</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609321">Converting from insecure to secure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610277">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563483">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563520">Fully automatic zone signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563896">Private-type records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563933">DNSKEY rollovers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563946">Dynamic DNS update method</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574561">Automatic key rollovers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574587">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574597">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574606">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574619">Converting from secure to insecure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574657">Periodic re-signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574666">NSEC3 and OPTOUT</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563623">Private-type records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563660">DNSKEY rollovers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563673">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563706">Automatic key rollovers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563733">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563742">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563752">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563901">Converting from secure to insecure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563939">Periodic re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563948">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608969">Validating Resolver</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608992">Authoritative Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574699">Validating Resolver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574722">Authoritative Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612099">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610075">Building BIND 9 with PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636483">PKCS #11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636514">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636712">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636894">Running named with automatic zone re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612577">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610758">Building BIND 9 with PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612931">PKCS #11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612962">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2637531">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2637577">Running named with automatic zone re-signing</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609154">Configuring DLZ</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609227">Sample DLZ Driver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610109">Configuring DLZ</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610797">Sample DLZ Driver</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572873">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2609321"></a>Converting from insecure to secure</h3></div></div></div></div>
+<a name="id2610277"></a>Converting from insecure to secure</h3></div></div></div></div>
<p>Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the
<span><strong class="command">auto-dnssec</strong></span> zone option.</p>
configuration. If this has not been done, the configuration will
fail.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563896"></a>Private-type records</h3></div></div></div></div>
+<a name="id2563623"></a>Private-type records</h3></div></div></div></div>
<p>The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
<p>
</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563933"></a>DNSKEY rollovers</h3></div></div></div></div>
+<a name="id2563660"></a>DNSKEY rollovers</h3></div></div></div></div>
<p>As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
<span><strong class="command">auto-dnssec</strong></span> zone option.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563946"></a>Dynamic DNS update method</h3></div></div></div></div>
+<a name="id2563673"></a>Dynamic DNS update method</h3></div></div></div></div>
<p> To perform key rollovers via dynamic update, you need to add
the <code class="filename">K*</code> files for the new keys so that
<span><strong class="command">named</strong></span> can find them. You can then add the new
<span><strong class="command">named</strong></span> will clean out any signatures generated
by the old key after the update completes.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2574561"></a>Automatic key rollovers</h3></div></div></div></div>
+<a name="id2563706"></a>Automatic key rollovers</h3></div></div></div></div>
<p>When a new key reaches its activation date (as set by
<span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2574587"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
+<a name="id2563733"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
<p>Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2574597"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
+<a name="id2563742"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
<p>To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2574606"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
+<a name="id2563752"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
<p>To do this, use <span><strong class="command">nsupdate</strong></span> to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2574619"></a>Converting from secure to insecure</h3></div></div></div></div>
+<a name="id2563901"></a>Converting from secure to insecure</h3></div></div></div></div>
<p>To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
<span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
<span><strong class="command">allow</strong></span> instead (or it will re-sign).
</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2574657"></a>Periodic re-signing</h3></div></div></div></div>
+<a name="id2563939"></a>Periodic re-signing</h3></div></div></div></div>
<p>In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2574666"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
+<a name="id2563948"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
<p>
<span><strong class="command">named</strong></span> only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
configuration files.</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2608969"></a>Validating Resolver</h3></div></div></div>
+<a name="id2574699"></a>Validating Resolver</h3></div></div></div>
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
<span><strong class="command">managed-keys</strong></span> statement. Information about
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2608992"></a>Authoritative Server</h3></div></div></div>
+<a name="id2574722"></a>Authoritative Server</h3></div></div></div>
<p>To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
Debian Linux, Solaris x86 and Windows Server 2003.</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2612099"></a>Prerequisites</h3></div></div></div>
+<a name="id2612577"></a>Prerequisites</h3></div></div></div>
<p>See the HSM vendor documentation for information about
installing, initializing, testing and troubleshooting the
HSM.</p>
when we configure BIND 9.</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2609669"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
+<a name="id2610420"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
<p>The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
can carry out cryptographic operations, but it is probably
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2609738"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
+<a name="id2610557"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
<p>The SCA-6000 PKCS #11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
times faster than any CPU, so the flavor shall be
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2609787"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
+<a name="id2610606"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
<p>SoftHSM is a software library provided by the OpenDNSSEC
project (http://www.opendnssec.org) which provides a PKCS#11
interface to a virtual HSM, implemented in the form of encrypted
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610075"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
+<a name="id2610758"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
<p>When building BIND 9, the location of the custom-built
OpenSSL library must be specified via configure.</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610084"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
+<a name="id2610766"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
<p>To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.</p>
<p>The PKCS #11 library for the AEP Keyper is currently
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2612164"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
+<a name="id2612778"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
<p>To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.</p>
<pre class="screen">
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2612200"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
+<a name="id2612814"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>cd ../bind9</code></strong>
$ <strong class="userinput"><code>./configure --enable-threads \
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2636483"></a>PKCS #11 Tools</h3></div></div></div>
+<a name="id2612931"></a>PKCS #11 Tools</h3></div></div></div>
<p>BIND 9 includes a minimal set of tools to operate the
HSM, including
<span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2636514"></a>Using the HSM</h3></div></div></div>
+<a name="id2612962"></a>Using the HSM</h3></div></div></div>
<p>First, we must set up the runtime environment so the
OpenSSL and PKCS #11 libraries can be loaded:</p>
<pre class="screen">
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2636712"></a>Specifying the engine on the command line</h3></div></div></div>
+<a name="id2637531"></a>Specifying the engine on the command line</h3></div></div></div>
<p>The OpenSSL engine can be specified in
<span><strong class="command">named</strong></span> and all of the BIND
<span><strong class="command">dnssec-*</strong></span> tools by using the "-E
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2636894"></a>Running named with automatic zone re-signing</h3></div></div></div>
+<a name="id2637577"></a>Running named with automatic zone re-signing</h3></div></div></div>
<p>If you want
<span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM
keys, and/or to to sign new records inserted via nsupdate, then
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2609154"></a>Configuring DLZ</h3></div></div></div>
+<a name="id2610109"></a>Configuring DLZ</h3></div></div></div>
<p>
A DLZ database is configured with a <span><strong class="command">dlz</strong></span>
statement in <code class="filename">named.conf</code>:
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2609227"></a>Sample DLZ Driver</h3></div></div></div>
+<a name="id2610797"></a>Sample DLZ Driver</h3></div></div></div>
<p>
For guidance in implementation of DLZ modules, the directory
<code class="filename">contrib/dlz/example</code> contains a basic
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576037"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576231"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578326"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578400"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578464"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578576"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578362"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578436"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578500"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578544"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578597"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578565"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590679"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591334"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590819"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591542"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590934"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591589"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591376"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592099"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593143"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593798"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2596709">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2597364">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598803">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599458">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599418">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599545">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2
599886"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600210">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600337">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2
600610"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
</p>
</td>
</tr>
+<tr>
+<td>
+ <p><span><strong class="command">rate-limit</strong></span></p>
+ </td>
+<td>
+ <p>
+ The start, periodic, and final notices of the
+ rate limiting of a stream of responses are logged at
+ <span><strong class="command">info</strong></span> severity in this category.
