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
- send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
- tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
- tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
- transfer-format ( many-answers | one-answer );<br>
- transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-     </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfers <em class="replaceable"><code>integer</code></em>;<br>
-};<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.18"></a><h2>STATISTICS-CHANNELS</h2>
-
- <div class="literallayout"><p><br>
-statistics-channels {<br>
- inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
-     * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-     allow { <em class="replaceable"><code>address_match_element</code></em>; ...<br>
- Â Â Â Â }Â </span>];<br>
-};<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.19"></a><h2>TRUSTED-KEYS</h2>
-
- <div class="literallayout"><p><br>
-trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
-    <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.20"></a><h2>VIEW</h2>
-
- <div class="literallayout"><p><br>
-view <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
- acache-cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
- acache-enable <em class="replaceable"><code>boolean</code></em>;<br>
- additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
- additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
- allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
- allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-     <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
- alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-     </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-     * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- attach-cache <em class="replaceable"><code>string</code></em>;<br>
- auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
- auto-dnssec ( allow | maintain | off );<br>
- cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- catalog-zones { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> default-masters [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"><br>
-     port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key<br>
-     <em class="replaceable"><code>string</code></em> </span>]; ... } </span>] [<span class="optional"> zone-directory <em class="replaceable"><code>quoted_string</code></em> </span>] [<span class="optional"><br>
-     in-memory <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- check-dup-records ( fail | warn | ignore );<br>
- check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
- check-mx ( fail | warn | ignore );<br>
- check-mx-cname ( fail | warn | ignore );<br>
- check-names ( master | slave | response<br>
-     ) ( fail | warn | ignore );<br>
- check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
- check-spf ( warn | ignore );<br>
- check-srv-cname ( fail | warn | ignore );<br>
- check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
- cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
- clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
- deny-answer-addresses { <em class="replaceable"><code>address_match_element</code></em>; ... } [<span class="optional"><br>
-     except-from { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
- deny-answer-aliases { <em class="replaceable"><code>quoted_string</code></em>; ... } [<span class="optional"> except-from {<br>
-     <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
- dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
- disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
-     ... };<br>
- disable-ds-digests <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>;<br>
-     ... };<br>
- disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
- dlz <em class="replaceable"><code>string</code></em> {<br>
- database <em class="replaceable"><code>string</code></em>;<br>
- search <em class="replaceable"><code>boolean</code></em>;<br>
- };<br>
- dns64Â <em class="replaceable"><code>netprefix</code></em>Â {<br>
- break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
- clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- exclude { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- mapped { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
- suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
- };<br>
- dns64-contact <em class="replaceable"><code>string</code></em>;<br>
- dns64-server <em class="replaceable"><code>string</code></em>;<br>
- dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
- dnssec-lookaside ( <em class="replaceable"><code>string</code></em> trust-anchor<br>
-     <em class="replaceable"><code>string</code></em> | auto | no );<br>
- dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-update-mode ( maintain | no-resign );<br>
- dnssec-validation ( yes | no | auto );<br>
- dnstap { ( all | auth | client | forwarder |<br>
-     resolver ) [<span class="optional"> ( query | response ) </span>]; ... };<br>
- dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] ); ... };<br>
- dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
- Â Â Â Â <em class="replaceable"><code>unspecified-text</code></em>Â };<br>
- edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- empty-contact <em class="replaceable"><code>string</code></em>;<br>
- empty-server <em class="replaceable"><code>string</code></em>;<br>
- empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
- fetch-quota-params <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em> <em class="replaceable"><code>fixedpoint</code></em>;<br>
- fetches-per-server <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
- fetches-per-zone <em class="replaceable"><code>integer</code></em> [<span class="optional"> ( drop | fail ) </span>];<br>
- filter-aaaa { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- filter-aaaa-on-v4 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
- filter-aaaa-on-v6 ( break-dnssec | <em class="replaceable"><code>boolean</code></em> );<br>
- forward ( first | only );<br>
- forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
-     | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
- ixfr-from-differences ( master | slave | <em class="replaceable"><code>boolean</code></em> );<br>
- key <em class="replaceable"><code>string</code></em> {<br>
- algorithm <em class="replaceable"><code>string</code></em>;<br>
- secret <em class="replaceable"><code>string</code></em>;<br>
- };<br>
- key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- lame-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
- lmdb-mapsize <em class="replaceable"><code>sizeval</code></em>;<br>
- managed-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em><br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em><br>
-     <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
- masterfile-format ( map | raw | text );<br>
- masterfile-style ( full | relative );<br>
- match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
- max-acache-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
- max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
- max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
- max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
- max-records <em class="replaceable"><code>integer</code></em>;<br>
- max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
- max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
- max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
- message-compression <em class="replaceable"><code>boolean</code></em>;<br>
- min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- minimal-any <em class="replaceable"><code>boolean</code></em>;<br>
- minimal-responses ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );<br>
- multi-master <em class="replaceable"><code>boolean</code></em>;<br>
- no-case-compress { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- nocookie-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
- notify-delay <em class="replaceable"><code>integer</code></em>;<br>
- notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-     [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
- nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
- nta-lifetime <em class="replaceable"><code>ttlval</code></em>;<br>
- nta-recheck <em class="replaceable"><code>ttlval</code></em>;<br>
- nxdomain-redirect <em class="replaceable"><code>string</code></em>;<br>
- preferred-glue <em class="replaceable"><code>string</code></em>;<br>
- prefetch <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
- provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-     <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>]<br>
-     port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-     <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>]<br>
-     port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- rate-limit {<br>
- all-per-second <em class="replaceable"><code>integer</code></em>;<br>
- errors-per-second <em class="replaceable"><code>integer</code></em>;<br>
- exempt-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- ipv4-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
- ipv6-prefix-length <em class="replaceable"><code>integer</code></em>;<br>
- log-only <em class="replaceable"><code>boolean</code></em>;<br>
- max-table-size <em class="replaceable"><code>integer</code></em>;<br>
- min-table-size <em class="replaceable"><code>integer</code></em>;<br>
- nodata-per-second <em class="replaceable"><code>integer</code></em>;<br>
- nxdomains-per-second <em class="replaceable"><code>integer</code></em>;<br>
- qps-scale <em class="replaceable"><code>integer</code></em>;<br>
- referrals-per-second <em class="replaceable"><code>integer</code></em>;<br>
- responses-per-second <em class="replaceable"><code>integer</code></em>;<br>
- slip <em class="replaceable"><code>integer</code></em>;<br>
- window <em class="replaceable"><code>integer</code></em>;<br>
- };<br>
- recursion <em class="replaceable"><code>boolean</code></em>;<br>
- request-expire <em class="replaceable"><code>boolean</code></em>;<br>
- request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
- require-server-cookie <em class="replaceable"><code>boolean</code></em>;<br>
- resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
- response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em>;<br>
- response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [<span class="optional"> log <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-     policy ( cname | disabled | drop | given | no-op | nodata |<br>
-     nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) </span>] [<span class="optional"><br>
-     recursive-only <em class="replaceable"><code>boolean</code></em> </span>]; ... } [<span class="optional"> break-dnssec <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-     max-policy-ttl <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> min-update-interval <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-     min-ns-dots <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"><br>
-     qname-wait-recurse <em class="replaceable"><code>boolean</code></em> </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>boolean</code></em> </span>];<br>
- root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
- rrset-order { [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> name<br>
-     <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
- send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
- serial-update-method ( date | increment | unixtime );<br>
- server <em class="replaceable"><code>netprefix</code></em> {<br>
- bogus <em class="replaceable"><code>boolean</code></em>;<br>
- edns <em class="replaceable"><code>boolean</code></em>;<br>
- edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- edns-version <em class="replaceable"><code>integer</code></em>;<br>
- keys <em class="replaceable"><code>server_key</code></em>;<br>
- max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | *<br>
-     ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em><br>
-     | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- padding <em class="replaceable"><code>integer</code></em>;<br>
- provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- query-source ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port<br>
-     ( <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] (<br>
-     <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- query-source-v6 ( ( [<span class="optional"> address </span>] ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"><br>
-     port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] ) | ( [<span class="optional"> [<span class="optional"> address </span>] (<br>
-     <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- request-expire <em class="replaceable"><code>boolean</code></em>;<br>
- request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- request-nsid <em class="replaceable"><code>boolean</code></em>;<br>
- send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
- tcp-keepalive <em class="replaceable"><code>boolean</code></em>;<br>
- tcp-only <em class="replaceable"><code>boolean</code></em>;<br>
- transfer-format ( many-answers | one-answer );<br>
- transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-     * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-     <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfers <em class="replaceable"><code>integer</code></em>;<br>
- };<br>
- servfail-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
- sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
- sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
- sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
- sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
- sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
- transfer-format ( many-answers | one-answer );<br>
- transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-     </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- trust-anchor-telemetry <em class="replaceable"><code>boolean</code></em>; // experimental<br>
- trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>integer</code></em>Â <em class="replaceable"><code>quoted_string</code></em>;<br>
-     ... };<br>
- try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
- update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
- use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
- v6-bias <em class="replaceable"><code>integer</code></em>;<br>
- zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
- zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
- zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
- allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { (<br>
-     <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] |<br>
-     <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>];<br>
-     ... };<br>
- alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port (<br>
-     <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-     <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- auto-dnssec ( allow | maintain | off );<br>
- check-dup-records ( fail | warn | ignore );<br>
- check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
- check-mx ( fail | warn | ignore );<br>
- check-mx-cname ( fail | warn | ignore );<br>
- check-names ( fail | warn | ignore );<br>
- check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
- check-spf ( warn | ignore );<br>
- check-srv-cname ( fail | warn | ignore );<br>
- check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
- database <em class="replaceable"><code>string</code></em>;<br>
- delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
- dialup ( notify | notify-passive | passive | refresh |<br>
- Â Â Â Â <em class="replaceable"><code>boolean</code></em>Â );<br>
- dlz <em class="replaceable"><code>string</code></em>;<br>
- dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
- dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-update-mode ( maintain | no-resign );<br>
- file <em class="replaceable"><code>quoted_string</code></em>;<br>
- forward ( first | only );<br>
- forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { (<br>
-     <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- in-view <em class="replaceable"><code>string</code></em>;<br>
- inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
- ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
- journal <em class="replaceable"><code>quoted_string</code></em>;<br>
- key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- masterfile-format ( map | raw | text );<br>
- masterfile-style ( full | relative );<br>
- masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em><br>
-     | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"><br>
-     port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
- max-ixfr-log-size ( default | unlimited |<br>
- max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-records <em class="replaceable"><code>integer</code></em>;<br>
- max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
- min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- multi-master <em class="replaceable"><code>boolean</code></em>;<br>
- notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
- notify-delay <em class="replaceable"><code>integer</code></em>;<br>
- notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | *<br>
-     ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em><br>
-     | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
- nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
- pubkey <em class="replaceable"><code>integer</code></em><br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em><br>
- Â Â Â Â <em class="replaceable"><code>integer</code></em><br>
- request-expire <em class="replaceable"><code>boolean</code></em>;<br>
- request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- serial-update-method ( date | increment | unixtime );<br>
- server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"><br>
-     port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- server-names { <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
- sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
- sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
- sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
- sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-     * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port (<br>
-     <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
- type ( delegation-only | forward | hint | master | redirect<br>
-     | slave | static-stub | stub );<br>
- update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
- update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> (<br>
-     6to4-self | external | krb5-self | krb5-subdomain |<br>
-     ms-self | ms-subdomain | name | self | selfsub |<br>
-     selfwild | subdomain | tcp-self | wildcard | zonesub )<br>
-     [<span class="optional"> <em class="replaceable"><code>string</code></em> </span>] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
- use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
- zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
- zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
- };<br>
- zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
-};<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.21"></a><h2>ZONE</h2>
-
- <div class="literallayout"><p><br>
-zone <em class="replaceable"><code>string</code></em> [<span class="optional"> <em class="replaceable"><code>class</code></em> </span>] {<br>
- allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-     <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
- alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-     </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> |<br>
-     * ) </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- auto-dnssec ( allow | maintain | off );<br>
- check-dup-records ( fail | warn | ignore );<br>
- check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
- check-mx ( fail | warn | ignore );<br>
- check-mx-cname ( fail | warn | ignore );<br>
- check-names ( fail | warn | ignore );<br>
- check-sibling <em class="replaceable"><code>boolean</code></em>;<br>
- check-spf ( warn | ignore );<br>
- check-srv-cname ( fail | warn | ignore );<br>
- check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
- database <em class="replaceable"><code>string</code></em>;<br>
- delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
- dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
- dlz <em class="replaceable"><code>string</code></em>;<br>
- dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
- dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-update-mode ( maintain | no-resign );<br>
- file <em class="replaceable"><code>quoted_string</code></em>;<br>
- forward ( first | only );<br>
- forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em><br>
-     | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- in-view <em class="replaceable"><code>string</code></em>;<br>
- inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
- ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
- journal <em class="replaceable"><code>quoted_string</code></em>;<br>
- key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- masterfile-format ( map | raw | text );<br>
- masterfile-style ( full | relative );<br>
- masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>masters</code></em> |<br>
-     <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] | <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ... };<br>
- max-journal-size ( unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
- max-records <em class="replaceable"><code>integer</code></em>;<br>
- max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
- min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- multi-master <em class="replaceable"><code>boolean</code></em>;<br>
- notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
- notify-delay <em class="replaceable"><code>integer</code></em>;<br>
- notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-     [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
- nsec3-test-zone <em class="replaceable"><code>boolean</code></em>; // test only<br>
- pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
- request-expire <em class="replaceable"><code>boolean</code></em>;<br>
- request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- serial-update-method ( date | increment | unixtime );<br>
- server-addresses { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port<br>
-     <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- server-names { <em class="replaceable"><code>quoted_string</code></em>; ... };<br>
- sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
- sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
- sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
- sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
-     dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * )<br>
-     </span>] [<span class="optional"> dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
- try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
- type ( delegation-only | forward | hint | master | redirect | slave<br>
-     | static-stub | stub );<br>
- update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
- update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self |<br>
-     external | krb5-self | krb5-subdomain | ms-self | ms-subdomain<br>
-     | name | self | selfsub | selfwild | subdomain | tcp-self |<br>
-     wildcard | zonesub ) [<span class="optional"> <em class="replaceable"><code>string</code></em> </span>] <em class="replaceable"><code>rrtypelist</code></em>; ... };<br>
- use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
- zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
- zone-statistics ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );<br>
-};<br>
-</p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.22"></a><h2>FILES</h2>
-
- <p><code class="filename">/etc/named.conf</code>
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.19.23"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">ddns-confgen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named-checkconf</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">rndc</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">rndc-confgen</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.named-checkconf.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">named-checkconf</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-verify.html" title="dnssec-verify">
-<link rel="next" href="man.named.conf.html" title="named.conf">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">named</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-verify.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.named.conf.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.named"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">named</span>
- — Internet domain name server
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">named</code>
- [
- [<code class="option">-4</code>]
- | [<code class="option">-6</code>]
- ]
- [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
- [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>]
- [<code class="option">-D <em class="replaceable"><code>string</code></em></code>]
- [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>]
- [<code class="option">-f</code>]
- [<code class="option">-g</code>]
- [<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>]
- [<code class="option">-M <em class="replaceable"><code>option</code></em></code>]
- [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
- [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>]
- [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
- [<code class="option">-s</code>]
- [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>]
- [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
- [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>]
- [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
- [<code class="option">-v</code>]
- [<code class="option">-V</code>]
- [<code class="option">-X <em class="replaceable"><code>lock-file</code></em></code>]
- [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.18.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>named</strong></span>
- is a Domain Name System (DNS) server,
- part of the BIND 9 distribution from ISC. For more
- information on the DNS, see RFCs 1033, 1034, and 1035.
- </p>
- <p>
- When invoked without arguments, <span class="command"><strong>named</strong></span>
- will
- read the default configuration file
- <code class="filename">/etc/named.conf</code>, read any initial
- data, and listen for queries.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.18.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-4</span></dt>
-<dd>
- <p>
- Use IPv4 only even if the host machine is capable of IPv6.
- <code class="option">-4</code> and <code class="option">-6</code> are mutually
- exclusive.
- </p>
- </dd>
-<dt><span class="term">-6</span></dt>
-<dd>
- <p>
- Use IPv6 only even if the host machine is capable of IPv4.
- <code class="option">-4</code> and <code class="option">-6</code> are mutually
- exclusive.
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd>
- <p>
- Use <em class="replaceable"><code>config-file</code></em> as the
- configuration file instead of the default,
- <code class="filename">/etc/named.conf</code>. To
- ensure that reloading the configuration file continues
- to work after the server has changed its working
- directory due to to a possible
- <code class="option">directory</code> option in the configuration
- file, <em class="replaceable"><code>config-file</code></em> should be
- an absolute pathname.
- </p>
- </dd>
-<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd>
- <p>
- Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
- Debugging traces from <span class="command"><strong>named</strong></span> become
- more verbose as the debug level increases.
- </p>
- </dd>
-<dt><span class="term">-D <em class="replaceable"><code>string</code></em></span></dt>
-<dd>
- <p>
- Specifies a string that is used to identify a instance of
- <span class="command"><strong>named</strong></span> in a process listing. The contents
- of <em class="replaceable"><code>string</code></em> are
- not examined.
- </p>
- </dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
-<dd>
- <p>
- When applicable, specifies the hardware to use for
- cryptographic operations, such as a secure key store used
- for signing.
- </p>
- <p>
- When BIND is built with OpenSSL PKCS#11 support, this defaults
- to the string "pkcs11", which identifies an OpenSSL engine
- that can drive a cryptographic accelerator or hardware service
- module. When BIND is built with native PKCS#11 cryptography
- (--enable-native-pkcs11), it defaults to the path of the PKCS#11
- provider library specified via "--with-pkcs11".
- </p>
- </dd>
-<dt><span class="term">-f</span></dt>
-<dd>
- <p>
- Run the server in the foreground (i.e. do not daemonize).
- </p>
- </dd>
-<dt><span class="term">-g</span></dt>
-<dd>
- <p>
- Run the server in the foreground and force all logging
- to <code class="filename">stderr</code>.
- </p>
- </dd>
-<dt><span class="term">-L <em class="replaceable"><code>logfile</code></em></span></dt>
-<dd>
- <p>
- Log to the file <code class="option">logfile</code> by default
- instead of the system log.
- </p>
- </dd>
-<dt><span class="term">-M <em class="replaceable"><code>option</code></em></span></dt>
-<dd>
- <p>
- Sets the default memory context options. Currently
- the only supported option is
- <em class="replaceable"><code>external</code></em>,
- which causes the internal memory manager to be bypassed
- in favor of system-provided memory allocation functions.
- </p>
- </dd>
-<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd>
- <p>
- Turn on memory usage debugging flags. Possible flags are
- <em class="replaceable"><code>usage</code></em>,
- <em class="replaceable"><code>trace</code></em>,
- <em class="replaceable"><code>record</code></em>,
- <em class="replaceable"><code>size</code></em>, and
- <em class="replaceable"><code>mctx</code></em>.
- These correspond to the ISC_MEM_DEBUGXXXX flags described in
- <code class="filename"><isc/mem.h></code>.
