From: Tinderbox User
-
-
@@ -1071,7 +1071,7 @@ options {
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.
Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
@@ -1097,7 +1097,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process. +Dynamic DNS update methodTo insert the keys via dynamic update:
% nsupdate
@@ -1133,7 +1133,7 @@ options {
While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.
+Fully automatic zone signing
To enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf.
@@ -1189,7 +1189,7 @@ options {
configuration. If this has not been done, the configuration will
fail.
+Private-type records
The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
@@ -1230,12 +1230,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
auto-dnssec zone option.
+Dynamic DNS update method
To perform key rollovers via dynamic update, you need to add
the K* files for the new keys so that
named can find them. You can then add the new
@@ -1257,7 +1257,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
+Automatic key rollovers
When a new key reaches its activation date (as set by
dnssec-keygen or dnssec-settime),
if the auto-dnssec zone option is set to
@@ -1272,27 +1272,27 @@ options {
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATE
Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.
+Converting from NSEC to NSEC3
To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.
+Converting from NSEC3 to NSEC
To do this, use nsupdate to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.
+Converting from secure to insecure
To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1307,14 +1307,14 @@ options {
allow instead (or it will re-sign).
+Periodic re-signing
In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.
+NSEC3 and OPTOUT
named only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@@ -1336,7 +1336,7 @@ options {
configuration files.
To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
managed-keys statement. Information about
@@ -1347,7 +1347,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1443,7 +1443,7 @@ $ dnssec-signzone -S -K keys example.net<
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
@@ -1452,7 +1452,7 @@ $ dnssec-signzone -S -K keys example.net<
Native PKCS#11 mode will only work with an HSM capable of carrying
out every cryptographic operation BIND 9 may
@@ -1486,7 +1486,7 @@ $ ./configure --enable-native-pkcs11 \
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1544,7 +1544,7 @@ $ ./configure --enable-native-pkcs11 \
$ wget http://www.openssl.org/source/openssl-0.9.8y.tar.gz
@@ -1577,7 +1577,7 @@ $ patch -p1 -d openssl-0.9.8y \
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
@@ -1619,7 +1619,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
The SCA-6000 PKCS#11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1648,7 +1648,7 @@ $ ./Configure solaris64-x86_64-cc \
SoftHSM is a software library provided by the OpenDNSSEC
project (http://www.opendnssec.org) which provides a PKCS#11
@@ -1721,7 +1721,7 @@ $ ./Configure linux-x86_64 -pthread \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1741,7 +1741,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1763,7 +1763,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
$ cd ../bind9
$ ./configure --enable-threads \
@@ -1784,7 +1784,7 @@ $ ./configure --enable-threads \
BIND 9 includes a minimal set of tools to operate the
HSM, including
@@ -1807,7 +1807,7 @@ $ ./configure --enable-threads \
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1928,7 +1928,7 @@ example.net.signed
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in named and all of
@@ -1960,7 +1960,7 @@ $ dnssec-signzone -E '' -S example.net
If you want named to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2047,7 +2047,7 @@ $ dnssec-signzone -E '' -S example.net
A DLZ database is configured with a dlz
statement in named.conf:
@@ -2096,7 +2096,7 @@ $ dnssec-signzone -E '' -S example.net
For guidance in implementation of DLZ modules, the directory
contrib/dlz/example contains a basic
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index fb251a9e6b2..b5d7ed40350 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -57,13 +57,13 @@
BIND 9 DNS Library Support
@@ -648,7 +648,7 @@
GNU make is required to build the export libraries (other
part of BIND 9 can still be built with other types of make). In
the reminder of this document, "make" means GNU make. Note that
@@ -657,7 +657,7 @@
$ ./configure --enable-exportlib [other flags]
$ make
@@ -672,7 +672,7 @@ $ make
$ cd lib/export
$ make install
@@ -694,7 +694,7 @@ $ make install
Currently, win32 is not supported for the export
library. (Normal BIND 9 application can be built as
@@ -734,7 +734,7 @@ $ make
The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
@@ -752,14 +752,14 @@ $ make
Some sample application programs using this API are
provided for reference. The following is a brief description of
these applications.
It sends a query of a given name (of a given optional RR type) to a
specified recursive server, and prints the result as a list of
@@ -823,7 +823,7 @@ $ make
Similar to "sample", but accepts a list
of (query) domain names as a separate file and resolves the names
@@ -864,7 +864,7 @@ $ make
It sends a query to a specified server, and
prints the response with minimal processing. It doesn't act as a
@@ -905,7 +905,7 @@ $ make
This is a test program
to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -922,7 +922,7 @@ $ make
It accepts a single update command as a
command-line argument, sends an update request message to the
@@ -1017,7 +1017,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
It checks a set
of domains to see the name servers of the domains behave
@@ -1074,7 +1074,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
As of this writing, there is no formal "manual" of the
libraries, except this document, header files (some of them
provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index 0bec17ce22f..484c0615ba3 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -55,6 +55,9 @@
host — DNS lookup utility
+delve — DNS lookup and validation utility
+
+
dnssec-checkds — A DNSSEC delegation consistency checking tool.