+ These messages include a hash value of the domain name
+ of the response and the name itself,
+ except when there is insufficient memory to record
+ the name for the final notice
+ The final notice is normally delayed until about one
+ minute after rate limit stops.
+ A lack of memory can hurry the final notice,
+ in which case it starts with an asterisk (*).
+ Various internal events are logged at debug 1 level
+ and higher.
+ </p>
+ <p>
+ Rate limiting of individual requests
+ is logged in the <span><strong class="command">queries</strong></span> category
+ and can be controlled with the
+ <span><strong class="command">querylog</strong></span> option.
+ </p>
+ </td>
+</tr>
</tbody>
</table></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2577670"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
+<a name="id2577774"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
<p>
The <span><strong class="command">query-errors</strong></span> category is
specifically intended for debugging purposes: To identify
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578326"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2578362"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578400"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2578436"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">lwres</strong></span> statement configures the
name
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578464"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2578500"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578576"></a><span><strong class="command">masters</strong></span> Statement Definition and
+<a name="id2578544"></a><span><strong class="command">masters</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p><span><strong class="command">masters</strong></span>
lists allow for a common set of masters to be easily used by
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578597"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2578565"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">options</strong></span>
statement in the <code class="filename">named.conf</code> file:
[<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
[<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
+ [<span class="optional"> rate-limit {
+ [<span class="optional"> responses-per-second <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> errors-per-second <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> nxdomains-per-second <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> all-per-second <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> window <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> log-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> qps-scale <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> IPv4-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> IPv6-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> slip <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> exempt-clients { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
+ [<span class="optional"> max-table-size <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> min-table-size <em class="replaceable"><code>number</code></em> ; </span>]
+ } ; </span>]
[<span class="optional"> response-policy { <em class="replaceable"><code>zone_name</code></em>
[<span class="optional"> policy given | disabled | passthru | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> </span>]
[<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>] ;
} [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
- [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>] ; </span>]
+ [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>]
+ [<span class="optional"> qname-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>] ; </span>]
};
</pre>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584398"></a>Forwarding</h4></div></div></div>
+<a name="id2584602"></a>Forwarding</h4></div></div></div>
<p>
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584457"></a>Dual-stack Servers</h4></div></div></div>
+<a name="id2584661"></a>Dual-stack Servers</h4></div></div></div>
<p>
Dual-stack servers are used as servers of last resort to work
around
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2585018"></a>Interfaces</h4></div></div></div>
+<a name="id2585222"></a>Interfaces</h4></div></div></div>
<p>
The interfaces and ports that the server will answer queries
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2586304"></a>UDP Port Lists</h4></div></div></div>
+<a name="id2586439"></a>UDP Port Lists</h4></div></div></div>
<p>
<span><strong class="command">use-v4-udp-ports</strong></span>,
<span><strong class="command">avoid-v4-udp-ports</strong></span>,
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2586432"></a>Operating System Resource Limits</h4></div></div></div>
+<a name="id2586567"></a>Operating System Resource Limits</h4></div></div></div>
<p>
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2586786"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2586989"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
<dd><p>
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
class
<span><strong class="command">CHAOS</strong></span> which is separate from the
- default view of
- class <span><strong class="command">IN</strong></span>; therefore, any global
- server options
- such as <span><strong class="command">allow-query</strong></span> do not apply
- the these zones.
- If you feel the need to disable these zones, use the options
+ default view of class <span><strong class="command">IN</strong></span>. Most global
+ configuration options (<span><strong class="command">allow-query</strong></span>,
+ etc) will apply to this view, but some are locally
+ overridden: <span><strong class="command">notify</strong></span>,
+ <span><strong class="command">recursion</strong></span> and
+ <span><strong class="command">allow-new-zones</strong></span> are
+ always set to <strong class="userinput"><code>no</code></strong>, and
+ <span><strong class="command">rate-limit</strong></span> is set to allow
+ three responses per second.
+ </p>
+<p>
+ If you need to disable these zones, use the options
below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
view by
defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589150"></a>Content Filtering</h4></div></div></div>
+<a name="id2589376"></a>Content Filtering</h4></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 provides the ability to filter
out DNS responses from external DNS servers containing
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589276"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
+<a name="id2589638"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 includes a limited
mechanism to modify DNS responses for requests
Response policy zones are named in the
<span><strong class="command">response-policy</strong></span> option for the view or among the
global options if there is no response-policy option for the view.
- RPZs are ordinary DNS zones containing RRsets
+ Response policy zones are ordinary DNS zones containing RRsets
that can be queried normally if allowed.
It is usually best to restrict those queries with something like
<span><strong class="command">allow-query { localhost; };</strong></span>.
They are encoded as subdomains of
<strong class="userinput"><code>rpz-nsdomain</code></strong> relativized
to the RPZ origin name.
- </p>
-<p>
NSIP triggers match IP addresses in A and
AAAA RRsets for domains that can be checked against NSDNAME
policy records.
NSIP triggers are encoded like IP triggers except as subdomains of
<strong class="userinput"><code>rpz-nsip</code></strong>.
+ NSDNAME and NSIP triggers are checked only for names with at
+ least <span><strong class="command">min-ns-dots</strong></span> dots.
+ The default value of <span><strong class="command">min-ns-dots</strong></span> is 1 to
+ exclude top level domains.
</p>
<p>
- The query response is checked against all RPZs, so
+ The query response is checked against all response policy zones, so
two or more policy records can be triggered by a response.
Because DNS responses can be rewritten according to at most one
policy record, a single record encoding an action (other than
When the processing of a response is restarted to resolve
DNAME or CNAME records and a policy record set has
not been triggered,
- all RPZs are again consulted for the DNAME or CNAME names
- and addresses.
- </p>
-<p>
- Authority verification issues and variations in authority data
- can cause inconsistent results for NSIP and NSDNAME policy records.
- Glue NS records often differ from authoritative NS records.