- </p>
- </dd>
-<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd>
- <p>
- Create <em class="replaceable"><code>#cpus</code></em> worker threads
- to take advantage of multiple CPUs. If not specified,
- <span class="command"><strong>named</strong></span> will try to determine the
- number of CPUs present and create one thread per CPU.
- If it is unable to determine the number of CPUs, a
- single worker thread will be created.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
- <p>
- Listen for queries on port <em class="replaceable"><code>port</code></em>. If not
- specified, the default is port 53.
- </p>
- </dd>
-<dt><span class="term">-s</span></dt>
-<dd>
- <p>
- Write memory usage statistics to <code class="filename">stdout</code> on exit.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- This option is mainly of interest to BIND 9 developers
- and may be removed or changed in a future release.
- </p>
- </div>
- </dd>
-<dt><span class="term">-S <em class="replaceable"><code>#max-socks</code></em></span></dt>
-<dd>
- <p>
- Allow <span class="command"><strong>named</strong></span> to use up to
- <em class="replaceable"><code>#max-socks</code></em> sockets.
- The default value is 4096 on systems built with default
- configuration options, and 21000 on systems built with
- "configure --with-tuning=large".
- </p>
- <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
- <p>
- This option should be unnecessary for the vast majority
- of users.
- The use of this option could even be harmful because the
- specified value may exceed the limitation of the
- underlying system API.
- It is therefore set only when the default configuration
- causes exhaustion of file descriptors and the
- operational environment is known to support the
- specified number of sockets.
- Note also that the actual maximum number is normally a little
- fewer than the specified value because
- <span class="command"><strong>named</strong></span> reserves some file descriptors
- for its internal use.
- </p>
- </div>
- </dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
- <p>Chroot
- to <em class="replaceable"><code>directory</code></em> after
- processing the command line arguments, but before
- reading the configuration file.
- </p>
- <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
- <p>
- This option should be used in conjunction with the
- <code class="option">-u</code> option, as chrooting a process
- running as root doesn't enhance security on most
- systems; the way <code class="function">chroot(2)</code> is
- defined allows a process with root privileges to
- escape a chroot jail.
- </p>
- </div>
- </dd>
-<dt><span class="term">-U <em class="replaceable"><code>#listeners</code></em></span></dt>
-<dd>
- <p>
- Use <em class="replaceable"><code>#listeners</code></em>
- worker threads to listen for incoming UDP packets on each
- address. If not specified, <span class="command"><strong>named</strong></span> will
- calculate a default value based on the number of detected
- CPUs: 1 for 1 CPU, and the number of detected CPUs
- minus one for machines with more than 1 CPU. This cannot
- be increased to a value higher than the number of CPUs.
- If <code class="option">-n</code> has been set to a higher value than
- the number of detected CPUs, then <code class="option">-U</code> may
- be increased as high as that value, but no higher.
- On Windows, the number of UDP listeners is hardwired to 1
- and this option has no effect.
- </p>
- </dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
- <p>Setuid
- to <em class="replaceable"><code>user</code></em> after completing
- privileged operations, such as creating sockets that
- listen on privileged ports.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- On Linux, <span class="command"><strong>named</strong></span> uses the kernel's
- capability mechanism to drop all root privileges
- except the ability to <code class="function">bind(2)</code> to
- a
- privileged port and set process resource limits.
- Unfortunately, this means that the <code class="option">-u</code>
- option only works when <span class="command"><strong>named</strong></span> is
- run
- on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
- later, since previous kernels did not allow privileges
- to be retained after <code class="function">setuid(2)</code>.
- </p>
- </div>
- </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
- <p>
- Report the version number and exit.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Report the version number and build options, and exit.
- </p>
- </dd>
-<dt><span class="term">-X <em class="replaceable"><code>lock-file</code></em></span></dt>
-<dd>
- <p>
- Acquire a lock on the specified file at runtime; this
- helps to prevent duplicate <span class="command"><strong>named</strong></span> instances
- from running simultaneously.
- Use of this option overrides the <span class="command"><strong>lock-file</strong></span>
- option in <code class="filename">named.conf</code>.
- If set to <code class="literal">none</code>, the lock file check
- is disabled.
- </p>
- </dd>
-<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
-<dd>
- <p>
- Load data from <em class="replaceable"><code>cache-file</code></em> into the
- cache of the default view.
- </p>
- <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
- <p>
- This option must not be used. It is only of interest
- to BIND 9 developers and may be removed or changed in a
- future release.
- </p>
- </div>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.18.9"></a><h2>SIGNALS</h2>
-
- <p>
- In routine operation, signals should not be used to control
- the nameserver; <span class="command"><strong>rndc</strong></span> should be used
- instead.
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">SIGHUP</span></dt>
-<dd>
- <p>
- Force a reload of the server.
- </p>
- </dd>
-<dt><span class="term">SIGINT, SIGTERM</span></dt>
-<dd>
- <p>
- Shut down the server.
- </p>
- </dd>
-</dl></div>
-
- <p>
- The result of sending any other signals to the server is undefined.
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.18.10"></a><h2>CONFIGURATION</h2>
-
- <p>
- The <span class="command"><strong>named</strong></span> configuration file is too complex
- to describe in detail here. A complete description is provided
- in the
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
-
- <p>
- <span class="command"><strong>named</strong></span> inherits the <code class="function">umask</code>
- (file creation mode mask) from the parent process. If files
- created by <span class="command"><strong>named</strong></span>, such as journal files,
- need to have custom permissions, the <code class="function">umask</code>
- should be set explicitly in the script used to start the
- <span class="command"><strong>named</strong></span> process.
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.18.11"></a><h2>FILES</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
-<dd>
- <p>
- The default configuration file.
- </p>
- </dd>
-<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
-<dd>
- <p>
- The default process-id file.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.18.12"></a><h2>SEE ALSO</h2>
-
- <p><em class="citetitle">RFC 1033</em>,
- <em class="citetitle">RFC 1034</em>,
- <em class="citetitle">RFC 1035</em>,
- <span class="citerefentry">
- <span class="refentrytitle">named-checkconf</span>
- (8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named-checkzone</span>
- (8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">rndc</span>
- (8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named.conf</span>
- (5)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-verify.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.named.conf.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-verify</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <code class="filename">named.conf</code>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nsec3hash</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
-<link rel="next" href="man.pkcs11-destroy.html" title="pkcs11-destroy">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">nsec3hash</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.pkcs11-destroy.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.nsec3hash"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">nsec3hash</span>
- — generate NSEC3 hash
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">nsec3hash</code>
- {<em class="replaceable"><code>salt</code></em>}
- {<em class="replaceable"><code>algorithm</code></em>}
- {<em class="replaceable"><code>iterations</code></em>}
- {<em class="replaceable"><code>domain</code></em>}
- </p></div>
- <div class="cmdsynopsis"><p>
- <code class="command">nsec3hash -r</code>
- {<em class="replaceable"><code>algorithm</code></em>}
- {<em class="replaceable"><code>flags</code></em>}
- {<em class="replaceable"><code>iterations</code></em>}
- {<em class="replaceable"><code>salt</code></em>}
- {<em class="replaceable"><code>domain</code></em>}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.34.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>nsec3hash</strong></span> generates an NSEC3 hash based on
- a set of NSEC3 parameters. This can be used to check the validity
- of NSEC3 records in a signed zone.
- </p>
-
- <p>
- If this command is invoked as <span class="command"><strong>nsec3hash -r</strong></span>,
- it takes arguments in an order matching the first four fields
- of an NSEC3 record, followed by the domain name: algorithm, flags,
- iterations, salt, domain. This makes it convenient to copy and
- paste a portion of an NSEC3 or NSEC3PARAM record into a command
- line to confirm the correctness of an NSEC3 hash.
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.34.8"></a><h2>ARGUMENTS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">salt</span></dt>
-<dd>
- <p>
- The salt provided to the hash algorithm.
- </p>
- </dd>
-<dt><span class="term">algorithm</span></dt>
-<dd>
- <p>
- A number indicating the hash algorithm. Currently the
- only supported hash algorithm for NSEC3 is SHA-1, which is
- indicated by the number 1; consequently "1" is the only
- useful value for this argument.
- </p>
- </dd>
-<dt><span class="term">flags</span></dt>
-<dd>
- <p>
- Provided for compatibility with NSEC3 record presentation
- format, but ignored since the flags do not affect the hash.
- </p>
- </dd>
-<dt><span class="term">iterations</span></dt>
-<dd>
- <p>
- The number of additional times the hash should be performed.
- </p>
- </dd>
-<dt><span class="term">domain</span></dt>
-<dd>
- <p>
- The domain name to be hashed.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.34.9"></a><h2>SEE ALSO</h2>
-
- <p>
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 5155</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.pkcs11-destroy.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">isc-hmac-fixup</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">pkcs11-destroy</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nslookup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.delv.html" title="delv">
-<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">nslookup</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.delv.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.nslookup"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- nslookup
- — query Internet name servers interactively
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">nslookup</code>
- [<code class="option">-option</code>]
- [name | -]
- [server]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.6.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>Nslookup</strong></span>
- is a program to query Internet domain name servers. <span class="command"><strong>Nslookup</strong></span>
- has two modes: interactive and non-interactive. Interactive mode allows
- the user to query name servers for information about various hosts and
- domains or to print a list of hosts in a domain. Non-interactive mode
- is
- used to print just the name and requested information for a host or
- domain.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.6.8"></a><h2>ARGUMENTS</h2>
-
- <p>
- Interactive mode is entered in the following cases:
- </p>
-<div class="orderedlist"><ol class="orderedlist" type="a">
-<li class="listitem">
- <p>
- when no arguments are given (the default name server will be used)
- </p>
- </li>
-<li class="listitem">
- <p>
- when the first argument is a hyphen (-) and the second argument is
- the host name or Internet address of a name server.
- </p>
- </li>
-</ol></div>
-<p>
- </p>
-
- <p>
- Non-interactive mode is used when the name or Internet address of the
- host to be looked up is given as the first argument. The optional second
- argument specifies the host name or address of a name server.
- </p>
-
- <p>
- Options can also be specified on the command line if they precede the
- arguments and are prefixed with a hyphen. For example, to
- change the default query type to host information, and the initial
- timeout to 10 seconds, type:
-
- </p>
-<pre class="programlisting">
-nslookup -query=hinfo -timeout=10
-</pre>
-<p>
-
- </p>
- <p>
- The <code class="option">-version</code> option causes
- <span class="command"><strong>nslookup</strong></span> to print the version
- number and immediately exits.
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.6.9"></a><h2>INTERACTIVE COMMANDS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
-<dd>
- <p>
- Look up information for host using the current default server or
- using server, if specified. If host is an Internet address and
- the query type is A or PTR, the name of the host is returned.
- If host is a name and does not have a trailing period, the
- search list is used to qualify the name.
- </p>
-
- <p>
- To look up a host not in the current domain, append a period to
- the name.
- </p>
- </dd>
-<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
- <p></p>
- </dd>
-<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd>
- <p>
- Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
- server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
- the current default server. If an authoritative answer can't be
- found, the names of servers that might have the answer are
- returned.
- </p>
- </dd>
-<dt><span class="term"><code class="constant">root</code></span></dt>
-<dd>
- <p>
- not implemented
- </p>
- </dd>
-<dt><span class="term"><code class="constant">finger</code></span></dt>
-<dd>
- <p>
- not implemented
- </p>
- </dd>
-<dt><span class="term"><code class="constant">ls</code></span></dt>
-<dd>
- <p>
- not implemented
- </p>
- </dd>
-<dt><span class="term"><code class="constant">view</code></span></dt>
-<dd>
- <p>
- not implemented
- </p>
- </dd>
-<dt><span class="term"><code class="constant">help</code></span></dt>
-<dd>
- <p>
- not implemented
- </p>
- </dd>
-<dt><span class="term"><code class="constant">?</code></span></dt>
-<dd>
- <p>
- not implemented
- </p>
- </dd>
-<dt><span class="term"><code class="constant">exit</code></span></dt>
-<dd>
- <p>
- Exits the program.
- </p>
- </dd>
-<dt><span class="term"><code class="constant">set</code>
- <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
-<dd>
- <p>
- This command is used to change state information that affects
- the lookups. Valid keywords are:
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="constant">all</code></span></dt>
-<dd>
- <p>
- Prints the current values of the frequently used
- options to <span class="command"><strong>set</strong></span>.
- Information about the current default
- server and host is also printed.
- </p>
- </dd>
-<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
- <p>
- Change the query class to one of:
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="constant">IN</code></span></dt>
-<dd>
- <p>
- the Internet class
- </p>
- </dd>
-<dt><span class="term"><code class="constant">CH</code></span></dt>
-<dd>
- <p>
- the Chaos class
- </p>
- </dd>
-<dt><span class="term"><code class="constant">HS</code></span></dt>
-<dd>
- <p>
- the Hesiod class
- </p>
- </dd>
-<dt><span class="term"><code class="constant">ANY</code></span></dt>
-<dd>
- <p>
- wildcard
- </p>
- </dd>
-</dl></div>
-<p>
- The class specifies the protocol group of the information.
-
- </p>
- <p>
- (Default = IN; abbreviation = cl)
- </p>
- </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
-<dd>
- <p>
- Turn on or off the display of the full response packet and
- any intermediate response packets when searching.
- </p>
- <p>
- (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
- </p>
- </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
-<dd>
- <p>
- Turn debugging mode on or off. This displays more about
- what nslookup is doing.
- </p>
- <p>
- (Default = nod2)
- </p>
- </dd>
-<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
-<dd>
- <p>
- Sets the search list to <em class="replaceable"><code>name</code></em>.
- </p>
- </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
-<dd>
- <p>
- If the lookup request contains at least one period but
- doesn't end with a trailing period, append the domain
- names in the domain search list to the request until an
- answer is received.
- </p>
- <p>
- (Default = search)
- </p>
- </dd>
-<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
- <p>
- Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
- </p>
- <p>
- (Default = 53; abbreviation = po)
- </p>
- </dd>
-<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
- <p></p>
- </dd>
-<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
- <p>
- Change the type of the information query.
- </p>
- <p>
- (Default = A; abbreviations = q, ty)
- </p>
- </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
-<dd>
- <p>
- Tell the name server to query other servers if it does not
- have the
- information.
- </p>
- <p>
- (Default = recurse; abbreviation = [no]rec)
- </p>
- </dd>
-<dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
- <p>
- Set the number of dots (label separators) in a domain
- that will disable searching. Absolute names always
- stop searching.
- </p>
- </dd>
-<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
- <p>
- Set the number of retries to number.
- </p>
- </dd>
-<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd>
- <p>
- Change the initial timeout interval for waiting for a
- reply to number seconds.
- </p>
- </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
-<dd>
- <p>
- Always use a virtual circuit when sending requests to the
- server.
- </p>
- <p>
- (Default = novc)
- </p>
- </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
-<dd>
- <p>
- Try the next nameserver if a nameserver responds with
- SERVFAIL or a referral (nofail) or terminate query
- (fail) on such a response.
- </p>
- <p>
- (Default = nofail)
- </p>
- </dd>
-</dl></div>
-<p>
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.6.10"></a><h2>RETURN VALUES</h2>
- <p>
- <span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
- if any query failed, and 0 otherwise.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.6.11"></a><h2>FILES</h2>
-
- <p><code class="filename">/etc/resolv.conf</code>
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.6.12"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">dig</span>(1)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">host</span>(1)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>.
- </p>
- </div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.delv.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">delv </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">dnssec-checkds</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nsupdate</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.named-rrchecker.html" title="named-rrchecker">
-<link rel="next" href="man.rndc.html" title="rndc">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">nsupdate</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named-rrchecker.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.rndc.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.nsupdate"></a><div class="titlepage"></div>
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">nsupdate</span>
- — Dynamic DNS update utility
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">nsupdate</code>
- [<code class="option">-d</code>]
- [<code class="option">-D</code>]
- [<code class="option">-i</code>]
- [<code class="option">-L <em class="replaceable"><code>level</code></em></code>]
- [
- [<code class="option">-g</code>]
- | [<code class="option">-o</code>]
- | [<code class="option">-l</code>]
- | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>]
- | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]
- ]
- [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>]
- [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>]
- [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>]
- [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>]
- [<code class="option">-v</code>]
- [<code class="option">-T</code>]
- [<code class="option">-P</code>]
- [<code class="option">-V</code>]
- [
- [<code class="option">-4</code>]
- | [<code class="option">-6</code>]
- ]
- [filename]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.25.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>nsupdate</strong></span>
- is used to submit Dynamic DNS Update requests as defined in RFC 2136
- to a name server.
- This allows resource records to be added or removed from a zone
- without manually editing the zone file.
- A single update request can contain requests to add or remove more than
- one
- resource record.
- </p>
- <p>
- Zones that are under dynamic control via
- <span class="command"><strong>nsupdate</strong></span>
- or a DHCP server should not be edited by hand.
- Manual edits could
- conflict with dynamic updates and cause data to be lost.
- </p>
- <p>
- The resource records that are dynamically added or removed with
- <span class="command"><strong>nsupdate</strong></span>
- have to be in the same zone.
- Requests are sent to the zone's master server.
- This is identified by the MNAME field of the zone's SOA record.
- </p>
- <p>
- Transaction signatures can be used to authenticate the Dynamic
- DNS updates. These use the TSIG resource record type described
- in RFC 2845 or the SIG(0) record described in RFC 2535 and
- RFC 2931 or GSS-TSIG as described in RFC 3645.
- </p>
- <p>
- TSIG relies on
- a shared secret that should only be known to
- <span class="command"><strong>nsupdate</strong></span> and the name server.
- For instance, suitable <span class="type">key</span> and
- <span class="type">server</span> statements would be added to
- <code class="filename">/etc/named.conf</code> so that the name server
- can associate the appropriate secret key and algorithm with
- the IP address of the client application that will be using
- TSIG authentication. You can use <span class="command"><strong>ddns-confgen</strong></span>
- to generate suitable configuration fragments.
- <span class="command"><strong>nsupdate</strong></span>
- uses the <code class="option">-y</code> or <code class="option">-k</code> options
- to provide the TSIG shared secret. These options are mutually exclusive.
- </p>
- <p>
- SIG(0) uses public key cryptography.
- To use a SIG(0) key, the public key must be stored in a KEY
- record in a zone served by the name server.
- </p>
- <p>
- GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
- is switched on with the <code class="option">-g</code> flag. A
- non-standards-compliant variant of GSS-TSIG used by Windows
- 2000 can be switched on with the <code class="option">-o</code> flag.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.25.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-4</span></dt>
-<dd>
- <p>
- Use IPv4 only.
- </p>
- </dd>
-<dt><span class="term">-6</span></dt>
-<dd>
- <p>
- Use IPv6 only.
- </p>
- </dd>
-<dt><span class="term">-d</span></dt>
-<dd>
- <p>
- Debug mode. This provides tracing information about the
- update requests that are made and the replies received
- from the name server.
- </p>
- </dd>
-<dt><span class="term">-D</span></dt>
-<dd>
- <p>
- Extra debug mode.
- </p>
- </dd>
-<dt><span class="term">-i</span></dt>
-<dd>
- <p>
- Force interactive mode, even when standard input is not a terminal.
- </p>
- </dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd>
- <p>
- The file containing the TSIG authentication key.