- So they are available
- only when <acronym class="acronym">BIND</acronym> is built with the
- <strong class="userinput"><code>--enable-rpz-nsip</code></strong> or
- <strong class="userinput"><code>--enable-rpz-nsdname</code></strong> options
- on the "configure" command line.
+ all response policy zones are again consulted for the
+ DNAME or CNAME names and addresses.
</p>
<p>
RPZ record sets are sets of any types of DNS record except
<p>
</p>
<p>
- The actions specified in an RPZ can be overridden with a
+ The actions specified in a policy zone can be overridden with a
<span><strong class="command">policy</strong></span> clause in the
<span><strong class="command">response-policy</strong></span> option.
- An organization using an RPZ provided by another organization might
- use this mechanism to redirect domains to its own walled garden.
+ An organization using a policy zone provided by another
+ organization might use this mechanism to redirect domains
+ to its own walled garden.
</p>
<div class="itemizedlist"><ul type="disc">
<li>
<p>
</p>
<p>
- By default, the actions encoded in an RPZ are applied
- only to queries that ask for recursion (RD=1).
- That default can be changed for a single RPZ or all RPZs in a view
+ By default, the actions encoded in a response policy zone
+ are applied only to queries that ask for recursion (RD=1).
+ That default can be changed for a single policy zone or
+ all response policy zones in a view
with a <span><strong class="command">recursive-only no</strong></span> clause.
This feature is useful for serving the same zone files
both inside and outside an RFC 1918 cloud and using RPZ to
on the externally visible name server or view.
</p>
<p>
- Also by default, RPZ actions are applied only to DNS requests that
- either do not request DNSSEC metadata (DO=0) or when no DNSSEC
- records are available for request name in the original zone (not
- the response policy zone).
- This default can be changed for all RPZs in a view with a
- <span><strong class="command">break-dnssec yes</strong></span> clause.
- In that case, RPZ actions are applied regardless of DNSSEC.
- The name of the clause option reflects the fact that results
- rewritten by RPZ actions cannot verify.
+ Also by default, RPZ actions are applied only to DNS requests
+ that either do not request DNSSEC metadata (DO=0) or when no
+ DNSSEC records are available for request name in the original
+ zone (not the response policy zone). This default can be
+ changed for all response policy zones in a view with a
+ <span><strong class="command">break-dnssec yes</strong></span> clause. In that case, RPZ
+ actions are applied regardless of DNSSEC. The name of the
+ clause option reflects the fact that results rewritten by RPZ
+ actions cannot verify.
+ </p>
+<p>
+ No DNS records are needed to trigger a QNAME action. The name
+ itself is sufficient, so in principle the query name need not
+ be recursively resolved. However, not resolving the requested
+ name leaks the fact that response policy rewriting is in use
+ and that the name is listed in a policy zone to operators of
+ servers for listed names. To prevent that information leak, by
+ default any recursion needed for a request is done before any
+ policy triggers are considered. Because listed domains often
+ have slow authoritative servers, this default behavior can cost
+ significant time. The <span><strong class="command">qname-wait-recurse no</strong></span>
+ option overrides the default behavior when recursion cannot
+ change the response. <span><strong class="command">qname-wait-recurse no</strong></span>
+ does not affect QNAME triggers in policy zones listed after
+ other zones containing IP, NSIP and NSDNAME triggers, because
+ those may depend on the A, AAAA, and NS records that would be
+ found during recursive resolution. It also does not affect
+ DNSSEC requests (DO=1) unless <span><strong class="command">break-dnssec yes</strong></span>
+ is in use, because the response would depend on whether or not
+ RRSIG records were found during resolution.
</p>
<p>
The TTL of a record modified by RPZ policies is set from the
48.zz.2.2001.rpz-nsip CNAME .
</pre>
<p>
- Note: RPZ may impact server performance. Each configured
- response policy zone requires the server to perform one to four
- additional database lookups before a query can be answered.
+ RPZ can affect server performance.
+ Each configured response policy zone requires the server to
+ perform one to four additional database lookups before a
+ query can be answered.
For example, a DNS server with four policy zones, each with all
- four kinds of response triggers — QNAME, IP, NSIP, and
- NSDNAME — requires a total of 17 times as many database
+ four kinds of response triggers, QNAME, IP, NSIP, and
+ NSDNAME, requires a total of 17 times as many database
lookups as a similar DNS server with no response policy zones.
A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
response policy zone with QNAME and IP triggers might achieve a
- maximum queries-per-second rate about 20% lower. A server with
- four response policy zones with QNAME and IP triggers might
- have a maximum QPS rate about 50% lower.
+ maximum queries-per-second rate about 20% lower.
+ A server with four response policy zones with QNAME and IP
+ triggers might have a maximum QPS rate about 50% lower.
+ </p>
+<p>
+ Responses rewritten by RPZ are counted in the
+ <span><strong class="command">RPZRewrites</strong></span> statistics.
+ </p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2590149"></a>Rate Limiting</h4></div></div></div>
+<p>
+ Excessive essentially identical UDP <span class="emphasis"><em>responses</em></span>
+ can be discarded by configuring a
+ <span><strong class="command">rate-limit</strong></span> clause in an
+ <span><strong class="command">options</strong></span> statement.
+ This mechanism keeps BIND 9 from being used
+ in amplifying reflection denial of service attacks
+ as well as partially protecting BIND 9 itself from
+ some denial of service attacks.
+ Very short truncated responses can be sent to provide
+ rate-limited responses to legitimate
+ clients within a range of attacked and forged IP addresses,
+ Legitimate clients react to truncated response by retrying
+ with TCP.
+ </p>
+<p>
+ Rate limiting works by setting
+ <span><strong class="command">responses-per-second</strong></span>
+ to a number of repetitions per second for responses for a given name
+ and record type to a DNS client.
+ </p>
+<p>
+ <span><strong class="command">Responses-per-second</strong></span> is a limit on
+ identical responses instead of a limit on all responses or
+ even all responses to a single client.
+ 10 identical responses per second is a generous limit except perhaps
+ when many clients are using a single IP address via network
+ address translation (NAT).
+ The default limit of zero specifies an unbounded limit to turn off
+ rate-limiting in a view or to only rate-limit NXDOMAIN or other
+ errors.
+ </p>
+<p>
+ The notion of "identical responses"
+ and "single DNS client" cannot be simplistic.
+ All responses to a CIDR block with prefix
+ length specified with <span><strong class="command">IPv4-prefix-length</strong></span>
+ (default 24) or <span><strong class="command">IPv6-prefix-length</strong></span>
+ (default 56) are assumed to come from a single DNS client.
+ Requests for a name that result in DNS NXDOMAIN
+ errors are considered identical.
+ This controls some attacks using random names, but
+ accommodates servers that expect many legitimate NXDOMAIN responses
+ such as anti-spam blacklists.
+ By default the limit on NXDOMAIN errors is the same as the
+ <span><strong class="command">responses-per-second</strong></span> value,
+ but it can be set separately with
+ <span><strong class="command">nxdomains-per-second</strong></span>.
+ All requests for all names or types that result in DNS errors
+ such as SERVFAIL and FORMERR (but not NXDOMAIN) are considered
+ identical.
+ This controls attacks using invalid requests or distant,
+ broken authoritative servers.
+ By default the limit on errors is the same as the
+ <span><strong class="command">responses-per-second</strong></span> value,
+ but it can be set separately with
+ <span><strong class="command">errors-per-second</strong></span>.
+ </p>
+<p>
+ Rate limiting uses a "credit" or "token bucket" scheme.
+ Each identical response has a conceptual account
+ that is given <span><strong class="command">responses-per-second</strong></span>,
+ <span><strong class="command">errors-per-second</strong></span>, and
+ <span><strong class="command">nxdomains-per-second</strong></span> credits every second.
+ A DNS request triggering some desired response debits
+ the account by one.
+ Responses are not sent while the account is negative.
+ The account cannot become more positive than
+ the per-second limit
+ or more negative than <span><strong class="command">window</strong></span>
+ times the per-second limit.
+ A DNS client that sends requests that are not
+ answered can be penalized for up to <span><strong class="command">window</strong></span>
+ seconds (default 15).
+ </p>
+<p>
+ Responses generated from local wildcards are counted and limited
+ as if they were for the parent domain name.
+ This prevents flooding by requesting random.wild.example.com.
+ For similar reasons, NXDOMAIN responses are counted and rate
+ limited by the valid domain name nearest to the
+ query name with an SOA record.
+ </p>
+<p>
+ Many attacks using DNS involve UDP requests with forged source
+ addresses.
+ Rate limiting prevents the use of BIND 9 to flood a network
+ with responses to requests with forged source addresses,
+ but could let a third party block responses to legitimate requests.
+ There is a mechanism that can answer some legitimate
+ requests from a client whose address is being forged in a flood.
+ Setting <span><strong class="command">slip</strong></span> to 2 (its default) causes every
+ other UDP request to be answered with a small response
+ claiming that the response would have been truncated.
+ The small size and relative infrequency of the response make
+ it unattractive for abuse.
+ <span><strong class="command">Slip</strong></span> must be between 0 and 10.
+ A value of 0 does not "slip"
+ or sends no rate limiting truncated responses.
+ Some error responses includinge REFUSED and SERVFAIL
+ cannot be replaced with truncated responses and are instead
+ leaked at the <span><strong class="command">slip</strong></span> rate.
+ </p>
+<p>
+ When the approximate query per second rate exceeds
+ the <span><strong class="command">qps-scale</strong></span> value,
+ then the <span><strong class="command">responses-per-second</strong></span>,
+ <span><strong class="command">errors-per-second</strong></span>,
+ <span><strong class="command">nxdomains-per-second</strong></span> and
+ <span><strong class="command">all-per-second</strong></span> values are reduced by the
+ ratio of the current rate to the <span><strong class="command">qps-scale</strong></span> value.
+ This feature can tighten defenses during attacks.
+ For example, with
+ <span><strong class="command">qps-scale 250; responses-per-second 20;</strong></span> and
+ a total query rate of 1000 queries/second for all queries from
+ all DNS clients including via TCP,
+ then the effective responses/second limit changes to
+ (250/1000)*20 or 5.
+ Responses sent via TCP are not limited
+ but are counted to compute the query per second rate.
+ </p>
+<p>
+ Communities of DNS clients can be given their own parameters or no
+ rate limiting by putting
+ <span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span>
+ statements instead of the global <span><strong class="command">option</strong></span>
+ statement.
+ A <span><strong class="command">rate-limit</strong></span> statement in a view replaces
+ instead of being merged with a <span><strong class="command">rate-limit</strong></span>
+ statement among the main options.
+ DNS clients within a view can be exempted from rate limits
+ with the <span><strong class="command">exempt-clients</strong></span> clause.
+ </p>
+<p>
+ UDP responses of all kinds can be limited with the
+ <span><strong class="command">all-per-second</strong></span> phrase.
+ This rate limiting is unlike the rate limiting provided by
+ <span><strong class="command">responses-per-second</strong></span>,
+ <span><strong class="command">errors-per-second</strong></span>, and
+ <span><strong class="command">nxdomains-per-second</strong></span> on a DNS server
+ which are often invisible to the victim of a DNS reflection attack.
+ Unless the forged requests of the attack are the same as the
+ legitimate requests of the victim, the victim's requests are
+ not affected.
+ Responses affected by an <span><strong class="command">all-per-second</strong></span> limit
+ are always dropped; the <span><strong class="command">slip</strong></span> value has no
+ effect.
+ An <span><strong class="command">all-per-second</strong></span> limit should be
+ at least 4 times as large as the other limits,
+ because single DNS clients often send bursts of legitimate
+ requests.
+ For example, the receipt of a single mail message can prompt
+ requests from an SMTP server for NS, PTR, A, and AAAA records
+ as the incoming SMTP/TCP/IP connection is considered.
+ The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF
+ records as it considers the STMP <span><strong class="command">Mail From</strong></span>
+ command.
+ Web browsers often repeatedly resolve the same names that
+ are repeated in HTML <IMG> tags in a page.
+ <span><strong class="command">All-per-second</strong></span> is similar to the
+ rate limiting offered by firewalls but often inferior.
+ Attacks that justify ignoring the
+ contents of DNS responses are likely to be attacks on the
+ DNS server itself.
+ They usually should be discarded before the DNS server
+ spends resources make TCP connections or parsing DNS requesets,
+ but that rate limiting must be done before the
+ DNS server sees the requests.
+ </p>
+<p>
+ The maximum size of the table used to track requests and
+ rate limit responses is set with <span><strong class="command">max-table-size</strong></span>.
+ Each entry in the table is between 40 and 80 bytes.
+ The table needs approximately as many entries as the number
+ of requests received per second.
+ The default is 20,000.
+ To reduce the cold start of growing the table,
+ <span><strong class="command">min-table-size</strong></span> (default 500)
+ can set the minimum table size.
+ Enable <span><strong class="command">rate-limit</strong></span> category logging to monitor
+ expansions of the table and inform
+ choices for the initial and maximum table size.