- Keyfiles may be in two formats: a single file containing
- a <code class="filename">named.conf</code>-format <span class="command"><strong>key</strong></span>
- statement, which may be generated automatically by
- <span class="command"><strong>ddns-confgen</strong></span>, or a pair of files whose names are
- of the format <code class="filename">K{name}.+157.+{random}.key</code> and
- <code class="filename">K{name}.+157.+{random}.private</code>, which can be
- generated by <span class="command"><strong>dnssec-keygen</strong></span>.
- The <code class="option">-k</code> may also be used to specify a SIG(0) key used
- to authenticate Dynamic DNS update requests. In this case, the key
- specified is not an HMAC-MD5 key.
- </p>
- </dd>
-<dt><span class="term">-l</span></dt>
-<dd>
- <p>
- Local-host only mode. This sets the server address to
- localhost (disabling the <span class="command"><strong>server</strong></span> so that the server
- address cannot be overridden). Connections to the local server will
- use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
- which is automatically generated by <span class="command"><strong>named</strong></span> if any
- local master zone has set <span class="command"><strong>update-policy</strong></span> to
- <span class="command"><strong>local</strong></span>. The location of this key file can be
- overridden with the <code class="option">-k</code> option.
- </p>
- </dd>
-<dt><span class="term">-L <em class="replaceable"><code>level</code></em></span></dt>
-<dd>
- <p>
- Set the logging debug level. If zero, logging is disabled.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
- <p>
- Set the port to use for connections to a name server. The
- default is 53.
- </p>
- </dd>
-<dt><span class="term">-P</span></dt>
-<dd>
- <p>
- Print the list of private BIND-specific resource record
- types whose format is understood
- by <span class="command"><strong>nsupdate</strong></span>. See also
- the <code class="option">-T</code> option.
- </p>
- </dd>
-<dt><span class="term">-r <em class="replaceable"><code>udpretries</code></em></span></dt>
-<dd>
- <p>
- The number of UDP retries. The default is 3. If zero, only
- one update request will be made.
- </p>
- </dd>
-<dt><span class="term">-R <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd>
- <p>
- Where to obtain randomness. If the operating system
- does not provide a <code class="filename">/dev/random</code> or
- equivalent device, the default source of randomness is keyboard
- input. <code class="filename">randomdev</code> specifies the name of
- a character device or file containing random data to be used
- instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard input
- should be used. This option may be specified multiple times.
- </p>
- </dd>
-<dt><span class="term">-t <em class="replaceable"><code>timeout</code></em></span></dt>
-<dd>
- <p>
- The maximum time an update request can take before it is
- aborted. The default is 300 seconds. Zero can be used to
- disable the timeout.
- </p>
- </dd>
-<dt><span class="term">-T</span></dt>
-<dd>
- <p>
- Print the list of IANA standard resource record types
- whose format is understood by <span class="command"><strong>nsupdate</strong></span>.
- <span class="command"><strong>nsupdate</strong></span> will exit after the lists are
- printed. The <code class="option">-T</code> option can be combined
- with the <code class="option">-P</code> option.
- </p>
- <p>
- Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
- decimal value of the type with no leading zeros. The rdata,
- if present, will be parsed using the UNKNOWN rdata format,
- (<backslash> <hash> <space> <length>
- <space> <hexstring>).
- </p>
- </dd>
-<dt><span class="term">-u <em class="replaceable"><code>udptimeout</code></em></span></dt>
-<dd>
- <p>
- The UDP retry interval. The default is 3 seconds. If zero,
- the interval will be computed from the timeout interval and
- number of UDP retries.
- </p>
- </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
- <p>
- Use TCP even for small update requests.
- By default, <span class="command"><strong>nsupdate</strong></span>
- uses UDP to send update requests to the name server unless they are too
- large to fit in a UDP request in which case TCP will be used.
- TCP may be preferable when a batch of update requests is made.
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Print the version number and exit.
- </p>
- </dd>
-<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
-<dd>
- <p>
- Literal TSIG authentication key.
- <em class="parameter"><code>keyname</code></em> is the name of the key, and
- <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
- <em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
- valid choices are <code class="literal">hmac-md5</code>,
- <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
- <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
- <code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
- is not specified, the default is <code class="literal">hmac-md5</code>
- or if MD5 was disabled <code class="literal">hmac-sha256</code>.
- </p>
- <p>
- NOTE: Use of the <code class="option">-y</code> option is discouraged because the
- shared secret is supplied as a command line argument in clear text.
- This may be visible in the output from
- <span class="citerefentry">
- <span class="refentrytitle">ps</span>(1)
- </span>
- or in a history file maintained by the user's shell.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.25.9"></a><h2>INPUT FORMAT</h2>
-
- <p><span class="command"><strong>nsupdate</strong></span>
- reads input from
- <em class="parameter"><code>filename</code></em>
- or standard input.
- Each command is supplied on exactly one line of input.
- Some commands are for administrative purposes.
- The others are either update instructions or prerequisite checks on the
- contents of the zone.
- These checks set conditions that some name or set of
- resource records (RRset) either exists or is absent from the zone.
- These conditions must be met if the entire update request is to succeed.
- Updates will be rejected if the tests for the prerequisite conditions
- fail.
- </p>
- <p>
- Every update request consists of zero or more prerequisites
- and zero or more updates.
- This allows a suitably authenticated update request to proceed if some
- specified resource records are present or missing from the zone.
- A blank input line (or the <span class="command"><strong>send</strong></span> command)
- causes the
- accumulated commands to be sent as one Dynamic DNS update request to the
- name server.
- </p>
- <p>
- The command formats and their meaning are as follows:
- </p>
-<div class="variablelist"><dl class="variablelist">
-<dt><span class="term">
- <span class="command"><strong>server</strong></span>
- {servername}
- [port]
- </span></dt>
-<dd>
- <p>
- Sends all dynamic update requests to the name server
- <em class="parameter"><code>servername</code></em>.
- When no server statement is provided,
- <span class="command"><strong>nsupdate</strong></span>
- will send updates to the master server of the correct zone.
- The MNAME field of that zone's SOA record will identify the
- master
- server for that zone.
- <em class="parameter"><code>port</code></em>
- is the port number on
- <em class="parameter"><code>servername</code></em>
- where the dynamic update requests get sent.
- If no port number is specified, the default DNS port number of
- 53 is
- used.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>local</strong></span>
- {address}
- [port]
- </span></dt>
-<dd>
- <p>
- Sends all dynamic update requests using the local
- <em class="parameter"><code>address</code></em>.
-
- When no local statement is provided,
- <span class="command"><strong>nsupdate</strong></span>
- will send updates using an address and port chosen by the
- system.
- <em class="parameter"><code>port</code></em>
- can additionally be used to make requests come from a specific
- port.
- If no port number is specified, the system will assign one.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>zone</strong></span>
- {zonename}
- </span></dt>
-<dd>
- <p>
- Specifies that all updates are to be made to the zone
- <em class="parameter"><code>zonename</code></em>.
- If no
- <em class="parameter"><code>zone</code></em>
- statement is provided,
- <span class="command"><strong>nsupdate</strong></span>
- will attempt determine the correct zone to update based on the
- rest of the input.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>class</strong></span>
- {classname}
- </span></dt>
-<dd>
- <p>
- Specify the default class.
- If no <em class="parameter"><code>class</code></em> is specified, the
- default class is
- <em class="parameter"><code>IN</code></em>.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>ttl</strong></span>
- {seconds}
- </span></dt>
-<dd>
- <p>
- Specify the default time to live for records to be added.
- The value <em class="parameter"><code>none</code></em> will clear the default
- ttl.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>key</strong></span>
- [hmac:] {keyname}
- {secret}
- </span></dt>
-<dd>
- <p>
- Specifies that all updates are to be TSIG-signed using the
- <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
- If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
- signing algorithm in use; the default is
- <code class="literal">hmac-md5</code> or if MD5 was disabled
- <code class="literal">hmac-sha256</code>. The <span class="command"><strong>key</strong></span>
- command overrides any key specified on the command line via
- <code class="option">-y</code> or <code class="option">-k</code>.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>gsstsig</strong></span>
- </span></dt>
-<dd>
- <p>
- Use GSS-TSIG to sign the updated. This is equivalent to
- specifying <code class="option">-g</code> on the command line.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>oldgsstsig</strong></span>
- </span></dt>
-<dd>
- <p>
- Use the Windows 2000 version of GSS-TSIG to sign the updated.
- This is equivalent to specifying <code class="option">-o</code> on the
- command line.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>realm</strong></span>
- {[<span class="optional">realm_name</span>]}
- </span></dt>
-<dd>
- <p>
- When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
- than the default realm in <code class="filename">krb5.conf</code>. If no
- realm is specified the saved realm is cleared.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>check-names</strong></span>
- {[<span class="optional">yes_or_no</span>]}
- </span></dt>
-<dd>
- <p>
- Turn on or off check-names processing on records to
- be added. Check-names has no effect on prerequisites
- or records to be deleted. By default check-names
- processing is on. If check-names processing fails
- the record will not be added to the UPDATE message.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>[<span class="optional">prereq</span>] nxdomain</strong></span>
- {domain-name}
- </span></dt>
-<dd>
- <p>
- Requires that no resource record of any type exists with name
- <em class="parameter"><code>domain-name</code></em>.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>[<span class="optional">prereq</span>] yxdomain</strong></span>
- {domain-name}
- </span></dt>
-<dd>
- <p>
- Requires that
- <em class="parameter"><code>domain-name</code></em>
- exists (has as at least one resource record, of any type).
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>[<span class="optional">prereq</span>] nxrrset</strong></span>
- {domain-name}
- [class]
- {type}
- </span></dt>
-<dd>
- <p>
- Requires that no resource record exists of the specified
- <em class="parameter"><code>type</code></em>,
- <em class="parameter"><code>class</code></em>
- and
- <em class="parameter"><code>domain-name</code></em>.
- If
- <em class="parameter"><code>class</code></em>
- is omitted, IN (internet) is assumed.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
- {domain-name}
- [class]
- {type}
- </span></dt>
-<dd>
- <p>
- This requires that a resource record of the specified
- <em class="parameter"><code>type</code></em>,
- <em class="parameter"><code>class</code></em>
- and
- <em class="parameter"><code>domain-name</code></em>
- must exist.
- If
- <em class="parameter"><code>class</code></em>
- is omitted, IN (internet) is assumed.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
- {domain-name}
- [class]
- {type}
- {data...}
- </span></dt>
-<dd>
- <p>
- The
- <em class="parameter"><code>data</code></em>
- from each set of prerequisites of this form
- sharing a common
- <em class="parameter"><code>type</code></em>,
- <em class="parameter"><code>class</code></em>,
- and
- <em class="parameter"><code>domain-name</code></em>
- are combined to form a set of RRs. This set of RRs must
- exactly match the set of RRs existing in the zone at the
- given
- <em class="parameter"><code>type</code></em>,
- <em class="parameter"><code>class</code></em>,
- and
- <em class="parameter"><code>domain-name</code></em>.
- The
- <em class="parameter"><code>data</code></em>
- are written in the standard text representation of the resource
- record's
- RDATA.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
- {domain-name}
- [ttl]
- [class]
- [type [data...]]
- </span></dt>
-<dd>
- <p>
- Deletes any resource records named
- <em class="parameter"><code>domain-name</code></em>.
- If
- <em class="parameter"><code>type</code></em>
- and
- <em class="parameter"><code>data</code></em>
- is provided, only matching resource records will be removed.
- The internet class is assumed if
- <em class="parameter"><code>class</code></em>
- is not supplied. The
- <em class="parameter"><code>ttl</code></em>
- is ignored, and is only allowed for compatibility.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>[<span class="optional">update</span>] add</strong></span>
- {domain-name}
- {ttl}
- [class]
- {type}
- {data...}
- </span></dt>
-<dd>
- <p>
- Adds a new resource record with the specified
- <em class="parameter"><code>ttl</code></em>,
- <em class="parameter"><code>class</code></em>
- and
- <em class="parameter"><code>data</code></em>.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>show</strong></span>
- </span></dt>
-<dd>
- <p>
- Displays the current message, containing all of the
- prerequisites and
- updates specified since the last send.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>send</strong></span>
- </span></dt>
-<dd>
- <p>
- Sends the current message. This is equivalent to entering a
- blank line.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>answer</strong></span>
- </span></dt>
-<dd>
- <p>
- Displays the answer.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>debug</strong></span>
- </span></dt>
-<dd>
- <p>
- Turn on debugging.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>version</strong></span>
- </span></dt>
-<dd>
- <p>
- Print version number.
- </p>
- </dd>
-<dt><span class="term">
- <span class="command"><strong>help</strong></span>
- </span></dt>
-<dd>
- <p>
- Print a list of commands.
- </p>
- </dd>
-</dl></div>
-<p>
- </p>
-
- <p>
- Lines beginning with a semicolon are comments and are ignored.
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.25.10"></a><h2>EXAMPLES</h2>
-
- <p>
- The examples below show how
- <span class="command"><strong>nsupdate</strong></span>
- could be used to insert and delete resource records from the
- <span class="type">example.com</span>
- zone.
- Notice that the input in each example contains a trailing blank line so
- that
- a group of commands are sent as one dynamic update request to the
- master name server for
- <span class="type">example.com</span>.
-
- </p>
-<pre class="programlisting">
-# nsupdate
-> update delete oldhost.example.com A
-> update add newhost.example.com 86400 A 172.16.1.1
-> send
-</pre>
-<p>
- </p>
- <p>
- Any A records for
- <span class="type">oldhost.example.com</span>
- are deleted.
- And an A record for
- <span class="type">newhost.example.com</span>
- with IP address 172.16.1.1 is added.
- The newly-added record has a 1 day TTL (86400 seconds).
- </p>
-<pre class="programlisting">
-# nsupdate
-> prereq nxdomain nickname.example.com
-> update add nickname.example.com 86400 CNAME somehost.example.com
-> send
-</pre>
-<p>
- </p>
- <p>
- The prerequisite condition gets the name server to check that there
- are no resource records of any type for
- <span class="type">nickname.example.com</span>.
-
- If there are, the update request fails.
- If this name does not exist, a CNAME for it is added.
- This ensures that when the CNAME is added, it cannot conflict with the
- long-standing rule in RFC 1034 that a name must not exist as any other
- record type if it exists as a CNAME.
- (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
- RRSIG, DNSKEY and NSEC records.)
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.25.11"></a><h2>FILES</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
-<dd>
- <p>
- used to identify default name server
- </p>
- </dd>
-<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
-<dd>
- <p>
- sets the default TSIG key for use in local-only mode
- </p>
- </dd>
-<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
-<dd>
- <p>
- base-64 encoding of HMAC-MD5 key created by
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>.
- </p>
- </dd>
-<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
-<dd>
- <p>
- base-64 encoding of HMAC-MD5 key created by
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.25.12"></a><h2>SEE ALSO</h2>
-
- <p>
- <em class="citetitle">RFC 2136</em>,
- <em class="citetitle">RFC 3007</em>,
- <em class="citetitle">RFC 2104</em>,
- <em class="citetitle">RFC 2845</em>,
- <em class="citetitle">RFC 1034</em>,
- <em class="citetitle">RFC 2535</em>,
- <em class="citetitle">RFC 2931</em>,
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">ddns-confgen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-keygen</span>(8)
- </span>.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.25.13"></a><h2>BUGS</h2>
-
- <p>
- The TSIG key is redundantly stored in two separate files.
- This is a consequence of nsupdate using the DST library
- for its cryptographic operations, and may change in future
- releases.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named-rrchecker.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.rndc.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named-rrchecker</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">rndc</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>pkcs11-destroy</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.nsec3hash.html" title="nsec3hash">
-<link rel="next" href="man.pkcs11-list.html" title="pkcs11-list">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">pkcs11-destroy</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.nsec3hash.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.pkcs11-list.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.pkcs11-destroy"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">pkcs11-destroy</span>
- — destroy PKCS#11 objects
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">pkcs11-destroy</code>
- [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
- [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
- {
- -i <em class="replaceable"><code>ID</code></em>
- | -l <em class="replaceable"><code>label</code></em>
- }
- [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
- [<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.35.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>pkcs11-destroy</strong></span> destroys keys stored in a
- PKCS#11 device, identified by their <code class="option">ID</code> or
- <code class="option">label</code>.
- </p>
- <p>
- Matching keys are displayed before being destroyed. By default,
- there is a five second delay to allow the user to interrupt the
- process before the destruction takes place.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.35.8"></a><h2>ARGUMENTS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
- <p>
- Specify the PKCS#11 provider module. This must be the full
- path to a shared library object implementing the PKCS#11 API
- for the device.
- </p>
- </dd>
-<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd>
- <p>
- Open the session with the given PKCS#11 slot. The default is
- slot 0.
- </p>
- </dd>
-<dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
-<dd>
- <p>
- Destroy keys with the given object ID.
- </p>
- </dd>
-<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
-<dd>
- <p>
- Destroy keys with the given label.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
-<dd>
- <p>
- Specify the PIN for the device. If no PIN is provided on the
- command line, <span class="command"><strong>pkcs11-destroy</strong></span> will prompt for it.
- </p>
- </dd>
-<dt><span class="term">-w <em class="replaceable"><code>seconds</code></em></span></dt>
-<dd>
- <p>
- Specify how long to pause before carrying out key destruction.
- The default is five seconds. If set to <code class="literal">0</code>,
- destruction will be immediate.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.35.9"></a><h2>SEE ALSO</h2>
-
- <p>
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-keygen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-list</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-tokens</span>(8)
- </span>
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.nsec3hash.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.pkcs11-list.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">nsec3hash</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">pkcs11-list</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>pkcs11-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.pkcs11-list.html" title="pkcs11-list">
-<link rel="next" href="man.pkcs11-tokens.html" title="pkcs11-tokens">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">pkcs11-keygen</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.pkcs11-list.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.pkcs11-tokens.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.pkcs11-keygen"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">pkcs11-keygen</span>
- — generate keys on a PKCS#11 device
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">pkcs11-keygen</code>
- {-a <em class="replaceable"><code>algorithm</code></em>}
- [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
- [<code class="option">-e</code>]
- [<code class="option">-i <em class="replaceable"><code>id</code></em></code>]
- [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
- [<code class="option">-P</code>]
- [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
- [<code class="option">-q</code>]
- [<code class="option">-S</code>]
- [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
- {label}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.37.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
- a new key pair with the given <code class="option">label</code> (which must be
- unique) and with <code class="option">keysize</code> bits of prime.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.37.8"></a><h2>ARGUMENTS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
- <p>
- Specify the key algorithm class: Supported classes are RSA,
- DSA, DH, ECC and ECX. In addition to these strings, the
- <code class="option">algorithm</code> can be specified as a DNSSEC
- signing algorithm that will be used with this key; for
- example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
- to ECC, and ED25519 to ECX. The default class is "RSA".
- </p>
- </dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd>
- <p>
- Create the key pair with <code class="option">keysize</code> bits of
- prime. For ECC keys, the only valid values are 256 and 384,
- and the default is 256. For ECX kyes, the only valid values
- are 256 and 456, and the default is 256.
- </p>
- </dd>
-<dt><span class="term">-e</span></dt>
-<dd>
- <p>
- For RSA keys only, use a large exponent.
- </p>
- </dd>
-<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
-<dd>
- <p>
- Create key objects with id. The id is either
- an unsigned short 2 byte or an unsigned long 4 byte number.