+ </p>
+<p>
+ Use <span><strong class="command">log-only yes</strong></span> to test rate limiting parameters
+ without actually dropping any requests.
+ </p>
+<p>
+ Responses dropped by rate limits are included in the
+ <span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span>
+ statistics.
+ Responses that truncated by rate limits are included in
+ <span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>.
</p>
</div>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2590679"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<a name="id2591334"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">statistics-channels</strong></span> statement
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2590819"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<a name="id2591542"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span><strong class="command">trusted-keys</strong></span> statement defines
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2590934"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2591589"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
<em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
[<span class="optional"> <em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591376"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2592099"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">view</strong></span> statement is a powerful
feature
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2593143"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2593798"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2593150"></a>Zone Types</h4></div></div></div>
+<a name="id2593805"></a>Zone Types</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2593864"></a>Class</h4></div></div></div>
+<a name="id2594451"></a>Class</h4></div></div></div>
<p>
The zone's name may optionally be followed by a class. If
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2593897"></a>Zone Options</h4></div></div></div>
+<a name="id2594484"></a>Zone Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
<dd><p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2596709"></a>Zone File</h2></div></div></div>
+<a name="id2597364"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2596795"></a>Resource Records</h4></div></div></div>
+<a name="id2597382"></a>Resource Records</h4></div></div></div>
<p>
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2598282"></a>Textual expression of RRs</h4></div></div></div>
+<a name="id2598937"></a>Textual expression of RRs</h4></div></div></div>
<p>
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2598803"></a>Discussion of MX Records</h3></div></div></div>
+<a name="id2599458"></a>Discussion of MX Records</h3></div></div></div>
<p>
As described above, domain servers store information as a
series of resource records, each of which contains a particular
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2599418"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<a name="id2600210"></a>Inverse Mapping in IPv4</h3></div></div></div>
<p>
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2599545"></a>Other Zone File Directives</h3></div></div></div>
+<a name="id2600337"></a>Other Zone File Directives</h3></div></div></div>
<p>
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2599568"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
+<a name="id2600359"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<p>
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2599584"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<a name="id2600375"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$ORIGIN</strong></span>
<em class="replaceable"><code>domain-name</code></em>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2599713"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<a name="id2600504"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$INCLUDE</strong></span>
<em class="replaceable"><code>filename</code></em>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2599782"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<a name="id2600573"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$TTL</strong></span>
<em class="replaceable"><code>default-ttl</code></em>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2
599886"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<a name="id2
600610"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<p>
Syntax: <span><strong class="command">$GENERATE</strong></span>
<em class="replaceable"><code>range</code></em>
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2600812"></a>Name Server Statistics Counters</h4></div></div></div>
+<a name="id2601672"></a>Name Server Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
</p>
</td>
</tr>
+<tr>
+<td>
+ <p><span><strong class="command">RateDropped</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Responses dropped by rate limits.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">RateSlipped</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Responses truncated by rate limits.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">RPZRewrites</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Response policy zone rewrites.
+ </p>
+ </td>
+</tr>
</tbody>
</table></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2602558"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
+<a name="id2603173"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2602941"></a>Resolver Statistics Counters</h4></div></div></div>
+<a name="id2603624"></a>Resolver Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2603963"></a>Socket I/O Statistics Counters</h4></div></div></div>
+<a name="id2604714"></a>Socket I/O Statistics Counters</h4></div></div></div>
<p>
Socket I/O statistics counters are defined per socket
types, which are
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2604405"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
+<a name="id2605292"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<p>
Most statistics counters that were available
in <span><strong class="command">BIND</strong></span> 8 are also supported in
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2604564"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2605451"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604645">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604705">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605601">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605660">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2604564"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
+<a name="id2605451"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2604645"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<a name="id2605601"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment
to
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2604705"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<a name="id2605660"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon,
use
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2604989">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2604995">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605006">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605024">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605809">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2605814">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605826">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605843">Where Can I Get Help?</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2604989"></a>Common Problems</h2></div></div></div>
+<a name="id2605809"></a>Common Problems</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2604995"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="id2605814"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<p>
The best solution to solving installation and
configuration issues is to take preventative measures by setting
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2605006"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<a name="id2605826"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<p>
Zone serial numbers are just numbers — they aren't
date related. A lot of people set them to a number that
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2605024"></a>Where Can I Get Help?</h2></div></div></div>
+<a name="id2605843"></a>Where Can I Get Help?</h2></div></div></div>
<p>
The Internet Systems Consortium
(<acronym class="acronym">ISC</acronym>) offers a wide range
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2605154">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2605905">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id260
5257">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id260
6076">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id260
8537">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id260
9356">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610832">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610841">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610183">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610214">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610291">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610317">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611632">Library References</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611651">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611660">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611002">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611033">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611110">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611137">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2612178">Library References</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2605154"></a>Acknowledgments</h2></div></div></div>
+<a name="id2605905"></a>Acknowledgments</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id260
5257"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id260
6076"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
</p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2605581"></a>Bibliography</h4></div></div></div>
+<a name="id2606332"></a>Bibliography</h4></div></div></div>
<div class="bibliodiv">
<h3 class="title">Standards</h3>
<div class="biblioentry">
-<a name="id260
5592"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id260
6343"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5616"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id260
6435"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5639"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Implementation and
+<a name="id260
6458"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names — Implementation and
Specification</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
</div>
<h3 class="title">
<a name="proposed_standards"></a>Proposed Standards</h3>
<div class="biblioentry">
-<a name="id260
5675"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+<a name="id260
6494"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
Specification</i>. </span><span class="pubdate">July 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5702"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+<a name="id260
6521"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
Queries</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5728"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id260
6547"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5752"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id260
6571"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5776"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id260
6595"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5831"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+<a name="id260
6650"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5858"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id260
6677"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5884"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id260
6704"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5946"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id260
6765"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
5976"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id260