- </p>
- </dd>
-<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
- <p>
- Specify the PKCS#11 provider module. This must be the full
- path to a shared library object implementing the PKCS#11 API
- for the device.
- </p>
- </dd>
-<dt><span class="term">-P</span></dt>
-<dd>
- <p>
- Set the new private key to be non-sensitive and extractable.
- The allows the private key data to be read from the PKCS#11
- device. The default is for private keys to be sensitive and
- non-extractable.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
-<dd>
- <p>
- Specify the PIN for the device. If no PIN is provided on
- the command line, <span class="command"><strong>pkcs11-keygen</strong></span> will
- prompt for it.
- </p>
- </dd>
-<dt><span class="term">-q</span></dt>
-<dd>
- <p>
- Quiet mode: suppress unnecessary output.
- </p>
- </dd>
-<dt><span class="term">-S</span></dt>
-<dd>
- <p>
- For Diffie-Hellman (DH) keys only, use a special prime of
- 768, 1024 or 1536 bit size and base (aka generator) 2.
- If not specified, bit size will default to 1024.
- </p>
- </dd>
-<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd>
- <p>
- Open the session with the given PKCS#11 slot. The default is
- slot 0.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.37.9"></a><h2>SEE ALSO</h2>
-
- <p>
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-destroy</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-list</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-tokens</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">dnssec-keyfromlabel</span>(8)
- </span>
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.pkcs11-list.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.pkcs11-tokens.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">pkcs11-list</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">pkcs11-tokens</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>pkcs11-list</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.pkcs11-destroy.html" title="pkcs11-destroy">
-<link rel="next" href="man.pkcs11-keygen.html" title="pkcs11-keygen">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">pkcs11-list</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.pkcs11-destroy.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.pkcs11-keygen.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.pkcs11-list"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">pkcs11-list</span>
- — list PKCS#11 objects
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">pkcs11-list</code>
- [<code class="option">-P</code>]
- [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
- [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>]
- [-i <em class="replaceable"><code>ID</code></em>]
- [-l <em class="replaceable"><code>label</code></em>]
- [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.36.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>pkcs11-list</strong></span>
- lists the PKCS#11 objects with <code class="option">ID</code> or
- <code class="option">label</code> or by default all objects.
- The object class, label, and ID are displayed for all
- keys. For private or secret keys, the extractability
- attribute is also displayed, as either <code class="literal">true</code>,
- <code class="literal">false</code>, or <code class="literal">never</code>.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.36.8"></a><h2>ARGUMENTS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-P</span></dt>
-<dd>
- <p>
- List only the public objects. (Note that on some PKCS#11
- devices, all objects are private.)
- </p>
- </dd>
-<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
- <p>
- Specify the PKCS#11 provider module. This must be the full
- path to a shared library object implementing the PKCS#11 API
- for the device.
- </p>
- </dd>
-<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd>
- <p>
- Open the session with the given PKCS#11 slot. The default is
- slot 0.
- </p>
- </dd>
-<dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
-<dd>
- <p>
- List only key objects with the given object ID.
- </p>
- </dd>
-<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
-<dd>
- <p>
- List only key objects with the given label.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
-<dd>
- <p>
- Specify the PIN for the device. If no PIN is provided on the
- command line, <span class="command"><strong>pkcs11-list</strong></span> will prompt for it.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.36.9"></a><h2>SEE ALSO</h2>
-
- <p>
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-destroy</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-keygen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-tokens</span>(8)
- </span>
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.pkcs11-destroy.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.pkcs11-keygen.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">pkcs11-destroy</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">pkcs11-keygen</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>pkcs11-tokens</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.pkcs11-keygen.html" title="pkcs11-keygen">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">pkcs11-tokens</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.pkcs11-keygen.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â </td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.pkcs11-tokens"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">pkcs11-tokens</span>
- — list PKCS#11 available tokens
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">pkcs11-tokens</code>
- [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]
- [<code class="option">-v</code>]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.38.7"></a><h2>DESCRIPTION</h2>
-
- <p>
- <span class="command"><strong>pkcs11-tokens</strong></span>
- lists the PKCS#11 available tokens with defaults from the slot/token
- scan performed at application initialization.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.38.8"></a><h2>ARGUMENTS</h2>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
-<dd>
- <p>
- Specify the PKCS#11 provider module. This must be the full
- path to a shared library object implementing the PKCS#11 API
- for the device.
- </p>
- </dd>
-<dt><span class="term">-v</span></dt>
-<dd>
- <p>
- Make the PKCS#11 libisc initialization verbose.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.38.9"></a><h2>SEE ALSO</h2>
-
- <p>
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-destroy</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-keygen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">pkcs11-list</span>(8)
- </span>
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.pkcs11-keygen.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â </td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">pkcs11-keygen</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â </td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
-<link rel="next" href="man.ddns-confgen.html" title="ddns-confgen">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">rndc-confgen</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.rndc.conf.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.ddns-confgen.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.rndc-confgen"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">rndc-confgen</span>
- — rndc key generation tool
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">rndc-confgen</code>
- [<code class="option">-a</code>]
- [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
- [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
- [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
- [<code class="option">-h</code>]
- [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
- [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
- [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
- [<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
- [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
- [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.28.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>rndc-confgen</strong></span>
- generates configuration files
- for <span class="command"><strong>rndc</strong></span>. It can be used as a
- convenient alternative to writing the
- <code class="filename">rndc.conf</code> file
- and the corresponding <span class="command"><strong>controls</strong></span>
- and <span class="command"><strong>key</strong></span>
- statements in <code class="filename">named.conf</code> by hand.
- Alternatively, it can be run with the <span class="command"><strong>-a</strong></span>
- option to set up a <code class="filename">rndc.key</code> file and
- avoid the need for a <code class="filename">rndc.conf</code> file
- and a <span class="command"><strong>controls</strong></span> statement altogether.
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.14.28.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-a</span></dt>
-<dd>
- <p>
- Do automatic <span class="command"><strong>rndc</strong></span> configuration.
- This creates a file <code class="filename">rndc.key</code>
- in <code class="filename">/etc</code> (or whatever
- <code class="varname">sysconfdir</code>
- was specified as when <acronym class="acronym">BIND</acronym> was
- built)
- that is read by both <span class="command"><strong>rndc</strong></span>
- and <span class="command"><strong>named</strong></span> on startup. The
- <code class="filename">rndc.key</code> file defines a default
- command channel and authentication key allowing
- <span class="command"><strong>rndc</strong></span> to communicate with
- <span class="command"><strong>named</strong></span> on the local host
- with no further configuration.
- </p>
- <p>
- Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
- BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
- drop-in
- replacements for BIND 8 and <span class="command"><strong>ndc</strong></span>,
- with no changes to the existing BIND 8
- <code class="filename">named.conf</code> file.
- </p>
- <p>
- If a more elaborate configuration than that
- generated by <span class="command"><strong>rndc-confgen -a</strong></span>
- is required, for example if rndc is to be used remotely,
- you should run <span class="command"><strong>rndc-confgen</strong></span> without
- the
- <span class="command"><strong>-a</strong></span> option and set up a
- <code class="filename">rndc.conf</code> and
- <code class="filename">named.conf</code>
- as directed.
- </p>
- </dd>
-<dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
- <p>
- Specifies the algorithm to use for the TSIG key. Available
- choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384 and hmac-sha512. The default is hmac-md5 or
- if MD5 was disabled hmac-sha256.
- </p>
- </dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd>
- <p>
- Specifies the size of the authentication key in bits.
- Must be between 1 and 512 bits; the default is the
- hash size.
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd>
- <p>
- Used with the <span class="command"><strong>-a</strong></span> option to specify
- an alternate location for <code class="filename">rndc.key</code>.
- </p>
- </dd>
-<dt><span class="term">-h</span></dt>
-<dd>
- <p>
- Prints a short summary of the options and arguments to
- <span class="command"><strong>rndc-confgen</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd>
- <p>
- Specifies the key name of the rndc authentication key.
- This must be a valid domain name.
- The default is <code class="constant">rndc-key</code>.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
- <p>
- Specifies the command channel port where <span class="command"><strong>named</strong></span>
- listens for connections from <span class="command"><strong>rndc</strong></span>.
- The default is 953.
- </p>
- </dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd>
- <p>
- Specifies a source of random data for generating the
- authorization. If the operating
- system does not provide a <code class="filename">/dev/random</code>
- or equivalent device, the default source of randomness
- is keyboard input. <code class="filename">randomdev</code>
- specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard
- input should be used.
- </p>
- </dd>
-<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
-<dd>
- <p>
- Specifies the IP address where <span class="command"><strong>named</strong></span>
- listens for command channel connections from
- <span class="command"><strong>rndc</strong></span>. The default is the loopback
- address 127.0.0.1.
- </p>
- </dd>
-<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
-<dd>
- <p>
- Used with the <span class="command"><strong>-a</strong></span> option to specify
- a directory where <span class="command"><strong>named</strong></span> will run
- chrooted. An additional copy of the <code class="filename">rndc.key</code>
- will be written relative to this directory so that
- it will be found by the chrooted <span class="command"><strong>named</strong></span>.
- </p>
- </dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
- <p>
- Used with the <span class="command"><strong>-a</strong></span> option to set the
- owner
- of the <code class="filename">rndc.key</code> file generated.
- If
- <span class="command"><strong>-t</strong></span> is also specified only the file
- in
- the chroot area has its owner changed.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.28.9"></a><h2>EXAMPLES</h2>
-
- <p>
- To allow <span class="command"><strong>rndc</strong></span> to be used with
- no manual configuration, run
- </p>
- <p><strong class="userinput"><code>rndc-confgen -a</code></strong>
- </p>
- <p>
- To print a sample <code class="filename">rndc.conf</code> file and
- corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
- statements to be manually inserted into <code class="filename">named.conf</code>,
- run
- </p>
- <p><strong class="userinput"><code>rndc-confgen</code></strong>
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.28.10"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">rndc</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">rndc.conf</span>(5)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.rndc.conf.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.ddns-confgen.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<code class="filename">rndc.conf</code>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">ddns-confgen</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.rndc.html" title="rndc">
-<link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><code class="filename">rndc.conf</code></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.rndc.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.rndc-confgen.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.rndc.conf"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <code class="filename">rndc.conf</code>
- — rndc configuration file
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">rndc.conf</code>
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.27.7"></a><h2>DESCRIPTION</h2>
-
- <p><code class="filename">rndc.conf</code> is the configuration file
- for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control
- utility. This file has a similar structure and syntax to
- <code class="filename">named.conf</code>. Statements are enclosed
- in braces and terminated with a semi-colon. Clauses in
- the statements are also semi-colon terminated. The usual
- comment styles are supported:
- </p>
- <p>
- C style: /* */
- </p>
- <p>
- C++ style: // to end of line
- </p>
- <p>
- Unix style: # to end of line
- </p>
- <p><code class="filename">rndc.conf</code> is much simpler than
- <code class="filename">named.conf</code>. The file uses three
- statements: an options statement, a server statement
- and a key statement.
- </p>
- <p>
- The <code class="option">options</code> statement contains five clauses.
- The <code class="option">default-server</code> clause is followed by the
- name or address of a name server. This host will be used when
- no name server is given as an argument to
- <span class="command"><strong>rndc</strong></span>. The <code class="option">default-key</code>
- clause is followed by the name of a key which is identified by
- a <code class="option">key</code> statement. If no
- <code class="option">keyid</code> is provided on the rndc command line,
- and no <code class="option">key</code> clause is found in a matching
- <code class="option">server</code> statement, this default key will be
- used to authenticate the server's commands and responses. The
- <code class="option">default-port</code> clause is followed by the port
- to connect to on the remote name server. If no
- <code class="option">port</code> option is provided on the rndc command
- line, and no <code class="option">port</code> clause is found in a
- matching <code class="option">server</code> statement, this default port
- will be used to connect.
- The <code class="option">default-source-address</code> and
- <code class="option">default-source-address-v6</code> clauses which
- can be used to set the IPv4 and IPv6 source addresses
- respectively.
- </p>
- <p>
- After the <code class="option">server</code> keyword, the server
- statement includes a string which is the hostname or address
- for a name server. The statement has three possible clauses:
- <code class="option">key</code>, <code class="option">port</code> and
- <code class="option">addresses</code>. The key name must match the
- name of a key statement in the file. The port number
- specifies the port to connect to. If an <code class="option">addresses</code>
- clause is supplied these addresses will be used instead of
- the server name. Each address can take an optional port.
- If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
- of supplied then these will be used to specify the IPv4 and IPv6
- source addresses respectively.
- </p>
- <p>
- The <code class="option">key</code> statement begins with an identifying
- string, the name of the key. The statement has two clauses.
- <code class="option">algorithm</code> identifies the authentication algorithm
- for <span class="command"><strong>rndc</strong></span> to use; currently only HMAC-MD5
- (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
- (default), HMAC-SHA384 and HMAC-SHA512 are
- supported. This is followed by a secret clause which contains
- the base-64 encoding of the algorithm's authentication key. The
- base-64 string is enclosed in double quotes.
- </p>
- <p>
- There are two common ways to generate the base-64 string for the
- secret. The BIND 9 program <span class="command"><strong>rndc-confgen</strong></span>
- can
- be used to generate a random key, or the
- <span class="command"><strong>mmencode</strong></span> program, also known as
- <span class="command"><strong>mimencode</strong></span>, can be used to generate a
- base-64
- string from known input. <span class="command"><strong>mmencode</strong></span> does
- not
- ship with BIND 9 but is available on many systems. See the
- EXAMPLE section for sample command lines for each.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.27.8"></a><h2>EXAMPLE</h2>
-
-
- <pre class="programlisting">
- options {
- default-server localhost;
- default-key samplekey;
- };
-</pre>
-<p>
- </p>
- <pre class="programlisting">
- server localhost {
- key samplekey;
- };
-</pre>
-<p>
- </p>
- <pre class="programlisting">
- server testserver {
- key testkey;
- addresses { localhost port 5353; };
- };
-</pre>
-<p>
- </p>
- <pre class="programlisting">
- key samplekey {
- algorithm hmac-sha256;
- secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
- };
-</pre>
-<p>
- </p>
- <pre class="programlisting">
- key testkey {
- algorithm hmac-sha256;
- secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
- };
- </pre>
-<p>
- </p>
-
- <p>
- In the above example, <span class="command"><strong>rndc</strong></span> will by
- default use
- the server at localhost (127.0.0.1) and the key called samplekey.
- Commands to the localhost server will use the samplekey key, which
- must also be defined in the server's configuration file with the
- same name and secret. The key statement indicates that samplekey
- uses the HMAC-SHA256 algorithm and its secret clause contains the
- base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
- </p>
- <p>
- If <span class="command"><strong>rndc -s testserver</strong></span> is used then <span class="command"><strong>rndc</strong></span> will
- connect to server on localhost port 5353 using the key testkey.
- </p>
- <p>
- To generate a random secret with <span class="command"><strong>rndc-confgen</strong></span>:
- </p>
- <p><strong class="userinput"><code>rndc-confgen</code></strong>
- </p>
- <p>
- A complete <code class="filename">rndc.conf</code> file, including
- the
- randomly generated key, will be written to the standard
- output. Commented-out <code class="option">key</code> and
- <code class="option">controls</code> statements for
- <code class="filename">named.conf</code> are also printed.
- </p>
- <p>
- To generate a base-64 secret with <span class="command"><strong>mmencode</strong></span>:
- </p>
- <p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.27.9"></a><h2>NAME SERVER CONFIGURATION</h2>
-
- <p>
- The name server must be configured to accept rndc connections and
- to recognize the key specified in the <code class="filename">rndc.conf</code>
- file, using the controls statement in <code class="filename">named.conf</code>.
- See the sections on the <code class="option">controls</code> statement in the
- BIND 9 Administrator Reference Manual for details.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.27.10"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">rndc</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">rndc-confgen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">mmencode</span>(1)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.rndc.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.rndc-confgen.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">rndc</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <span class="application">rndc-confgen</span>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
-<link rel="prev" href="man.nsupdate.html" title="nsupdate">
-<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.nsupdate.html">Prev</a>Â </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">Â <a accesskey="n" href="man.rndc.conf.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry">
-<a name="man.rndc"></a><div class="titlepage"></div>
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">rndc</span>
- — name server control utility
- </p>
-</div>
-
-
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">rndc</code>
- [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>]
- [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
- [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>]
- [<code class="option">-s <em class="replaceable"><code>server</code></em></code>]
- [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
- [<code class="option">-q</code>]
- [<code class="option">-r</code>]
- [<code class="option">-V</code>]
- [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>]
- [
- [<code class="option">-4</code>]
- | [<code class="option">-6</code>]
- ]
- {command}
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.26.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>rndc</strong></span>
- controls the operation of a name
- server. It supersedes the <span class="command"><strong>ndc</strong></span> utility
- that was provided in old BIND releases. If
- <span class="command"><strong>rndc</strong></span> is invoked with no command line
- options or arguments, it prints a short summary of the
- supported commands and the available options and their
- arguments.
- </p>
- <p><span class="command"><strong>rndc</strong></span>
- communicates with the name server over a TCP connection, sending
- commands authenticated with digital signatures. In the current
- versions of
- <span class="command"><strong>rndc</strong></span> and <span class="command"><strong>named</strong></span>,
- the only supported authentication algorithms are HMAC-MD5
- (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
- (default), HMAC-SHA384 and HMAC-SHA512.
- They use a shared secret on each end of the connection.
- This provides TSIG-style authentication for the command
- request and the name server's response. All commands sent
- over the channel must be signed by a key_id known to the
- server.
- </p>
- <p><span class="command"><strong>rndc</strong></span>
- reads a configuration file to
- determine how to contact the name server and decide what
- algorithm and key it should use.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.26.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-4</span></dt>
-<dd>
- <p>
- Use IPv4 only.
- </p>
- </dd>
-<dt><span class="term">-6</span></dt>
-<dd>
- <p>
- Use IPv6 only.
- </p>
- </dd>
-<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
-<dd>
- <p>
- Use <em class="replaceable"><code>source-address</code></em>
- as the source address for the connection to the server.
- Multiple instances are permitted to allow setting of both
- the IPv4 and IPv6 source addresses.
- </p>
- </dd>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd>
- <p>
- Use <em class="replaceable"><code>config-file</code></em>
- as the configuration file instead of the default,
- <code class="filename">/etc/rndc.conf</code>.
- </p>
- </dd>
-<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
-<dd>
- <p>
- Use <em class="replaceable"><code>key-file</code></em>
- as the key file instead of the default,
- <code class="filename">/etc/rndc.key</code>. The key in
- <code class="filename">/etc/rndc.key</code> will be used to
- authenticate
- commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
- does not exist.
- </p>
- </dd>
-<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
-<dd>
- <p><em class="replaceable"><code>server</code></em> is
- the name or address of the server which matches a
- server statement in the configuration file for
- <span class="command"><strong>rndc</strong></span>. If no server is supplied on the
- command line, the host named by the default-server clause
- in the options statement of the <span class="command"><strong>rndc</strong></span>
- configuration file will be used.
- </p>
- </dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd>
- <p>
- Send commands to TCP port
- <em class="replaceable"><code>port</code></em>
- instead
- of BIND 9's default control channel port, 953.
- </p>
- </dd>
-<dt><span class="term">-q</span></dt>
-<dd>
- <p>
- Quiet mode: Message text returned by the server
- will not be printed except when there is an error.
- </p>
- </dd>
-<dt><span class="term">-r</span></dt>
-<dd>
- <p>
- Instructs <span class="command"><strong>rndc</strong></span> to print the result code
- returned by <span class="command"><strong>named</strong></span> after executing the
- requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
- </p>
- </dd>
-<dt><span class="term">-V</span></dt>
-<dd>
- <p>
- Enable verbose logging.
- </p>
- </dd>
-<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
-<dd>
- <p>
- Use the key <em class="replaceable"><code>key_id</code></em>
- from the configuration file.
- <em class="replaceable"><code>key_id</code></em>
- must be
- known by <span class="command"><strong>named</strong></span> with the same algorithm and secret string
- in order for control message validation to succeed.
- If no <em class="replaceable"><code>key_id</code></em>
- is specified, <span class="command"><strong>rndc</strong></span> will first look
- for a key clause in the server statement of the server
- being used, or if no server statement is present for that
- host, then the default-key clause of the options statement.
- Note that the configuration file contains shared secrets
- which are used to send authenticated control commands
- to name servers. It should therefore not have general read
- or write access.
- </p>
- </dd>
-</dl></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.26.9"></a><h2>COMMANDS</h2>
-
- <p>
- A list of commands supported by <span class="command"><strong>rndc</strong></span> can
- be seen by running <span class="command"><strong>rndc</strong></span> without arguments.
- </p>
- <p>
- Currently supported commands are:
- </p>
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
-<dd>
- <p>
- Add a zone while the server is running. This
- command requires the
- <span class="command"><strong>allow-new-zones</strong></span> option to be set
- to <strong class="userinput"><code>yes</code></strong>. The
- <em class="replaceable"><code>configuration</code></em> string
- specified on the command line is the zone
- configuration text that would ordinarily be
- placed in <code class="filename">named.conf</code>.
- </p>
- <p>
- The configuration is saved in a file called
- <code class="filename"><em class="replaceable"><code>viewname</code></em>.nzf</code>
- (or, if <span class="command"><strong>named</strong></span> is compiled with
- liblmdb, an LMDB database file called
- <code class="filename"><em class="replaceable"><code>viewname</code></em>.nzd</code>).
- <em class="replaceable"><code>viewname</code></em> is the
- name of the view, unless the view name contains characters
- that are incompatible with use as a file name, in which case
- a cryptographic hash of the view name is used instead.
- When <span class="command"><strong>named</strong></span> is
- restarted, the file will be loaded into the view
- configuration, so that zones that were added
- can persist after a restart.
- </p>
- <p>
- This sample <span class="command"><strong>addzone</strong></span> command
- would add the zone <code class="literal">example.com</code>
- to the default view:
- </p>
- <p>
-<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
- </p>
- <p>
- (Note the brackets and semi-colon around the zone
- configuration text.)
- </p>
- <p>
- See also <span class="command"><strong>rndc delzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
-<dd>
- <p>
- Delete a zone while the server is running.
- </p>
- <p>
- If the <code class="option">-clean</code> argument is specified,
- the zone's master file (and journal file, if any)
- will be deleted along with the zone. Without the
- <code class="option">-clean</code> option, zone files must
- be cleaned up by hand. (If the zone is of
- type "slave" or "stub", the files needing to
- be cleaned up will be reported in the output
- of the <span class="command"><strong>rndc delzone</strong></span> command.)
- </p>
- <p>
- If the zone was originally added via
- <span class="command"><strong>rndc addzone</strong></span>, then it will be
- removed permanently. However, if it was originally
- configured in <code class="filename">named.conf</code>, then
- that original configuration is still in place; when
- the server is restarted or reconfigured, the zone will
- come back. To remove it permanently, it must also be
- removed from <code class="filename">named.conf</code>
- </p>
- <p>
- See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>dnstap ( -reopen | -roll [<span class="optional"><em class="replaceable"><code>number</code></em></span>] )</code></strong></span></dt>
-<dd>
- <p>
- Close and re-open DNSTAP output files.
- <span class="command"><strong>rndc dnstap -reopen</strong></span> allows the output
- file to be renamed externally, so
- that <span class="command"><strong>named</strong></span> can truncate and re-open it.
- <span class="command"><strong>rndc dnstap -roll</strong></span> causes the output file
- to be rolled automatically, similar to log files; the most
- recent output file has ".0" appended to its name; the
- previous most recent output file is moved to ".1", and so on.
- If <em class="replaceable"><code>number</code></em> is specified, then the
- number of backup log files is limited to that number.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zones|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd>
- <p>
- Dump the server's caches (default) and/or zones to
- the dump file for the specified views. If no view
- is specified, all views are dumped.
- (See the <span class="command"><strong>dump-file</strong></span> option in
- the BIND 9 Administrator Reference Manual.)
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
-<dd>
- <p>
- Flushes the server's cache.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
-<dd>
- <p>
- Flushes the given name from the view's DNS cache
- and, if applicable, from the view's nameserver address
- database, bad server cache and SERVFAIL cache.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
-<dd>
- <p>
- Flushes the given name, and all of its subdomains,
- from the view's DNS cache, address database,
- bad server cache, and SERVFAIL cache.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Suspend updates to a dynamic zone. If no zone is
- specified, then all zones are suspended. This allows
- manual edits to be made to a zone normally updated by
- dynamic update. It also causes changes in the
- journal file to be synced into the master file.
- All dynamic update attempts will be refused while
- the zone is frozen.
- </p>
- <p>
- See also <span class="command"><strong>rndc thaw</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd>
- <p>
- Stop the server immediately. Recent changes
- made through dynamic update or IXFR are not saved to
- the master files, but will be rolled forward from the
- journal files when the server is restarted.
- If <code class="option">-p</code> is specified <span class="command"><strong>named</strong></span>'s process id is returned.
- This allows an external process to determine when <span class="command"><strong>named</strong></span>
- had completed halting.
- </p>
- <p>
- See also <span class="command"><strong>rndc stop</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Fetch all DNSSEC keys for the given zone
- from the key directory. If they are within
- their publication period, merge them into the
- zone's DNSKEY RRset. Unlike <span class="command"><strong>rndc
- sign</strong></span>, however, the zone is not
- immediately re-signed by the new keys, but is
- allowed to incrementally re-sign over time.
- </p>
- <p>
- This command requires that the
- <span class="command"><strong>auto-dnssec</strong></span> zone option
- be set to <code class="literal">maintain</code>,
- and also requires the zone to be configured to
- allow dynamic DNS.
- (See "Dynamic Update Policies" in the Administrator
- Reference Manual for more details.)
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- When run with the "status" keyword, print the current
- status of the managed-keys database for the specified
- view, or for all views if none is specified. When run
- with the "refresh" keyword, force an immediate refresh
- of all the managed-keys in the specified view, or all
- views. When run with the "sync" keyword, force an
- immediate dump of the managed-keys database to disk (in
- the file <code class="filename">managed-keys.bind</code> or
- (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
-<dd>
- <p>
- Modify the configuration of a zone while the server
- is running. This command requires the
- <span class="command"><strong>allow-new-zones</strong></span> option to be
- set to <strong class="userinput"><code>yes</code></strong>. As with
- <span class="command"><strong>addzone</strong></span>, the
- <em class="replaceable"><code>configuration</code></em> string
- specified on the command line is the zone
- configuration text that would ordinarily be
- placed in <code class="filename">named.conf</code>.
- </p>
- <p>
- If the zone was originally added via
- <span class="command"><strong>rndc addzone</strong></span>, the configuration
- changes will be recorded permanently and will still be
- in effect after the server is restarted or reconfigured.
- However, if it was originally configured in
- <code class="filename">named.conf</code>, then that original
- configuration is still in place; when the server is
- restarted or reconfigured, the zone will revert to
- its original configuration. To make the changes
- permanent, it must also be modified in
- <code class="filename">named.conf</code>
- </p>
- <p>
- See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Resend NOTIFY messages for the zone.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
-<dd>
- <p>
- Sets the server's debugging level to 0.
- </p>
- <p>
- See also <span class="command"><strong>rndc trace</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>nta
- [<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
- <em class="replaceable"><code>domain</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
- </code></strong></span></dt>
-<dd>
- <p>
- Sets a DNSSEC negative trust anchor (NTA)
- for <code class="option">domain</code>, with a lifetime of
- <code class="option">duration</code>. The default lifetime is
- configured in <code class="filename">named.conf</code> via the
- <code class="option">nta-lifetime</code> option, and defaults to
- one hour. The lifetime cannot exceed one week.
- </p>
- <p>
- A negative trust anchor selectively disables
- DNSSEC validation for zones that are known to be
- failing because of misconfiguration rather than
- an attack. When data to be validated is
- at or below an active NTA (and above any other
- configured trust anchors), <span class="command"><strong>named</strong></span> will
- abort the DNSSEC validation process and treat the data as
- insecure rather than bogus. This continues until the
- NTA's lifetime is elapsed.
- </p>
- <p>
- NTAs persist across restarts of the <span class="command"><strong>named</strong></span> server.
- The NTAs for a view are saved in a file called
- <code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
- where <em class="replaceable"><code>name</code></em> is the
- name of the view, or if it contains characters
- that are incompatible with use as a file name, a
- cryptographic hash generated from the name
- of the view.
- </p>
- <p>
- An existing NTA can be removed by using the
- <code class="option">-remove</code> option.
- </p>
- <p>
- An NTA's lifetime can be specified with the
- <code class="option">-lifetime</code> option. TTL-style
- suffixes can be used to specify the lifetime in
- seconds, minutes, or hours. If the specified NTA
- already exists, its lifetime will be updated to the
- new value. Setting <code class="option">lifetime</code> to zero
- is equivalent to <code class="option">-remove</code>.
- </p>
- <p>
- If <code class="option">-dump</code> is used, any other arguments
- are ignored, and a list of existing NTAs is printed
- (note that this may include NTAs that are expired but
- have not yet been cleaned up).
- </p>
- <p>
- Normally, <span class="command"><strong>named</strong></span> will periodically
- test to see whether data below an NTA can now be
- validated (see the <code class="option">nta-recheck</code> option
- in the Administrator Reference Manual for details).
- If data can be validated, then the NTA is regarded as
- no longer necessary, and will be allowed to expire
- early. The <code class="option">-force</code> overrides this
- behavior and forces an NTA to persist for its entire
- lifetime, regardless of whether data could be
- validated if the NTA were not present.
- </p>
- <p>
- All of these options can be shortened, i.e., to
- <code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
- and <code class="option">-f</code>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
-<dd>
- <p>
- Enable or disable query logging. (For backward
- compatibility, this command can also be used without
- an argument to toggle query logging on and off.)
- </p>
- <p>
- Query logging can also be enabled
- by explicitly directing the <span class="command"><strong>queries</strong></span>
- <span class="command"><strong>category</strong></span> to a
- <span class="command"><strong>channel</strong></span> in the
- <span class="command"><strong>logging</strong></span> section of
- <code class="filename">named.conf</code> or by specifying
- <span class="command"><strong>querylog yes;</strong></span> in the
- <span class="command"><strong>options</strong></span> section of
- <code class="filename">named.conf</code>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
-<dd>
- <p>
- Reload the configuration file and load new zones,
- but do not reload existing zone files even if they
- have changed.
- This is faster than a full <span class="command"><strong>reload</strong></span> when there
- is a large number of zones because it avoids the need
- to examine the
- modification times of the zones files.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
-<dd>
- <p>
- Dump the list of queries <span class="command"><strong>named</strong></span> is currently
- recursing on, and the list of domains to which iterative
- queries are currently being sent. (The second list includes
- the number of fetches currently active for the given domain,
- and how many have been passed or dropped because of the
- <code class="option">fetches-per-zone</code> option.)
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Schedule zone maintenance for the given zone.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
-<dd>
- <p>
- Reload configuration file and zones.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Reload the given zone.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Retransfer the given slave zone from the master server.
- </p>
- <p>
- If the zone is configured to use
- <span class="command"><strong>inline-signing</strong></span>, the signed
- version of the zone is discarded; after the
- retransfer of the unsigned version is complete, the
- signed version will be regenerated with all new
- signatures.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
-<dd>
- <p>
- Scan the list of available network interfaces
- for changes, without performing a full
- <span class="command"><strong>reconfig</strong></span> or waiting for the
- <span class="command"><strong>interface-interval</strong></span> timer.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | reset | status) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Enable, disable, or reset the serving of stale answers
- as configured in named.conf. Serving of stale answers
- will remain disabled across <code class="filename">named.conf</code>
- reloads if disabled via rndc until it is reset via rndc.
- </p>
- <p>
- Status will report whether serving of stale answers is
- currently enabled, disabled or not configured for a
- view. If serving of stale records is configured then
- the values of stale-answer-ttl and max-stale-ttl are
- reported.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd>
- <p>
- Dump the server's security roots and negative trust anchors
- for the specified views. If no view is specified, all views
- are dumped.
- </p>
- <p>
- If the first argument is "-", then the output is
- returned via the <span class="command"><strong>rndc</strong></span> response channel
- and printed to the standard output.
- Otherwise, it is written to the secroots dump file, which
- defaults to <code class="filename">named.secroots</code>, but can be
- overridden via the <code class="option">secroots-file</code> option in
- <code class="filename">named.conf</code>.
- </p>
- <p>
- See also <span class="command"><strong>rndc managed-keys</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
-<dd>
- <p>
- Print the configuration of a running zone.
- </p>
- <p>
- See also <span class="command"><strong>rndc zonestatus</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Fetch all DNSSEC keys for the given zone
- from the key directory (see the
- <span class="command"><strong>key-directory</strong></span> option in
- the BIND 9 Administrator Reference Manual). If they are within
- their publication period, merge them into the
- zone's DNSKEY RRset. If the DNSKEY RRset
- is changed, then the zone is automatically
- re-signed with the new key set.
- </p>
- <p>
- This command requires that the
- <span class="command"><strong>auto-dnssec</strong></span> zone option be set
- to <code class="literal">allow</code> or
- <code class="literal">maintain</code>,
- and also requires the zone to be configured to
- allow dynamic DNS.
- (See "Dynamic Update Policies" in the Administrator
- Reference Manual for more details.)
- </p>
- <p>
- See also <span class="command"><strong>rndc loadkeys</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
-<dd>
- <p>
- List, edit, or remove the DNSSEC signing state records
- for the specified zone. The status of ongoing DNSSEC
- operations (such as signing or generating
- NSEC3 chains) is stored in the zone in the form
- of DNS resource records of type
- <span class="command"><strong>sig-signing-type</strong></span>.
- <span class="command"><strong>rndc signing -list</strong></span> converts
- these records into a human-readable form,
- indicating which keys are currently signing
- or have finished signing the zone, and which NSEC3
- chains are being created or removed.
- </p>
- <p>
- <span class="command"><strong>rndc signing -clear</strong></span> can remove
- a single key (specified in the same format that
- <span class="command"><strong>rndc signing -list</strong></span> uses to
- display it), or all keys. In either case, only
- completed keys are removed; any record indicating
- that a key has not yet finished signing the zone
- will be retained.
- </p>
- <p>
- <span class="command"><strong>rndc signing -nsec3param</strong></span> sets
- the NSEC3 parameters for a zone. This is the
- only supported mechanism for using NSEC3 with
- <span class="command"><strong>inline-signing</strong></span> zones.
- Parameters are specified in the same format as
- an NSEC3PARAM resource record: hash algorithm,
- flags, iterations, and salt, in that order.
- </p>
- <p>
- Currently, the only defined value for hash algorithm
- is <code class="literal">1</code>, representing SHA-1.
- The <code class="option">flags</code> may be set to
- <code class="literal">0</code> or <code class="literal">1</code>,
- depending on whether you wish to set the opt-out
- bit in the NSEC3 chain. <code class="option">iterations</code>
- defines the number of additional times to apply
- the algorithm when generating an NSEC3 hash. The
- <code class="option">salt</code> is a string of data expressed
- in hexadecimal, a hyphen (`-') if no salt is
- to be used, or the keyword <code class="literal">auto</code>,
- which causes <span class="command"><strong>named</strong></span> to generate a
- random 64-bit salt.
- </p>
- <p>
- So, for example, to create an NSEC3 chain using
- the SHA-1 hash algorithm, no opt-out flag,
- 10 iterations, and a salt value of "FFFF", use:
- <span class="command"><strong>rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
- To set the opt-out flag, 15 iterations, and no
- salt, use:
- <span class="command"><strong>rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
- </p>
- <p>
- <span class="command"><strong>rndc signing -nsec3param none</strong></span>
- removes an existing NSEC3 chain and replaces it
- with NSEC.
- </p>
- <p>
- <span class="command"><strong>rndc signing -serial value</strong></span> sets
- the serial number of the zone to value. If the value
- would cause the serial number to go backwards it will
- be rejected. The primary use is to set the serial on
- inline signed zones.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
-<dd>
- <p>
- Write server statistics to the statistics file.
- (See the <span class="command"><strong>statistics-file</strong></span> option in
- the BIND 9 Administrator Reference Manual.)
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
-<dd>
- <p>
- Display status of the server.
- Note that the number of zones includes the internal <span class="command"><strong>bind/CH</strong></span> zone
- and the default <span class="command"><strong>./IN</strong></span>
- hint zone if there is not an
- explicit root zone configured.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd>
- <p>
- Stop the server, making sure any recent changes
- made through dynamic update or IXFR are first saved to
- the master files of the updated zones.
- If <code class="option">-p</code> is specified <span class="command"><strong>named</strong></span>'s process id is returned.
- This allows an external process to determine when <span class="command"><strong>named</strong></span>
- had completed stopping.
- </p>
- <p>See also <span class="command"><strong>rndc halt</strong></span>.</p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Sync changes in the journal file for a dynamic zone
- to the master file. If the "-clean" option is
- specified, the journal file is also removed. If
- no zone is specified, then all zones are synced.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>tcp-timeouts [<span class="optional"><em class="replaceable"><code>initial</code></em> <em class="replaceable"><code>idle</code></em> <em class="replaceable"><code>keepalive</code></em> <em class="replaceable"><code>advertised</code></em></span>]</code></strong></span></dt>
-<dd>
- <p>
- When called without arguments, display the current
- values of the <span class="command"><strong>tcp-initial-timeout</strong></span>,
- <span class="command"><strong>tcp-idle-timeout</strong></span>,
- <span class="command"><strong>tcp-keepalive-timeout</strong></span> and
- <span class="command"><strong>tcp-advertised-timeout</strong></span> options.
- When called with arguments, update these values. This
- allows an administrator to make rapid adjustments when
- under a denial of service attack. See the descriptions of
- these options in the BIND 9 Administrator Reference Manual
- for details of their use.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Enable updates to a frozen dynamic zone. If no
- zone is specified, then all frozen zones are
- enabled. This causes the server to reload the zone
- from disk, and re-enables dynamic updates after the
- load has completed. After a zone is thawed,
- dynamic updates will no longer be refused. If
- the zone has changed and the
- <span class="command"><strong>ixfr-from-differences</strong></span> option is
- in use, then the journal file will be updated to
- reflect changes in the zone. Otherwise, if the
- zone has changed, any existing journal file will be
- removed.