6795"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2606
006"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+<a name="id2606
825"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2606
033"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+<a name="id2606
852"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
<h3 class="title">
<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2606
115"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+<a name="id2606
934"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2606
141"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2606
961"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2606
178"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2606
997"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6243"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id260
7062"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6308"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+<a name="id260
7127"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
</div>
<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
Implementation</h3>
<div class="biblioentry">
-<a name="id260
6381"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+<a name="id260
7201"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6407"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+<a name="id260
7226"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6475"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id260
7294"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6510"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+<a name="id260
7330"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Resource Record Types</h3>
<div class="biblioentry">
-<a name="id260
6556"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id260
7376"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6614"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id260
7433"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6651"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+<a name="id260
7470"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6686"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+<a name="id260
7506"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
Domain
Name System</i>. </span><span class="pubdate">January 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6741"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+<a name="id260
7628"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
Location of
Services.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6779"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+<a name="id260
7667"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
Distribute MIXER
Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6805"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id260
7692"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6830"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id260
7718"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6857"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id260
7745"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6884"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id260
7771"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6923"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id260
7811"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6953"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id260
7841"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
6983"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+<a name="id260
7870"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2607
026"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2607
913"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2607
059"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+<a name="id2607
946"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2607
085"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+<a name="id2607
973"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2607
109"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+<a name="id2607
996"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
version 6</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7166"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+<a name="id260
8054"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> and the Internet</h3>
<div class="biblioentry">
-<a name="id260
7198"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+<a name="id260
8086"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7224"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+<a name="id260
8112"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
Support</i>. </span><span class="pubdate">October 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7246"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id260
8134"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7270"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id260
8157"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7316"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id260
8203"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7339"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id260
8227"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> Operations</h3>
<div class="biblioentry">
-<a name="id260
7465"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id260
8284"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7489"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+<a name="id260
8308"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7515"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+<a name="id260
8334"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7542"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id260
8361"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7578"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+<a name="id260
8397"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Internationalized Domain Names</h3>
<div class="biblioentry">
-<a name="id260
7624"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+<a name="id260
8443"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7656"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id260
8475"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7702"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id260
8521"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7737"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+<a name="id260
8556"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in
Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
</p>
</div>
<div class="biblioentry">
-<a name="id260
7782"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+<a name="id260
8601"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7804"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id260
8624"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7830"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+<a name="id260
8649"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7856"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id260
8675"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7879"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id260
8698"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7925"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id260
8744"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7948"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+<a name="id260
8768"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
7975"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+<a name="id260
8794"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2608
001"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+<a name="id2608
820"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
<div class="biblioentry">
-<a name="id2608
044"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+<a name="id2608
864"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
Location</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2608
102"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2608
921"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2608
129"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+<a name="id2608
948"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
</div>
</div>
</p>
</div>
<div class="biblioentry">
-<a name="id2608
177"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2608
996"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
8216"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id260
9035"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
8243"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id260
9062"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
8273"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+<a name="id260
9092"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
8298"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+<a name="id260
9117"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
8325"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+<a name="id260
9144"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
8361"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+<a name="id260
9180"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
8397"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+<a name="id260
9217"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
8424"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+<a name="id260
9243"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
8451"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+<a name="id260
9270"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id260
8496"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id260
9315"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
</div>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id260
8537"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+<a name="id260
9356"></a>Other Documents About <acronym class="acronym">BIND</acronym>
</h3></div></div></div>
<p></p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2608547"></a>Bibliography</h4></div></div></div>
+<a name="id2609366"></a>Bibliography</h4></div></div></div>
<div class="biblioentry">
-<a name="id260
8549"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id260
9368"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
</div>
</div>
</div>
</ul></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610832"></a>Prerequisite</h3></div></div></div>
+<a name="id2611651"></a>Prerequisite</h3></div></div></div>
<p>GNU make is required to build the export libraries (other
part of BIND 9 can still be built with other types of make). In
the reminder of this document, "make" means GNU make. Note that
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610841"></a>Compilation</h3></div></div></div>
+<a name="id2611660"></a>Compilation</h3></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong>
$ <strong class="userinput"><code>make</code></strong>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610183"></a>Installation</h3></div></div></div>
+<a name="id2611002"></a>Installation</h3></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>cd lib/export</code></strong>
$ <strong class="userinput"><code>make install</code></strong>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610214"></a>Known Defects/Restrictions</h3></div></div></div>
+<a name="id2611033"></a>Known Defects/Restrictions</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
<li><p>Currently, win32 is not supported for the export
library. (Normal BIND 9 application can be built as
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610291"></a>The dns.conf File</h3></div></div></div>
+<a name="id2611110"></a>The dns.conf File</h3></div></div></div>
<p>The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610317"></a>Sample Applications</h3></div></div></div>
+<a name="id2611137"></a>Sample Applications</h3></div></div></div>
<p>Some sample application programs using this API are
provided for reference. The following is a brief description of
these applications.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610326"></a>sample: a simple stub resolver utility</h4></div></div></div>
+<a name="id2611145"></a>sample: a simple stub resolver utility</h4></div></div></div>
<p>
It sends a query of a given name (of a given optional RR type) to a
specified recursive server, and prints the result as a list of
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610417"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
+<a name="id2611236"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
<p>
Similar to "sample", but accepts a list
of (query) domain names as a separate file and resolves the names
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610470"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
+<a name="id2611289"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
<p>
It sends a query to a specified server, and
prints the response with minimal processing. It doesn't act as a
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610602"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
+<a name="id2611353"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
<p>
This is a test program
to check getaddrinfo() and getnameinfo() behavior. It takes a
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610617"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
+<a name="id2611368"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
<p>
It accepts a single update command as a
command-line argument, sends an update request message to the
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2611499"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
+<a name="id2612045"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
<p>
It checks a set
of domains to see the name servers of the domains behave
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2611632"></a>Library References</h3></div></div></div>
+<a name="id2612178"></a>Library References</h3></div></div></div>
<p>As of this writing, there is no formal "manual" of the
libraries, except this document, header files (some of them
provide pretty detailed explanations), and sample application
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609321">Converting from insecure to secure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610277">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563483">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563520">Fully automatic zone signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563896">Private-type records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563933">DNSKEY rollovers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563946">Dynamic DNS update method</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574561">Automatic key rollovers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574587">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574597">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574606">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574619">Converting from secure to insecure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574657">Periodic re-signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574666">NSEC3 and OPTOUT</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563623">Private-type records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563660">DNSKEY rollovers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563673">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563706">Automatic key rollovers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563733">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563742">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563752">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563901">Converting from secure to insecure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563939">Periodic re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563948">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608969">Validating Resolver</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608992">Authoritative Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574699">Validating Resolver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574722">Authoritative Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612099">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610075">Building BIND 9 with PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636483">PKCS #11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636514">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636712">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636894">Running named with automatic zone re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612577">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610758">Building BIND 9 with PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612931">PKCS #11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612962">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2637531">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2637577">Running named with automatic zone re-signing</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dlz-info">DLZ (Dynamically Loadable Zones)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609154">Configuring DLZ</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609227">Sample DLZ Driver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610109">Configuring DLZ</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610797">Sample DLZ Driver</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572873">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576037"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576231"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578326"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578400"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578464"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578576"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578362"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578436"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578500"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578544"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578597"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578565"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590679"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591334"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590819"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591542"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590934"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591589"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591376"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592099"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593143"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593798"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2596709">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2597364">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598803">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599458">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599418">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599545">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2
599886"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600210">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600337">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2
600610"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2604564"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2605451"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604645">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604705">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605601">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605660">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2604989">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2604995">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605006">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605024">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605809">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2605814">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605826">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605843">Where Can I Get Help?</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2605154">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2605905">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id260
5257">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id260
6076">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id260
8537">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id260
9356">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610832">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610841">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610183">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610214">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610291">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610317">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611632">Library References</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611651">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611660">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611002">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611033">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611110">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611137">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2612178">Library References</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2618667"></a><h2>DESCRIPTION</h2>
+<a name="id2616210"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2618682"></a><h2>SEE ALSO</h2>
+<a name="id2616225"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2618696"></a><h2>AUTHOR</h2>
+<a name="id2616238"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2655962"></a><h2>DESCRIPTION</h2>
+<a name="id2651866"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">ddns-confgen</strong></span>
generates a key for use by <span><strong class="command">nsupdate</strong></span>
and <span><strong class="command">named</strong></span>. It simplifies configuration
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2656118"></a><h2>OPTIONS</h2>
+<a name="id2651954"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2657138"></a><h2>SEE ALSO</h2>
+<a name="id2652632"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2657176"></a><h2>AUTHOR</h2>
+<a name="id2652670"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2611825"></a><h2>DESCRIPTION</h2>
+<a name="id2611893"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2611927"></a><h2>SIMPLE USAGE</h2>
+<a name="id2612337"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612394"></a><h2>OPTIONS</h2>
+<a name="id2613145"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2664414"></a><h2>QUERY OPTIONS</h2>
+<a name="id2664961"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2665622"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2666100"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2665776"></a><h2>IDN SUPPORT</h2>
+<a name="id2666253"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2665804"></a><h2>FILES</h2>
+<a name="id2666282"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2665826"></a><h2>SEE ALSO</h2>
+<a name="id2666304"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2665863"></a><h2>BUGS</h2>
+<a name="id2666341"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2614251"></a><h2>DESCRIPTION</h2>
+<a name="id2614934"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2614265"></a><h2>OPTIONS</h2>
+<a name="id2614948"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2614568"></a><h2>EXAMPLE</h2>
+<a name="id2615933"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2614604"></a><h2>FILES</h2>
+<a name="id2615970"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2614646"></a><h2>CAVEAT</h2>
+<a name="id2616011"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2614656"></a><h2>SEE ALSO</h2>
+<a name="id2616021"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2614695"></a><h2>AUTHOR</h2>
+<a name="id2616060"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2615325"></a><h2>DESCRIPTION</h2>
+<a name="id2616554"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2615346"></a><h2>OPTIONS</h2>
+<a name="id2616574"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2617243"></a><h2>TIMING OPTIONS</h2>