- </p>
- <p>See also <span class="command"><strong>rndc freeze</strong></span>.</p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
-<dd>
- <p>
- Increment the servers debugging level by one.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
-<dd>
- <p>
- Sets the server's debugging level to an explicit
- value.
- </p>
- <p>
- See also <span class="command"><strong>rndc notrace</strong></span>.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
-<dd>
- <p>
- Delete a given TKEY-negotiated key from the server.
- (This does not apply to statically configured TSIG
- keys.)
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
-<dd>
- <p>
- List the names of all TSIG keys currently configured
- for use by <span class="command"><strong>named</strong></span> in each view. The
- list both statically configured keys and dynamic
- TKEY-negotiated keys.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
-<dd>
- <p>
- Enable, disable, or check the current status of
- DNSSEC validation.
- Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
- set to <strong class="userinput"><code>yes</code></strong> or
- <strong class="userinput"><code>auto</code></strong> to be effective.
- It defaults to enabled.
- </p>
- </dd>
-<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
- <p>
- Displays the current status of the given zone,
- including the master file name and any include
- files from which it was loaded, when it was most
- recently loaded, the current serial number, the
- number of nodes, whether the zone supports
- dynamic updates, whether the zone is DNSSEC
- signed, whether it uses automatic DNSSEC key
- management or inline signing, and the scheduled
- refresh or expiry times for the zone.
- </p>
- <p>
- See also <span class="command"><strong>rndc showzone</strong></span>.
- </p>
- </dd>
-</dl></div>
-
- <p>
- <span class="command"><strong>rndc</strong></span> commands that specify zone names,
- such as <span class="command"><strong>reload</strong></span>, <span class="command"><strong>retransfer</strong></span>
- or <span class="command"><strong>zonestatus</strong></span>, can be ambiguous when applied
- to zones of type <code class="option">redirect</code>. Redirect zones are
- always called ".", and can be confused with zones of type
- <code class="option">hint</code> or with slaved copies of the root zone.
- To specify a redirect zone, use the special zone name
- <strong class="userinput"><code>-redirect</code></strong>, without a trailing period.
- (With a trailing period, this would specify a zone called
- "-redirect".)
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.26.10"></a><h2>LIMITATIONS</h2>
-
- <p>
- There is currently no way to provide the shared secret for a
- <code class="option">key_id</code> without using the configuration file.
- </p>
- <p>
- Several error messages could be clearer.
- </p>
- </div>
-
- <div class="refsection">
-<a name="id-1.14.26.11"></a><h2>SEE ALSO</h2>
-
- <p><span class="citerefentry">
- <span class="refentrytitle">rndc.conf</span>(5)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">rndc-confgen</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named</span>(8)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">named.conf</span>(5)
- </span>,
- <span class="citerefentry">
- <span class="refentrytitle">ndc</span>(8)
- </span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
- </div>
-
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.nsupdate.html">Prev</a>Â </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
-<td width="40%" align="right">Â <a accesskey="n" href="man.rndc.conf.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">nsupdate</span>Â </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">Â <code class="filename">rndc.conf</code>
-</td>
-</tr>
-</table>
-</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.0-pre-alpha</p>
-</body>
-</html>
+++ /dev/null
-<!--
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title></title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
-
- <div class="section">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.12.0-pre-alpha</h2></div></div></div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
- <p>
- BIND 9.12.0 is a new feature release of BIND, still under development.
- This document summarizes new features and functional changes that
- have been introduced on this branch. With each development
- release leading up to the final BIND 9.12.0 release, this document
- will be updated with additional features added and bugs fixed.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_download"></a>Download</h3></div></div></div>
- <p>
- The latest versions of BIND 9 software can always be found at
- <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
- There you will find additional information about each release,
- source code, and pre-compiled versions for Microsoft Windows
- operating systems.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_license"></a>License Change</h3></div></div></div>
- <p>
- With the release of BIND 9.11.0, ISC changed to the open
- source license for BIND from the ISC license to the Mozilla
- Public License (MPL 2.0).
- </p>
- <p>
- The MPL-2.0 license requires that if you make changes to
- licensed software (e.g. BIND) and distribute them outside
- your organization, that you publish those changes under that
- same license. It does not require that you publish or disclose
- anything other than the changes you made to our software.
- </p>
- <p>
- This new requirement will not affect anyone who is using BIND
- without redistributing it, nor anyone redistributing it without
- changes, therefore this change will be without consequence
- for most individuals and organizations who are using BIND.
- </p>
- <p>
- Those unsure whether or not the license change affects their
- use of BIND, or who wish to discuss how to comply with the
- license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
- https://www.isc.org/mission/contact/</a>.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="win_support"></a>Windows XP No Longer Supported</h3></div></div></div>
- <p>
- As of BIND 9.11.2, Windows XP is no longer a supported platform for
- BIND, and Windows XP binaries are no longer available for download
- from ISC.
- </p>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- An error in TSIG handling could permit unauthorized zone
- transfers or zone updates. These flaws are disclosed in
- CVE-2017-3142 and CVE-2017-3143. [RT #45383]
- </p>
- </li>
-<li class="listitem">
- <p>
- The BIND installer on Windows used an unquoted service path,
- which can enable privilege escalation. This flaw is disclosed
- in CVE-2017-3141. [RT #45229]
- </p>
- </li>
-<li class="listitem">
- <p>
- With certain RPZ configurations, a response with TTL 0
- could cause <span class="command"><strong>named</strong></span> to go into an infinite
- query loop. This flaw is disclosed in CVE-2017-3140.
- [RT #45181]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>rndc ""</strong></span> could trigger an assertion failure
- in <span class="command"><strong>named</strong></span>. This flaw is disclosed in
- (CVE-2017-3138). [RT #44924]
- </p>
- </li>
-<li class="listitem">
- <p>
- Some chaining (i.e., type CNAME or DNAME) responses to upstream
- queries could trigger assertion failures. This flaw is disclosed
- in CVE-2017-3137. [RT #44734]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
- can result in an assertion failure. This flaw is disclosed in
- CVE-2017-3136. [RT #44653]
- </p>
- </li>
-<li class="listitem">
- <p>
- If a server is configured with a response policy zone (RPZ)
- that rewrites an answer with local data, and is also configured
- for DNS64 address mapping, a NULL pointer can be read
- triggering a server crash. This flaw is disclosed in
- CVE-2017-3135. [RT #44434]
- </p>
- </li>
-<li class="listitem">
- <p>
- A coding error in the <code class="option">nxdomain-redirect</code>
- feature could lead to an assertion failure if the redirection
- namespace was served from a local authoritative data source
- such as a local zone or a DLZ instead of via recursive
- lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could mishandle authority sections
- with missing RRSIGs, triggering an assertion failure. This
- flaw is disclosed in CVE-2016-9444. [RT #43632]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> mishandled some responses where
- covering RRSIG records were returned without the requested
- data, resulting in an assertion failure. This flaw is
- disclosed in CVE-2016-9147. [RT #43548]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
- records which could trigger an assertion failure when there was
- a class mismatch. This flaw is disclosed in CVE-2016-9131.
- [RT #43522]
- </p>
- </li>
-<li class="listitem">
- <p>
- It was possible to trigger assertions when processing
- responses containing answers of type DNAME. This flaw is
- disclosed in CVE-2016-8864. [RT #43465]
- </p>
- </li>
-<li class="listitem">
- <p>
- Added the ability to specify the maximum number of records
- permitted in a zone (<code class="option">max-records #;</code>).
- This provides a mechanism to block overly large zone
- transfers, which is a potential risk with slave zones from
- other parties, as described in CVE-2016-6170.
- [RT #42143]
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Code implementing name server query processing has been moved
- from <span class="command"><strong>named</strong></span> to an external library,
- <span class="command"><strong>libns</strong></span>. This will make it easier to
- write unit tests for the code, or to link it into new tools.
- [RT #45186]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>nsupdate</strong></span> and <span class="command"><strong>rndc</strong></span> now accept
- command line options <span class="command"><strong>-4</strong></span> and <span class="command"><strong>-6</strong></span>
- which force using only IPv4 or only IPv6, respectively. [RT #45632]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>nsec3hash -r</strong></span> ("rdata order") takes arguments
- in the same order as they appear in NSEC3 or NSEC3PARAM records.
- This makes it easier to generate an NSEC3 hash using values cut
- and pasted from an existing record. Thanks to Tony Finch for
- the contribution. [RT #45183]
- </p>
- </li>
-<li class="listitem">
- <p>
- Setting <span class="command"><strong>max-journal-size</strong></span> to
- <code class="literal">default</code> limits journal sizes to twice the
- size of the zone contents. This can be overridden by setting
- <span class="command"><strong>max-journal-size</strong></span> to <code class="literal">unlimited</code>
- or to an explicit value up to 2G. Thanks to Tony Finch for
- the contribution. [RT #38324]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>new-zones-directory</strong></span> option allows
- <span class="command"><strong>named</strong></span> to store configuration parameters
- for zones added via <span class="command"><strong>rndc addzone</strong></span> in a
- location other than the working directory. Thanks to Petr
- MenšÃk of Red Hat for the contribution.
- [RT #44853]
- </p>
- </li>
-<li class="listitem">
- <p>
- Many aspects of <span class="command"><strong>named</strong></span> have been modified
- to improve query performance, and in particular, performance
- for delegation-heavy zones:
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem">
- <p>
- The additional cache ("acache") was found not to
- significantly improve performance and has been removed;
- the <span class="command"><strong>acache-enable</strong></span> and
- <span class="command"><strong>acache-cleaning-interval</strong></span> options are now
- deprecated.
- </p>
- </li>
-<li class="listitem">
- <p>
- In place of the acache, <span class="command"><strong>named</strong></span> can now use
- a glue cache to speed up retrieval of glue records when sending
- delegation responses. Unlike acache, this feature is on by
- default; use <span class="command"><strong>glue-cache no;</strong></span> to disable it.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>additional-from-cache</strong></span>
- and <span class="command"><strong>additional-from-auth</strong></span> options have been
- deprecated.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>minimal-responses</strong></span> is now set
- to <code class="literal">yes</code> by default.
- </p>
- </li>
-<li class="listitem">
- <p>
- Several functions have been refactored to improve
- performance, including name compression, owner name
- case restoration, hashing, and buffers.
- </p>
- </li>
-</ul></div>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
- dump of the wire format DNS message encapsulated in each
- <span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>host -A</strong></span> option returns most
- records for a name, but omits types RRSIG, NSEC and NSEC3.
- </p>
- </li>
-<li class="listitem">
- <p>
- Several areas of code have been refactored for improved
- readability, maintainability, and testability:
- </p>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem">
- <p>
- The <span class="command"><strong>named</strong></span> query logic implemented in
- <span class="command"><strong>query_find()</strong></span> has been split into
- smaller functions with a context structure to maintain state
- between them, and extensive comments have been added.
- [RT #43929]
- </p>
- </li>
-<li class="listitem">
- <p>
- Similarly the iterative query logic implemented in
- <span class="command"><strong>resquery_response()</strong></span> function has been
- split into smaller functions and comments added. [RT #45362]
- </p>
- </li>
-</ul></div>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dnstap</strong></span> logfiles can now be configured to
- automatically roll when they reach a specified size. If
- <span class="command"><strong>dnstap-output</strong></span> is configured with mode
- <code class="literal">file</code>, then it can take optional
- <span class="command"><strong>size</strong></span> and <span class="command"><strong>versions</strong></span>
- key-value arguments to set the logfile rolling parameters.
- (These have the same semantics as the corresponding
- options in a <span class="command"><strong>logging</strong></span> channel statement.)
- [RT #44502]
- </p>
- </li>
-<li class="listitem">
- <p>
- Logging channels and <span class="command"><strong>dnstap-output</strong></span> files can
- now be configured with a <span class="command"><strong>suffix</strong></span> option,
- set to either <code class="literal">increment</code> or
- <code class="literal">timestamp</code>, indicating whether log files
- should be given incrementing suffixes when they roll
- over (e.g., <code class="filename">logfile.0</code>,
- <code class="filename">.1</code>, <code class="filename">.2</code>, etc)
- or suffixes indicating the time of the roll. The default
- is <code class="literal">increment</code>. [RT #42838]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
- for EDNS options in addition to numeric values. For example,
- an EDNS Client-Subnet option could be sent using
- <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
- John Worley of Secure64 for the contribution. [RT #44461]
- </p>
- </li>
-<li class="listitem">
- <p>
- Added support for the EDNS TCP Keepalive option (RFC 7828);
- this allows negotiation of longer-lived TCP sessions
- to reduce the overhead of setting up TCP for individual
- queries. [RT #42126]
- </p>
- </li>
-<li class="listitem">
- <p>
- Added support for the EDNS Padding option (RFC 7830),
- which obfuscates packet size analysis when DNS queries
- are sent over an encrypted channel. [RT #42094]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <code class="option">print-time</code> option in the
- <code class="option">logging</code> configuration can now take arguments
- <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
- <strong class="userinput"><code>iso8601-utc</code></strong> to indicate the format in
- which the date and time should be logged. For backward
- compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
- <strong class="userinput"><code>local</code></strong>. [RT #42585]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>rndc</strong></span> commands which refer to zone names
- can now reference a zone of type <span class="command"><strong>redirect</strong></span>
- by using the special zone name "-redirect". (Previously this
- was not possible because <span class="command"><strong>redirect</strong></span> zones
- always have the name ".", which can be ambiguous.)
- </p>
- <p>
- In the event you need to manipulate a zone actually
- called "-redirect", use a trailing dot: "-redirect."
- </p>
- <p>
- Note: This change does not appply to the
- <span class="command"><strong>rndc addzone</strong></span> or
- <span class="command"><strong>rndc modzone</strong></span> commands.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf -l</strong></span> lists the zones found
- in <code class="filename">named.conf</code>. [RT #43154]
- </p>
- </li>
-<li class="listitem">
- <p>
- Query logging now includes the ECS option, if one was
- present in the query, in the format
- "[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> will now synthesize responses
- from cached DNSSEC-verified records. This will reduce
- query loads on authoritative servers for signed domains:
- if existing cached records can be used to determine
- the answer then no query needs to be sent.
- </p>
- <p>
- This behavior is controlled by the new
- <code class="filename">named.conf</code> option
- <span class="command"><strong>synth-from-dnssec</strong></span>. It is enabled by
- default.
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
- signing algorithms described in RFC 8080. Note, however, that
- these algorithms must be supported in OpenSSL;
- currently they are only available in the development branch
- of OpenSSL at
- <a class="link" href="https://github.com/openssl/openssl" target="_top">https://github.com/openssl/openssl</a>.
- [RT #44696]
- </p>
- </li>
-<li class="listitem">
- <p>
- EDNS KEY TAG options are verified and printed.
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- The lightweight resolver daemon and library (<span class="command"><strong>lwresd</strong></span>
- and <span class="command"><strong>liblwres</strong></span>) have been removed. [RT #45186]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dnssec-keygen</strong></span> no longer has default
- algorithm settings. It is necessary to explicitly specify the
- algorithm on the command line with the <code class="option">-a</code> option
- when generating keys. This may cause errors with existing signing
- scripts if they rely on current defaults. The intent is to
- reduce the long-term cost of transitioning to newer algorithms in
- the event of RSASHA1 being deprecated. [RT #44755]
- </p>
- </li>
-<li class="listitem">
- <p>
- Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
- names to assist debugging on operating systems that support that.
- Threads will have names such as "isc-timer", "isc-sockmgr",
- "isc-worker0001", and so on. This will affect the reporting of
- subsidiary thread names in <span class="command"><strong>ps</strong></span> and
- <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
- </p>
- </li>
-<li class="listitem">
- <p>
- The Response Policy Zone (RPZ) implementation has been
- substantially refactored: updates to the RPZ summary
- database are no longer directly performed by the zone
- database but by a separate function that is called when
- a policy zone is updated. This improves both performance
- and reliability when policy zones receive frequent updates.
- Summary database updates can be rate-limited by using the
- <span class="command"><strong>min-update-interval</strong></span> option in a
- <span class="command"><strong>response-policy</strong></span> statement. [RT #43449]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
- addresses for all messages, instead of only the remote address.
- The default output format for <span class="command"><strong>dnstap-read</strong></span> has
- been updated to include these addresses, with the initiating
- address first and the responding address second, separated by
- "-%gt;" or "%lt;-" to indicate in which direction the message
- was sent. [RT #43595]
- </p>
- </li>
-<li class="listitem">
- <p>
- Expanded and improved the YAML output from
- <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
- size and a detailed breakdown of message contents.
- [RT #43622] [RT #43642]
- </p>
- </li>
-<li class="listitem">
- <p>
- If an ACL is specified with an address prefix in which the
- prefix length is longer than the address portion (for example,
- 192.0.2.1/8), it will now be treated as a fatal error during
- configuration. [RT #43367]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig</strong></span> now warns about .local queries which are
- reserved for Multicast DNS. [RT #44783]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +sigchase</strong></span> and related options
- <span class="command"><strong>+trusted-keys</strong></span> and <span class="command"><strong>+topdown</strong></span>
- have been removed. <span class="command"><strong>delv</strong></span> is now the recommended
- command for looking up records with DNSSEC validation.
- [RT #42793]
- </p>
- </li>
-<li class="listitem">
- <p>
- The view associated with the query is now logged unless it
- it is "_default/IN" or "_dnsclient/IN" when logging DNSSEC
- validator messages.
- </p>
- </li>
-<li class="listitem">
- <p>
- Multiple <span class="command"><strong>cookie-secret</strong></span> clause are now
- supported. The first <span class="command"><strong>cookie-secret</strong></span> in
- <code class="filename">named.conf</code> is used to generate new
- server cookies. Any others are used to accept old server
- cookies or those generated by other servers using the
- matching <span class="command"><strong>cookie-secret</strong></span>.
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
- fail on some platforms when LMDB was in use. [RT #45203]
- </p>
- </li>
-<li class="listitem">
- <p>
- Due to some incorrectly deleted code, when BIND was
- built with LMDB, zones that were deleted via
- <span class="command"><strong>rndc delzone</strong></span> were removed from the
- running server but were not removed from the new zone
- database, so that deletion did not persist after a
- server restart. This has been corrected. [RT #45185]
- </p>
- </li>
-<li class="listitem">
- <p>
- Semicolons are no longer escaped when printing CAA and
- URI records. This may break applications that depend on the
- presence of the backslash before the semicolon. [RT #45216]
- </p>
- </li>
-<li class="listitem">
- <p>
- AD could be set on truncated answer with no records present
- in the answer and authority sections. [RT #45140]
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="end_of_life"></a>End of Life</h3></div></div></div>
- <p>
- The end of life for BIND 9.12 is yet to be determined but
- will not be before BIND 9.14.0 has been released for 6 months.
- <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
- </p>
- </div>
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
-
- <p>
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
- <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
- </p>
- </div>
-</div>
-</div></body>
-</html>
+++ /dev/null
-
-This is a summary of the named.conf options supported by
-this version of BIND 9.