+<a name="id2618336"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2617478"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2618570"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2668840"></a><h2>SEE ALSO</h2>
+<a name="id2669728"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2668873"></a><h2>AUTHOR</h2>
+<a name="id2669761"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2616230"></a><h2>DESCRIPTION</h2>
+<a name="id2617595"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2616250"></a><h2>OPTIONS</h2>
+<a name="id2617616"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2670370"></a><h2>TIMING OPTIONS</h2>
+<a name="id2670233"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2670628"></a><h2>GENERATED KEYS</h2>
+<a name="id2670355"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2670736"></a><h2>EXAMPLE</h2>
+<a name="id2670667"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2670792"></a><h2>SEE ALSO</h2>
+<a name="id2670724"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2670823"></a><h2>AUTHOR</h2>
+<a name="id2670755"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2616864"></a><h2>DESCRIPTION</h2>
+<a name="id2618775"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2616877"></a><h2>OPTIONS</h2>
+<a name="id2618789"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2616998"></a><h2>SEE ALSO</h2>
+<a name="id2618909"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2617569"></a><h2>AUTHOR</h2>
+<a name="id2618934"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2617805"></a><h2>DESCRIPTION</h2>
+<a name="id2619102"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2617864"></a><h2>OPTIONS</h2>
+<a name="id2619161"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2618054"></a><h2>TIMING OPTIONS</h2>
+<a name="id2619351"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2618261"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2619626"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2619911"></a><h2>SEE ALSO</h2>
+<a name="id2619774"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2620012"></a><h2>AUTHOR</h2>
+<a name="id2621173"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2673737"></a><h2>DESCRIPTION</h2>
+<a name="id2674488"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2673756"></a><h2>OPTIONS</h2>
+<a name="id2674507"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2675132"></a><h2>EXAMPLE</h2>
+<a name="id2675883"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id2675211"></a><h2>SEE ALSO</h2>
+<a name="id2675962"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2675304"></a><h2>AUTHOR</h2>
+<a name="id2675987"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2621035"></a><h2>DESCRIPTION</h2>
+<a name="id2621308"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-verify</strong></span>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2621049"></a><h2>OPTIONS</h2>
+<a name="id2621322"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2628708"></a><h2>SEE ALSO</h2>
+<a name="id2621472"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2628733"></a><h2>AUTHOR</h2>
+<a name="id2621497"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">genrandom</code> [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2657568"></a><h2>DESCRIPTION</h2>
+<a name="id2655178"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">genrandom</strong></span>
generates a file or a set of files containing a specified quantity
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2657582"></a><h2>ARGUMENTS</h2>
+<a name="id2655193"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2657643"></a><h2>SEE ALSO</h2>
+<a name="id2655254"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2657670"></a><h2>AUTHOR</h2>
+<a name="id2655281"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2612704"></a><h2>DESCRIPTION</h2>
+<a name="id2613659"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2613900"></a><h2>IDN SUPPORT</h2>
+<a name="id2614037"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2613929"></a><h2>FILES</h2>
+<a name="id2614066"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2613943"></a><h2>SEE ALSO</h2>
+<a name="id2614148"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2619488"></a><h2>DESCRIPTION</h2>
+<a name="id2616962"></a><h2>DESCRIPTION</h2>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2619515"></a><h2>SECURITY CONSIDERATIONS</h2>
+<a name="id2616989"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2657761"></a><h2>SEE ALSO</h2>
+<a name="id2656190"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2104</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2657778"></a><h2>AUTHOR</h2>
+<a name="id2656208"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2628834"></a><h2>DESCRIPTION</h2>
+<a name="id2622007"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span><strong class="command">named</strong></span> configuration file. The file is parsed
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2628904"></a><h2>OPTIONS</h2>
+<a name="id2622077"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2629038"></a><h2>RETURN VALUES</h2>
+<a name="id2622212"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2629052"></a><h2>SEE ALSO</h2>
+<a name="id2622226"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2629082"></a><h2>AUTHOR</h2>
+<a name="id2622256"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2640269"></a><h2>DESCRIPTION</h2>
+<a name="id2638017"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2677115"></a><h2>OPTIONS</h2>
+<a name="id2638067"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2678029"></a><h2>RETURN VALUES</h2>
+<a name="id2678849"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2678043"></a><h2>SEE ALSO</h2>
+<a name="id2678931"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2678076"></a><h2>AUTHOR</h2>
+<a name="id2678964"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2615545"></a><h2>DESCRIPTION</h2>
+<a name="id2615340"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">named-journalprint</strong></span>
prints the contents of a zone journal file in a human-readable
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2641328"></a><h2>SEE ALSO</h2>
+<a name="id2642488"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2641358"></a><h2>AUTHOR</h2>
+<a name="id2642519"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2640651"></a><h2>DESCRIPTION</h2>
+<a name="id2641948"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2640682"></a><h2>OPTIONS</h2>
+<a name="id2641979"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2642978"></a><h2>SIGNALS</h2>
+<a name="id2679159"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2678185"></a><h2>CONFIGURATION</h2>
+<a name="id2679277"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2678234"></a><h2>FILES</h2>
+<a name="id2679326"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2678346"></a><h2>SEE ALSO</h2>
+<a name="id2679370"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2678417"></a><h2>AUTHOR</h2>
+<a name="id2679441"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2657826"></a><h2>DESCRIPTION</h2>
+<a name="id2656256"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2657841"></a><h2>ARGUMENTS</h2>
+<a name="id2656270"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">salt</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2657902"></a><h2>SEE ALSO</h2>
+<a name="id2656401"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5155</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2657920"></a><h2>AUTHOR</h2>
+<a name="id2656418"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-T</code>] [<code class="option">-P</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2641891"></a><h2>DESCRIPTION</h2>
+<a name="id2642846"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2678713"></a><h2>INPUT FORMAT</h2>
+<a name="id2679669"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2679847"></a><h2>EXAMPLES</h2>
+<a name="id2680803"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2679897"></a><h2>FILES</h2>
+<a name="id2680921"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2679980"></a><h2>SEE ALSO</h2>
+<a name="id2681004"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 2136</em>,
<em class="citetitle">RFC 3007</em>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2680038"></a><h2>BUGS</h2>
+<a name="id2681062"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2651066"></a><h2>DESCRIPTION</h2>
+<a name="id2645673"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2651201"></a><h2>OPTIONS</h2>
+<a name="id2645739"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2656980"></a><h2>EXAMPLES</h2>
+<a name="id2651723"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2657036"></a><h2>SEE ALSO</h2>
+<a name="id2656012"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2657484"></a><h2>AUTHOR</h2>
+<a name="id2656051"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2618357"></a><h2>DESCRIPTION</h2>
+<a name="id2615694"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2645221"></a><h2>EXAMPLE</h2>
+<a name="id2645016"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2645547"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2645138"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2645573"></a><h2>SEE ALSO</h2>
+<a name="id2645163"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2645611"></a><h2>AUTHOR</h2>
+<a name="id2651277"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2643107"></a><h2>DESCRIPTION</h2>
+<a name="id2644131"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2643157"></a><h2>OPTIONS</h2>
+<a name="id2644181"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2644269"></a><h2>LIMITATIONS</h2>
+<a name="id2644611"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2644300"></a><h2>SEE ALSO</h2>
+<a name="id2644642"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2644356"></a><h2>AUTHOR</h2>
+<a name="id2644697"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
queryport-pool-ports <integer>; // obsolete
queryport-pool-updateinterval <integer>; // obsolete
random-device <quoted_string>;
+ rate-limit {
+ IPv4-prefix-length <integer>;
+ IPv6-prefix-length <integer>;
+ all-per-second <integer>;
+ errors-per-second <integer>;
+ exempt-clients { <address_match_element>; ... };
+ log-only <boolean>;
+ max-table-size <integer>;
+ min-table-size <integer>;
+ nxdomains-per-second <integer>;
+ qps-scale <integer>;
+ responses-per-second <integer>;
+ responses-per-second <integer>;
+ slip <integer>;
+ window <integer>;
+ };
recursing-file <quoted_string>;
recursion <boolean>;
recursive-clients <integer>;
| passthru | no-op | nxdomain | nodata | cname <quoted_string>
) ] [ recursive-only <boolean> ] [ max-policy-ttl <integer> ];
... } [ recursive-only <boolean> ] [ break-dnssec <boolean> ] [
- max-policy-ttl <integer> ];
+ max-policy-ttl <integer> ] [ min-ns-dots <integer> ] [
+ qname-wait-recurse <boolean> ];
rfc2308-type1 <boolean>; // not yet implemented
root-delegation-only [ exclude { <quoted_string>; ... } ];
rrset-order { [ class <string> ] [ type <string> ] [ name
query-source-v6 <querysource6>;
queryport-pool-ports <integer>; // obsolete
queryport-pool-updateinterval <integer>; // obsolete
+ rate-limit {
+ IPv4-prefix-length <integer>;
+ IPv6-prefix-length <integer>;
+ all-per-second <integer>;
+ errors-per-second <integer>;
+ exempt-clients { <address_match_element>; ... };
+ log-only <boolean>;
+ max-table-size <integer>;
+ min-table-size <integer>;
+ nxdomains-per-second <integer>;
+ qps-scale <integer>;
+ responses-per-second <integer>;
+ responses-per-second <integer>;
+ slip <integer>;
+ window <integer>;
+ };
recursion <boolean>;
request-ixfr <boolean>;
request-ixfr <boolean>;
| passthru | no-op | nxdomain | nodata | cname <quoted_string>
) ] [ recursive-only <boolean> ] [ max-policy-ttl <integer> ];
... } [ recursive-only <boolean> ] [ break-dnssec <boolean> ] [
- max-policy-ttl <integer> ];
+ max-policy-ttl <integer> ] [ min-ns-dots <integer> ] [
+ qname-wait-recurse <boolean> ];
rfc2308-type1 <boolean>; // not yet implemented
root-delegation-only [ exclude { <quoted_string>; ... } ];
rrset-order { [ class <string> ] [ type <string> ] [ name
projects / thirdparty / bind9.git / commitdiff