-
-acl <string> { <address_match_element>; ... }; // may occur multiple times
-
-controls {
- inet ( <ipv4_address> | <ipv6_address> |
- * ) [ port ( <integer> | * ) ] allow
- { <address_match_element>; ... } [
- keys { <string>; ... } ] [ read-only
- <boolean> ]; // may occur multiple times
- unix <quoted_string> perm <integer>
- owner <integer> group <integer> [
- keys { <string>; ... } ] [ read-only
- <boolean> ]; // may occur multiple times
-}; // may occur multiple times
-
-dlz <string> {
- database <string>;
- search <boolean>;
-}; // may occur multiple times
-
-dyndb <string> <quoted_string> {
- <unspecified-text> }; // may occur multiple times
-
-key <string> {
- algorithm <string>;
- secret <string>;
-}; // may occur multiple times
-
-logging {
- category <string> { <string>; ... }; // may occur multiple times
- channel <string> {
- buffered <boolean>;
- file <quoted_string> [ versions ( unlimited | <integer> ) ]
- [ size <size> ] [ suffix ( increment | timestamp ) ];
- null;
- print-category <boolean>;
- print-severity <boolean>;
- print-time ( iso8601 | iso8601-utc | local | <boolean> );
- severity <log_severity>;
- stderr;
- syslog [ <syslog_facility> ];
- }; // may occur multiple times
-};
-
-lwres { <unspecified-text> }; // obsolete, may occur multiple times
-
-managed-keys { <string> <string> <integer>
- <integer> <integer> <quoted_string>; ... }; // may occur multiple times
-
-masters <string> [ port <integer> ] [ dscp
- <integer> ] { ( <masters> | <ipv4_address> [
- port <integer> ] | <ipv6_address> [ port
- <integer> ] ) [ key <string> ]; ... }; // may occur multiple times
-
-options {
- acache-cleaning-interval <integer>; // obsolete
- acache-enable <boolean>; // obsolete
- additional-from-auth <boolean>; // obsolete
- additional-from-cache <boolean>; // obsolete
- allow-new-zones <boolean>;
- allow-notify { <address_match_element>; ... };
- allow-query { <address_match_element>; ... };
- allow-query-cache { <address_match_element>; ... };
- allow-query-cache-on { <address_match_element>; ... };
- allow-query-on { <address_match_element>; ... };
- allow-recursion { <address_match_element>; ... };
- allow-recursion-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
- allow-update { <address_match_element>; ... };
- allow-update-forwarding { <address_match_element>; ... };
- allow-v6-synthesis { <address_match_element>; ... }; // obsolete
- also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
- <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
- <integer> ] ) [ key <string> ]; ... };
- alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
- ] [ dscp <integer> ];
- alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
- * ) ] [ dscp <integer> ];
- attach-cache <string>;
- auth-nxdomain <boolean>; // default changed
- auto-dnssec ( allow | maintain | off );
- automatic-interface-scan <boolean>;
- avoid-v4-udp-ports { <portrange>; ... };
- avoid-v6-udp-ports { <portrange>; ... };
- bindkeys-file <quoted_string>;
- blackhole { <address_match_element>; ... };
- cache-file <quoted_string>;
- catalog-zones { zone <quoted_string> [ default-masters [ port
- <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [
- port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
- <string> ]; ... } ] [ zone-directory <quoted_string> ] [
- in-memory <boolean> ] [ min-update-interval <integer> ]; ... };
- check-dup-records ( fail | warn | ignore );
- check-integrity <boolean>;
- check-mx ( fail | warn | ignore );
- check-mx-cname ( fail | warn | ignore );
- check-names ( master | slave | response
- ) ( fail | warn | ignore ); // may occur multiple times
- check-sibling <boolean>;
- check-spf ( warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- check-wildcard <boolean>;
- cleaning-interval <integer>;
- clients-per-query <integer>;
- cookie-algorithm ( aes | sha1 | sha256 );
- cookie-secret <string>; // may occur multiple times
- coresize ( default | unlimited | <sizeval> );
- datasize ( default | unlimited | <sizeval> );
- deallocate-on-exit <boolean>; // obsolete
- deny-answer-addresses { <address_match_element>; ... } [
- except-from { <quoted_string>; ... } ];
- deny-answer-aliases { <quoted_string>; ... } [ except-from {
- <quoted_string>; ... } ];
- dialup ( notify | notify-passive | passive | refresh | <boolean> );
- directory <quoted_string>;
- disable-algorithms <string> { <string>;
- ... }; // may occur multiple times
- disable-ds-digests <string> { <string>;
- ... }; // may occur multiple times
- disable-empty-zone <string>; // may occur multiple times
- dns64 <netprefix> {
- break-dnssec <boolean>;
- clients { <address_match_element>; ... };
- exclude { <address_match_element>; ... };
- mapped { <address_match_element>; ... };
- recursive-only <boolean>;
- suffix <ipv6_address>;
- }; // may occur multiple times
- dns64-contact <string>;
- dns64-server <string>;
- dnssec-accept-expired <boolean>;
- dnssec-dnskey-kskonly <boolean>;
- dnssec-enable <boolean>;
- dnssec-loadkeys-interval <integer>;
- dnssec-lookaside ( <string> trust-anchor
- <string> | auto | no ); // may occur multiple times
- dnssec-must-be-secure <string> <boolean>; // may occur multiple times
- dnssec-secure-to-insecure <boolean>;
- dnssec-update-mode ( maintain | no-resign );
- dnssec-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder |
- resolver ) [ ( query | response ) ]; ... }; // not configured
- dnstap-identity ( <quoted_string> | none |
- hostname ); // not configured
- dnstap-output ( file | unix ) <quoted_string> [
- size ( unlimited | <size> ) ] [ versions (
- unlimited | <integer> ) ] [ suffix ( increment
- | timestamp ) ]; // not configured
- dnstap-version ( <quoted_string> | none ); // not configured
- dscp <integer>;
- dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
- <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
- <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
- <integer> ] [ dscp <integer> ] ); ... };
- dump-file <quoted_string>;
- edns-udp-size <integer>;
- empty-contact <string>;
- empty-server <string>;
- empty-zones-enable <boolean>;
- fake-iquery <boolean>; // obsolete
- fetch-glue <boolean>; // obsolete
- fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
- fetches-per-server <integer> [ ( drop | fail ) ];
- fetches-per-zone <integer> [ ( drop | fail ) ];
- files ( default | unlimited | <sizeval> );
- filter-aaaa { <address_match_element>; ... }; // not configured
- filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
- filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
- flush-zones-on-shutdown <boolean>;
- forward ( first | only );
- forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
- | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
- fstrm-set-buffer-hint <integer>; // not configured
- fstrm-set-flush-timeout <integer>; // not configured
- fstrm-set-input-queue-size <integer>; // not configured
- fstrm-set-output-notify-threshold <integer>; // not configured
- fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
- fstrm-set-output-queue-size <integer>; // not configured
- fstrm-set-reopen-interval <integer>; // not configured
- geoip-directory ( <quoted_string> | none ); // not configured
- geoip-use-ecs <boolean>; // not configured
- glue-cache <boolean>;
- has-old-clients <boolean>; // obsolete
- heartbeat-interval <integer>;
- host-statistics <boolean>; // not implemented
- host-statistics-max <integer>; // not implemented
- hostname ( <quoted_string> | none );
- inline-signing <boolean>;
- interface-interval <integer>;
- ixfr-from-differences ( master | slave | <boolean> );
- keep-response-order { <address_match_element>; ... };
- key-directory <quoted_string>;
- lame-ttl <ttlval>;
- listen-on [ port <integer> ] [ dscp
- <integer> ] {
- <address_match_element>; ... }; // may occur multiple times
- listen-on-v6 [ port <integer> ] [ dscp
- <integer> ] {
- <address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>; // non-operational
- lock-file ( <quoted_string> | none );
- maintain-ixfr-base <boolean>; // obsolete
- managed-keys-directory <quoted_string>;
- masterfile-format ( map | raw | text );
- masterfile-style ( full | relative );
- match-mapped-addresses <boolean>;
- max-acache-size ( unlimited | <sizeval> ); // obsolete
- max-cache-size ( default | unlimited | <sizeval> | <percentage> );
- max-cache-ttl <integer>;
- max-clients-per-query <integer>;
- max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
- max-journal-size ( default | unlimited | <sizeval> );
- max-ncache-ttl <integer>;
- max-records <integer>;
- max-recursion-depth <integer>;
- max-recursion-queries <integer>;
- max-refresh-time <integer>;
- max-retry-time <integer>;
- max-rsa-exponent-size <integer>;
- max-stale-ttl <ttlval>;
- max-transfer-idle-in <integer>;
- max-transfer-idle-out <integer>;
- max-transfer-time-in <integer>;
- max-transfer-time-out <integer>;
- max-udp-size <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
- memstatistics <boolean>;
- memstatistics-file <quoted_string>;
- message-compression <boolean>;
- min-refresh-time <integer>;
- min-retry-time <integer>;
- min-roots <integer>; // not implemented
- minimal-any <boolean>;
- minimal-responses ( no-auth | no-auth-recursive | <boolean> );
- multi-master <boolean>;
- multiple-cnames <boolean>; // obsolete
- named-xfer <quoted_string>; // obsolete
- new-zones-directory <quoted_string>;
- no-case-compress { <address_match_element>; ... };
- nocookie-udp-size <integer>;
- nosit-udp-size <integer>; // obsolete
- notify ( explicit | master-only | <boolean> );
- notify-delay <integer>;
- notify-rate <integer>;
- notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
- dscp <integer> ];
- notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
- [ dscp <integer> ];
- notify-to-soa <boolean>;
- nsec3-test-zone <boolean>; // test only
- nta-lifetime <ttlval>;
- nta-recheck <ttlval>;
- nxdomain-redirect <string>;
- pid-file ( <quoted_string> | none );
- port <integer>;
- preferred-glue <string>;
- prefetch <integer> [ <integer> ];
- provide-ixfr <boolean>;
- query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
- <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
- port ( <integer> | * ) ) ) [ dscp <integer> ];
- query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
- <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
- port ( <integer> | * ) ) ) [ dscp <integer> ];
- querylog <boolean>;
- queryport-pool-ports <integer>; // obsolete
- queryport-pool-updateinterval <integer>; // obsolete
- random-device <quoted_string>;
- rate-limit {
- all-per-second <integer>;
- errors-per-second <integer>;
- exempt-clients { <address_match_element>; ... };
- ipv4-prefix-length <integer>;
- ipv6-prefix-length <integer>;
- log-only <boolean>;
- max-table-size <integer>;
- min-table-size <integer>;
- nodata-per-second <integer>;
- nxdomains-per-second <integer>;
- qps-scale <integer>;
- referrals-per-second <integer>;
- responses-per-second <integer>;
- slip <integer>;
- window <integer>;
- };
- recursing-file <quoted_string>;
- recursion <boolean>;
- recursive-clients <integer>;
- request-expire <boolean>;
- request-ixfr <boolean>;
- request-nsid <boolean>;
- request-sit <boolean>; // obsolete
- require-server-cookie <boolean>;
- reserved-sockets <integer>;
- resolver-nonbackoff-tries <integer>;
- resolver-query-timeout <integer>;
- resolver-retry-interval <integer>;
- response-padding { <address_match_element>; ... } block-size
- <integer>;
- response-policy { zone <quoted_string> [ log <boolean> ] [
- max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
- policy ( cname | disabled | drop | given | no-op | nodata |
- nxdomain | passthru | tcp-only <quoted_string> ) ] [
- recursive-only <boolean> ]; ... } [ break-dnssec <boolean> ] [
- max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
- min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
- qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
- rfc2308-type1 <boolean>; // not yet implemented
- root-delegation-only [ exclude { <quoted_string>; ... } ];
- rrset-order { [ class <string> ] [ type <string> ] [ name
- <quoted_string> ] <string> <string>; ... };
- secroots-file <quoted_string>;
- send-cookie <boolean>;
- serial-queries <integer>; // obsolete
- serial-query-rate <integer>;
- serial-update-method ( date | increment | unixtime );
- server-id ( <quoted_string> | none | hostname );
- servfail-ttl <ttlval>;
- session-keyalg <string>;
- session-keyfile ( <quoted_string> | none );
- session-keyname <string>;
- sig-signing-nodes <integer>;
- sig-signing-signatures <integer>;
- sig-signing-type <integer>;
- sig-validity-interval <integer> [ <integer> ];
- sit-secret <string>; // obsolete
- sortlist { <address_match_element>; ... };
- stacksize ( default | unlimited | <sizeval> );
- stale-answer-enable <boolean>;
- stale-answer-ttl <ttlval>;
- startup-notify-rate <integer>;
- statistics-file <quoted_string>;
- statistics-interval <integer>; // not yet implemented
- suppress-initial-notify <boolean>; // not yet implemented
- synth-from-dnssec <boolean>;
- tcp-advertised-timeout <integer>;
- tcp-clients <integer>;
- tcp-idle-timeout <integer>;
- tcp-initial-timeout <integer>;
- tcp-keepalive-timeout <integer>;
- tcp-listen-queue <integer>;
- tkey-dhkey <quoted_string> <integer>;
- tkey-domain <quoted_string>;
- tkey-gssapi-credential <quoted_string>;
- tkey-gssapi-keytab <quoted_string>;
- topology { <address_match_element>; ... }; // not implemented
- transfer-format ( many-answers | one-answer );
- transfer-message-size <integer>;
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
- dscp <integer> ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
- ] [ dscp <integer> ];
- transfers-in <integer>;
- transfers-out <integer>;
- transfers-per-ns <integer>;
- treat-cr-as-space <boolean>; // obsolete
- trust-anchor-telemetry <boolean>; // experimental
- try-tcp-refresh <boolean>;
- update-check-ksk <boolean>;
- use-alt-transfer-source <boolean>;
- use-id-pool <boolean>; // obsolete
- use-ixfr <boolean>; // obsolete
- use-queryport-pool <boolean>; // obsolete
- use-v4-udp-ports { <portrange>; ... };
- use-v6-udp-ports { <portrange>; ... };
- v6-bias <integer>;
- version ( <quoted_string> | none );
- zero-no-soa-ttl <boolean>;
- zero-no-soa-ttl-cache <boolean>;
- zone-statistics ( full | terse | none | <boolean> );
-};
-
-server <netprefix> {
- bogus <boolean>;
- edns <boolean>;
- edns-udp-size <integer>;
- edns-version <integer>;
- keys <server_key>;
- max-udp-size <integer>;
- notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
- dscp <integer> ];
- notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
- [ dscp <integer> ];
- padding <integer>;
- provide-ixfr <boolean>;
- query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
- <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
- port ( <integer> | * ) ) ) [ dscp <integer> ];
- query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
- <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
- port ( <integer> | * ) ) ) [ dscp <integer> ];
- request-expire <boolean>;
- request-ixfr <boolean>;
- request-nsid <boolean>;
- request-sit <boolean>; // obsolete
- send-cookie <boolean>;
- support-ixfr <boolean>; // obsolete
- tcp-keepalive <boolean>;
- tcp-only <boolean>;
- transfer-format ( many-answers | one-answer );
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
- dscp <integer> ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
- ] [ dscp <integer> ];
- transfers <integer>;
-}; // may occur multiple times
-
-statistics-channels {
- inet ( <ipv4_address> | <ipv6_address> |
- * ) [ port ( <integer> | * ) ] [
- allow { <address_match_element>; ...
- } ]; // may occur multiple times
-}; // may occur multiple times
-
-trusted-keys { <string> <integer> <integer>
- <integer> <quoted_string>; ... }; // may occur multiple times
-
-view <string> [ <class> ] {
- acache-cleaning-interval <integer>; // obsolete
- acache-enable <boolean>; // obsolete
- additional-from-auth <boolean>; // obsolete
- additional-from-cache <boolean>; // obsolete
- allow-new-zones <boolean>;
- allow-notify { <address_match_element>; ... };
- allow-query { <address_match_element>; ... };
- allow-query-cache { <address_match_element>; ... };
- allow-query-cache-on { <address_match_element>; ... };
- allow-query-on { <address_match_element>; ... };
- allow-recursion { <address_match_element>; ... };
- allow-recursion-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
- allow-update { <address_match_element>; ... };
- allow-update-forwarding { <address_match_element>; ... };
- allow-v6-synthesis { <address_match_element>; ... }; // obsolete
- also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
- <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
- <integer> ] ) [ key <string> ]; ... };
- alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
- ] [ dscp <integer> ];
- alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
- * ) ] [ dscp <integer> ];
- attach-cache <string>;
- auth-nxdomain <boolean>; // default changed
- auto-dnssec ( allow | maintain | off );
- cache-file <quoted_string>;
- catalog-zones { zone <quoted_string> [ default-masters [ port
- <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [
- port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
- <string> ]; ... } ] [ zone-directory <quoted_string> ] [
- in-memory <boolean> ] [ min-update-interval <integer> ]; ... };
- check-dup-records ( fail | warn | ignore );
- check-integrity <boolean>;
- check-mx ( fail | warn | ignore );
- check-mx-cname ( fail | warn | ignore );
- check-names ( master | slave | response
- ) ( fail | warn | ignore ); // may occur multiple times
- check-sibling <boolean>;
- check-spf ( warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- check-wildcard <boolean>;
- cleaning-interval <integer>;
- clients-per-query <integer>;
- deny-answer-addresses { <address_match_element>; ... } [
- except-from { <quoted_string>; ... } ];
- deny-answer-aliases { <quoted_string>; ... } [ except-from {
- <quoted_string>; ... } ];
- dialup ( notify | notify-passive | passive | refresh | <boolean> );
- disable-algorithms <string> { <string>;
- ... }; // may occur multiple times
- disable-ds-digests <string> { <string>;
- ... }; // may occur multiple times
- disable-empty-zone <string>; // may occur multiple times
- dlz <string> {
- database <string>;
- search <boolean>;
- }; // may occur multiple times
- dns64 <netprefix> {
- break-dnssec <boolean>;
- clients { <address_match_element>; ... };
- exclude { <address_match_element>; ... };
- mapped { <address_match_element>; ... };
- recursive-only <boolean>;
- suffix <ipv6_address>;
- }; // may occur multiple times
- dns64-contact <string>;
- dns64-server <string>;
- dnssec-accept-expired <boolean>;
- dnssec-dnskey-kskonly <boolean>;
- dnssec-enable <boolean>;
- dnssec-loadkeys-interval <integer>;
- dnssec-lookaside ( <string> trust-anchor
- <string> | auto | no ); // may occur multiple times
- dnssec-must-be-secure <string> <boolean>; // may occur multiple times
- dnssec-secure-to-insecure <boolean>;
- dnssec-update-mode ( maintain | no-resign );
- dnssec-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder |
- resolver ) [ ( query | response ) ]; ... }; // not configured
- dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
- <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
- <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
- <integer> ] [ dscp <integer> ] ); ... };
- dyndb <string> <quoted_string> {
- <unspecified-text> }; // may occur multiple times
- edns-udp-size <integer>;
- empty-contact <string>;
- empty-server <string>;
- empty-zones-enable <boolean>;
- fetch-glue <boolean>; // obsolete
- fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
- fetches-per-server <integer> [ ( drop | fail ) ];
- fetches-per-zone <integer> [ ( drop | fail ) ];
- filter-aaaa { <address_match_element>; ... }; // not configured
- filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
- filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
- forward ( first | only );
- forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
- | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
- glue-cache <boolean>;
- inline-signing <boolean>;
- ixfr-from-differences ( master | slave | <boolean> );
- key <string> {
- algorithm <string>;
- secret <string>;
- }; // may occur multiple times
- key-directory <quoted_string>;
- lame-ttl <ttlval>;
- lmdb-mapsize <sizeval>; // non-operational
- maintain-ixfr-base <boolean>; // obsolete
- managed-keys { <string> <string>
- <integer> <integer> <integer>
- <quoted_string>; ... }; // may occur multiple times
- masterfile-format ( map | raw | text );
- masterfile-style ( full | relative );
- match-clients { <address_match_element>; ... };
- match-destinations { <address_match_element>; ... };
- match-recursive-only <boolean>;
- max-acache-size ( unlimited | <sizeval> ); // obsolete
- max-cache-size ( default | unlimited | <sizeval> | <percentage> );
- max-cache-ttl <integer>;
- max-clients-per-query <integer>;
- max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
- max-journal-size ( default | unlimited | <sizeval> );
- max-ncache-ttl <integer>;
- max-records <integer>;
- max-recursion-depth <integer>;
- max-recursion-queries <integer>;
- max-refresh-time <integer>;
- max-retry-time <integer>;
- max-stale-ttl <ttlval>;
- max-transfer-idle-in <integer>;
- max-transfer-idle-out <integer>;
- max-transfer-time-in <integer>;
- max-transfer-time-out <integer>;
- max-udp-size <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
- message-compression <boolean>;
- min-refresh-time <integer>;
- min-retry-time <integer>;
- min-roots <integer>; // not implemented
- minimal-any <boolean>;
- minimal-responses ( no-auth | no-auth-recursive | <boolean> );
- multi-master <boolean>;
- new-zones-directory <quoted_string>;
- no-case-compress { <address_match_element>; ... };
- nocookie-udp-size <integer>;
- nosit-udp-size <integer>; // obsolete
- notify ( explicit | master-only | <boolean> );
- notify-delay <integer>;
- notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
- dscp <integer> ];
- notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
- [ dscp <integer> ];
- notify-to-soa <boolean>;
- nsec3-test-zone <boolean>; // test only
- nta-lifetime <ttlval>;
- nta-recheck <ttlval>;
- nxdomain-redirect <string>;
- preferred-glue <string>;
- prefetch <integer> [ <integer> ];
- provide-ixfr <boolean>;
- query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
- <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
- port ( <integer> | * ) ) ) [ dscp <integer> ];
- query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
- <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
- port ( <integer> | * ) ) ) [ dscp <integer> ];
- queryport-pool-ports <integer>; // obsolete
- queryport-pool-updateinterval <integer>; // obsolete
- rate-limit {
- all-per-second <integer>;
- errors-per-second <integer>;
- exempt-clients { <address_match_element>; ... };
- ipv4-prefix-length <integer>;
- ipv6-prefix-length <integer>;
- log-only <boolean>;
- max-table-size <integer>;
- min-table-size <integer>;
- nodata-per-second <integer>;
- nxdomains-per-second <integer>;
- qps-scale <integer>;
- referrals-per-second <integer>;
- responses-per-second <integer>;
- slip <integer>;
- window <integer>;
- };
- recursion <boolean>;
- request-expire <boolean>;
- request-ixfr <boolean>;
- request-nsid <boolean>;
- request-sit <boolean>; // obsolete
- require-server-cookie <boolean>;
- resolver-nonbackoff-tries <integer>;
- resolver-query-timeout <integer>;
- resolver-retry-interval <integer>;
- response-padding { <address_match_element>; ... } block-size
- <integer>;
- response-policy { zone <quoted_string> [ log <boolean> ] [
- max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
- policy ( cname | disabled | drop | given | no-op | nodata |
- nxdomain | passthru | tcp-only <quoted_string> ) ] [
- recursive-only <boolean> ]; ... } [ break-dnssec <boolean> ] [
- max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
- min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
- qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
- rfc2308-type1 <boolean>; // not yet implemented
- root-delegation-only [ exclude { <quoted_string>; ... } ];
- rrset-order { [ class <string> ] [ type <string> ] [ name
- <quoted_string> ] <string> <string>; ... };
- send-cookie <boolean>;
- serial-update-method ( date | increment | unixtime );
- server <netprefix> {
- bogus <boolean>;
- edns <boolean>;
- edns-udp-size <integer>;
- edns-version <integer>;
- keys <server_key>;
- max-udp-size <integer>;
- notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
- ) ] [ dscp <integer> ];
- notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
- | * ) ] [ dscp <integer> ];
- padding <integer>;
- provide-ixfr <boolean>;
- query-source ( ( [ address ] ( <ipv4_address> | * ) [ port
- ( <integer> | * ) ] ) | ( [ [ address ] (
- <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [
- dscp <integer> ];
- query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [
- port ( <integer> | * ) ] ) | ( [ [ address ] (
- <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [
- dscp <integer> ];
- request-expire <boolean>;
- request-ixfr <boolean>;
- request-nsid <boolean>;
- request-sit <boolean>; // obsolete
- send-cookie <boolean>;
- support-ixfr <boolean>; // obsolete
- tcp-keepalive <boolean>;
- tcp-only <boolean>;
- transfer-format ( many-answers | one-answer );
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
- * ) ] [ dscp <integer> ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port (
- <integer> | * ) ] [ dscp <integer> ];
- transfers <integer>;
- }; // may occur multiple times
- servfail-ttl <ttlval>;
- sig-signing-nodes <integer>;
- sig-signing-signatures <integer>;
- sig-signing-type <integer>;
- sig-validity-interval <integer> [ <integer> ];
- sortlist { <address_match_element>; ... };
- stale-answer-enable <boolean>;
- stale-answer-ttl <ttlval>;
- suppress-initial-notify <boolean>; // not yet implemented
- synth-from-dnssec <boolean>;
- topology { <address_match_element>; ... }; // not implemented
- transfer-format ( many-answers | one-answer );
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
- dscp <integer> ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
- ] [ dscp <integer> ];
- trust-anchor-telemetry <boolean>; // experimental
- trusted-keys { <string> <integer>
- <integer> <integer> <quoted_string>;
- ... }; // may occur multiple times
- try-tcp-refresh <boolean>;
- update-check-ksk <boolean>;
- use-alt-transfer-source <boolean>;
- use-queryport-pool <boolean>; // obsolete
- v6-bias <integer>;
- zero-no-soa-ttl <boolean>;
- zero-no-soa-ttl-cache <boolean>;
- zone <string> [ <class> ] {
- allow-notify { <address_match_element>; ... };
- allow-query { <address_match_element>; ... };
- allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
- allow-update { <address_match_element>; ... };
- allow-update-forwarding { <address_match_element>; ... };
- also-notify [ port <integer> ] [ dscp <integer> ] { (
- <masters> | <ipv4_address> [ port <integer> ] |
- <ipv6_address> [ port <integer> ] ) [ key <string> ];
- ... };
- alt-transfer-source ( <ipv4_address> | * ) [ port (
- <integer> | * ) ] [ dscp <integer> ];
- alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
- <integer> | * ) ] [ dscp <integer> ];
- auto-dnssec ( allow | maintain | off );
- check-dup-records ( fail | warn | ignore );
- check-integrity <boolean>;
- check-mx ( fail | warn | ignore );
- check-mx-cname ( fail | warn | ignore );
- check-names ( fail | warn | ignore );
- check-sibling <boolean>;
- check-spf ( warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- check-wildcard <boolean>;
- database <string>;
- delegation-only <boolean>;
- dialup ( notify | notify-passive | passive | refresh |
- <boolean> );
- dlz <string>;
- dnssec-dnskey-kskonly <boolean>;
- dnssec-loadkeys-interval <integer>;
- dnssec-secure-to-insecure <boolean>;
- dnssec-update-mode ( maintain | no-resign );
- file <quoted_string>;
- forward ( first | only );
- forwarders [ port <integer> ] [ dscp <integer> ] { (
- <ipv4_address> | <ipv6_address> ) [ port <integer> ] [
- dscp <integer> ]; ... };
- in-view <string>;
- inline-signing <boolean>;
- ixfr-base <quoted_string>; // obsolete
- ixfr-from-differences <boolean>;
- ixfr-tmp-file <quoted_string>; // obsolete
- journal <quoted_string>;
- key-directory <quoted_string>;
- maintain-ixfr-base <boolean>; // obsolete
- masterfile-format ( map | raw | text );
- masterfile-style ( full | relative );
- masters [ port <integer> ] [ dscp <integer> ] { ( <masters>
- | <ipv4_address> [ port <integer> ] | <ipv6_address> [
- port <integer> ] ) [ key <string> ]; ... };
- max-ixfr-log-size ( default | unlimited |
- <sizeval> ); // obsolete
- max-journal-size ( default | unlimited | <sizeval> );
- max-records <integer>;
- max-refresh-time <integer>;
- max-retry-time <integer>;
- max-transfer-idle-in <integer>;
- max-transfer-idle-out <integer>;
- max-transfer-time-in <integer>;
- max-transfer-time-out <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
- min-refresh-time <integer>;
- min-retry-time <integer>;
- multi-master <boolean>;
- notify ( explicit | master-only | <boolean> );
- notify-delay <integer>;
- notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
- ) ] [ dscp <integer> ];
- notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
- | * ) ] [ dscp <integer> ];
- notify-to-soa <boolean>;
- nsec3-test-zone <boolean>; // test only
- pubkey <integer>
- <integer>
- <integer>
- <quoted_string>; // obsolete, may occur multiple times
- request-expire <boolean>;
- request-ixfr <boolean>;
- serial-update-method ( date | increment | unixtime );
- server-addresses { ( <ipv4_address> | <ipv6_address> ) [
- port <integer> ]; ... };
- server-names { <quoted_string>; ... };
- sig-signing-nodes <integer>;
- sig-signing-signatures <integer>;
- sig-signing-type <integer>;
- sig-validity-interval <integer> [ <integer> ];
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
- * ) ] [ dscp <integer> ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port (
- <integer> | * ) ] [ dscp <integer> ];
- try-tcp-refresh <boolean>;
- type ( delegation-only | forward | hint | master | redirect
- | slave | static-stub | stub );
- update-check-ksk <boolean>;
- update-policy ( local | { ( deny | grant ) <string> (
- 6to4-self | external | krb5-self | krb5-subdomain |
- ms-self | ms-subdomain | name | self | selfsub |
- selfwild | subdomain | tcp-self | wildcard | zonesub )
- [ <string> ] <rrtypelist>; ... };
- use-alt-transfer-source <boolean>;
- zero-no-soa-ttl <boolean>;
- zone-statistics ( full | terse | none | <boolean> );
- }; // may occur multiple times
- zone-statistics ( full | terse | none | <boolean> );
-}; // may occur multiple times
-
-zone <string> [ <class> ] {
- allow-notify { <address_match_element>; ... };
- allow-query { <address_match_element>; ... };
- allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
- allow-update { <address_match_element>; ... };
- allow-update-forwarding { <address_match_element>; ... };
- also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
- <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
- <integer> ] ) [ key <string> ]; ... };
- alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
- ] [ dscp <integer> ];
- alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
- * ) ] [ dscp <integer> ];
- auto-dnssec ( allow | maintain | off );
- check-dup-records ( fail | warn | ignore );
- check-integrity <boolean>;
- check-mx ( fail | warn | ignore );
- check-mx-cname ( fail | warn | ignore );
- check-names ( fail | warn | ignore );
- check-sibling <boolean>;
- check-spf ( warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- check-wildcard <boolean>;
- database <string>;
- delegation-only <boolean>;
- dialup ( notify | notify-passive | passive | refresh | <boolean> );
- dlz <string>;
- dnssec-dnskey-kskonly <boolean>;
- dnssec-loadkeys-interval <integer>;
- dnssec-secure-to-insecure <boolean>;
- dnssec-update-mode ( maintain | no-resign );
- file <quoted_string>;
- forward ( first | only );
- forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
- | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
- in-view <string>;
- inline-signing <boolean>;
- ixfr-base <quoted_string>; // obsolete
- ixfr-from-differences <boolean>;
- ixfr-tmp-file <quoted_string>; // obsolete
- journal <quoted_string>;
- key-directory <quoted_string>;
- maintain-ixfr-base <boolean>; // obsolete
- masterfile-format ( map | raw | text );
- masterfile-style ( full | relative );
- masters [ port <integer> ] [ dscp <integer> ] { ( <masters> |
- <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
- <integer> ] ) [ key <string> ]; ... };
- max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
- max-journal-size ( default | unlimited | <sizeval> );
- max-records <integer>;
- max-refresh-time <integer>;
- max-retry-time <integer>;
- max-transfer-idle-in <integer>;
- max-transfer-idle-out <integer>;
- max-transfer-time-in <integer>;
- max-transfer-time-out <integer>;
- max-zone-ttl ( unlimited | <ttlval> );
- min-refresh-time <integer>;
- min-retry-time <integer>;
- multi-master <boolean>;
- notify ( explicit | master-only | <boolean> );
- notify-delay <integer>;
- notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
- dscp <integer> ];
- notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
- [ dscp <integer> ];
- notify-to-soa <boolean>;
- nsec3-test-zone <boolean>; // test only
- pubkey <integer> <integer>
- <integer> <quoted_string>; // obsolete, may occur multiple times
- request-expire <boolean>;
- request-ixfr <boolean>;
- serial-update-method ( date | increment | unixtime );
- server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port
- <integer> ]; ... };
- server-names { <quoted_string>; ... };
- sig-signing-nodes <integer>;
- sig-signing-signatures <integer>;
- sig-signing-type <integer>;
- sig-validity-interval <integer> [ <integer> ];
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
- dscp <integer> ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
- ] [ dscp <integer> ];
- try-tcp-refresh <boolean>;
- type ( delegation-only | forward | hint | master | redirect | slave
- | static-stub | stub );
- update-check-ksk <boolean>;
- update-policy ( local | { ( deny | grant ) <string> ( 6to4-self |
- external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
- | name | self | selfsub | selfwild | subdomain | tcp-self |
- wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
- use-alt-transfer-source <boolean>;
- zero-no-soa-ttl <boolean>;
- zone-statistics ( full | terse | none | <boolean> );
-}; // may occur multiple times
-
+++ /dev/null
-.\" Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-.\"
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\" Title: isc-config.sh
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 2009-02-18
-.\" Manual: BIND9
-.\" Source: ISC
-.\" Language: English
-.\"
-.TH "ISC\-CONFIG\&.SH" "1" "2009\-02\-18" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-isc-config.sh \- Get information about the installed version of ISC BIND
-.SH "SYNOPSIS"
-.HP \w'\fBisc\-config\&.sh\fR\ 'u
-\fBisc\-config\&.sh\fR [\fB\-\-cflags\fR] [\fB\-\-exec\-prefix\fR] [\fB\-\-libs\fR] [\fB\-\-prefix\fR] [\fB\-\-version\fR] [libraries...]
-.SH "DESCRIPTION"
-.PP
-\fBisc\-config\&.sh\fR
-prints information related to the installed version of ISC BIND, such as the compiler and linker flags required to compile and link programs that use ISC BIND libraries\&.
-.PP
-The optional libraries are used to report specific details for compiling and linking for the listed libraries\&. The allowed choices are:
-\fBisc\fR,
-\fBisccc\fR,
-\fBisccfg\fR,
-\fBdns\fR,
-\fBbind9\fR\&. Multiple libraries may be listed on the command line\&. (Some libraries require other libraries, so are implied\&.)
-.SH "OPTIONS"
-.PP
-\-\-cflags
-.RS 4
-Prints the compiler command line options required to compile files that use ISC BIND\&. Use the
-\fBlibraries\fR
-command line argument(s) to print additional specific flags to pass to the C compiler\&.
-.RE
-.PP
-\-\-exec\-prefix
-.RS 4
-Prints the directory prefix used in the ISC BIND installation for architecture dependent files to standard output\&.
-.RE
-.PP
-\-\-libs
-.RS 4
-Prints the linker command line options used to link with the ISC BIND libraries\&. Use the
-\fBlibraries\fR
-command line argument(s) to print additional specific flags\&.
-.RE
-.PP
-\-\-prefix
-.RS 4
-Prints the directory prefix used in the ISC BIND installation for architecture independent files to standard output\&.
-.RE
-.PP
-\-\-version
-.RS 4
-Prints the version of the installed ISC BIND suite\&.
-.RE
-.SH "RETURN VALUES"
-.PP
-\fBisc\-config\&.sh\fR
-returns an exit status of 1 if invoked with invalid arguments or no arguments at all\&. It returns 0 if information was successfully printed\&.
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-.br
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>isc-config.sh</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.isc-config.sh"></a><div class="titlepage"></div>
-
-
-
-
-
-
-
- <div class="refnamediv">
-<h2>Name</h2>
-<p>
- <span class="application">isc-config.sh</span>
- — Get information about the installed version of ISC BIND
- </p>
-</div>
-
- <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
- <div class="cmdsynopsis"><p>
- <code class="command">isc-config.sh</code>
- [<code class="option">--cflags</code>]
- [<code class="option">--exec-prefix</code>]
- [<code class="option">--libs</code>]
- [<code class="option">--prefix</code>]
- [<code class="option">--version</code>]
- [libraries...]
- </p></div>
- </div>
-
- <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
- <p><span class="command"><strong>isc-config.sh</strong></span>
- prints information related to the installed version of ISC BIND,
- such as the compiler and linker flags required to compile
- and link programs that use ISC BIND libraries.
- </p>
- <p>
- The optional libraries are used to report specific details
- for compiling and linking for the listed libraries.
- The allowed choices are:
- <code class="option">isc</code>,
- <code class="option">isccc</code>,
- <code class="option">isccfg</code>,
- <code class="option">dns</code>,
- <code class="option">bind9</code>.
- Multiple libraries may be listed on the command line.
- (Some libraries require other libraries, so are implied.)
- </p>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.8"></a><h2>OPTIONS</h2>
-
-
- <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">--cflags</span></dt>
-<dd>
- <p>
- Prints the compiler command line options required to
- compile files that use ISC BIND.
- Use the <code class="option">libraries</code> command line argument(s)
- to print additional specific flags to pass to the C compiler.
- </p>
- </dd>
-<dt><span class="term">--exec-prefix</span></dt>
-<dd>
- <p>
- Prints the directory prefix used in the ISC BIND installation
- for architecture dependent files to standard output.
- </p>
- </dd>
-<dt><span class="term">--libs</span></dt>
-<dd>
- <p>
- Prints the linker command line options used to
- link with the ISC BIND libraries.
- Use the <code class="option">libraries</code> command line argument(s)
- to print additional specific flags.
- </p>
- </dd>
-<dt><span class="term">--prefix</span></dt>
-<dd>
- <p>
- Prints the directory prefix used in the ISC BIND installation
- for architecture independent files to standard output.
- </p>
- </dd>
-<dt><span class="term">--version</span></dt>
-<dd>
- <p>
- Prints the version of the installed ISC BIND suite.
- </p>
- </dd>
-</dl></div>
-
- </div>
-
- <div class="refsection">
-<a name="id-1.9"></a><h2>RETURN VALUES</h2>
-
- <p><span class="command"><strong>isc-config.sh</strong></span>
- returns an exit status of 1 if
- invoked with invalid arguments or no arguments at all.
- It returns 0 if information was successfully printed.
- </p>
- </div>
-
-</div></body>
-</html>
projects / thirdparty / bind9.git / commitdiff