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 8ae49e29a47..39d0809893e 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -113,39 +113,39 @@
DNSSEC, Dynamic Zones, and Automatic Signing
-- Converting from insecure to secure
-- Dynamic DNS update method
-- Fully automatic zone signing
-- Private-type records
-- DNSKEY rollovers
-- Dynamic DNS update method
-- Automatic key rollovers
-- NSEC3PARAM rollovers via UPDATE
-- Converting from NSEC to NSEC3
-- Converting from NSEC3 to NSEC
-- Converting from secure to insecure
-- Periodic re-signing
-- NSEC3 and OPTOUT
+- Converting from insecure to secure
+- Dynamic DNS update method
+- Fully automatic zone signing
+- Private-type records
+- DNSKEY rollovers
+- Dynamic DNS update method
+- Automatic key rollovers
+- NSEC3PARAM rollovers via UPDATE
+- Converting from NSEC to NSEC3
+- Converting from NSEC3 to NSEC
+- Converting from secure to insecure
+- Periodic re-signing
+- NSEC3 and OPTOUT
Dynamic Trust Anchor Management
PKCS#11 (Cryptoki) support
-- Prerequisites
-- Native PKCS#11
-- OpenSSL-based PKCS#11
-- PKCS#11 Tools
-- Using the HSM
-- Specifying the engine on the command line
-- Running named with automatic zone re-signing
+- Prerequisites
+- Native PKCS#11
+- OpenSSL-based PKCS#11
+- PKCS#11 Tools
+- Using the HSM
+- Specifying the engine on the command line
+- Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
IPv6 Support in BIND 9
@@ -251,13 +251,13 @@
BIND 9 DNS Library Support
I. Manual pages
@@ -269,6 +269,9 @@
host — DNS lookup utility
+delve — DNS lookup and validation utility
+
+
dnssec-checkds — A DNSSEC delegation consistency checking tool.
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index c250c20be81..96af559b39e 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
arpaname {ipaddress ...}
-DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index fefb429a96a..d6642e642f3 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -50,7 +50,7 @@
ddns-confgen [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name | -z zone ] [-q] [name]
-DESCRIPTION
+DESCRIPTION
ddns-confgen
generates a key for use by nsupdate
and named. It simplifies configuration
@@ -77,7 +77,7 @@
diff --git a/doc/arm/man.delve.html b/doc/arm/man.delve.html
index c5f6cb6b1a7..e6fa25e5136 100644
--- a/doc/arm/man.delve.html
+++ b/doc/arm/man.delve.html
@@ -52,7 +52,7 @@
delve [queryopt...] [query...]
-DESCRIPTION
+DESCRIPTION
delve
(Domain Entity Lookup & Validation Engine) is a tool for sending
DNS queries and validating the results, using the the same internal
@@ -95,7 +95,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
delve
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
@@ -445,12 +445,12 @@
-SEE ALSO
+SEE ALSO
dig(1),
named(8),
RFC4034,
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index fa50f9851ae..dd39ee631a2 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
dig [global-queryopt...] [query...]
-DESCRIPTION
+DESCRIPTION
dig
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -99,7 +99,7 @@
-OPTIONS
+OPTIONS
The -b option sets the source IP address of the query
to address. This must be a valid
@@ -256,7 +256,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
dig
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -623,7 +623,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig
supports
@@ -669,7 +669,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -683,14 +683,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1),
named(8),
dnssec-keygen(8),
@@ -698,7 +698,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index aa567ba9027..12070f545af 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -22,7 +22,7 @@
-
+
@@ -31,7 +31,7 @@
dnssec-checkds
-Prev
+Prev
Manual pages
Next
@@ -51,7 +51,7 @@
dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}
-DESCRIPTION
+DESCRIPTION
dnssec-checkds
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
@@ -105,13 +105,13 @@
-Prev
+Prev
Up
Next
-host
+delve
Home
dnssec-coverage
diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index 5800b83f095..257fce97a67 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -50,7 +50,7 @@
dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]
-DESCRIPTION
+DESCRIPTION
dnssec-coverage
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 6a1f7a12ec7..6780df2bd6a 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -51,14 +51,14 @@
dnssec-dsfromkey {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-T TTL] [-f file] [-A] [-v level] {dnsname}
-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name
@@ -164,13 +164,13 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -180,7 +180,7 @@
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 926350476f3..9c0f67c5ae3 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] [-y] {name}
-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -274,7 +274,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes
successfully,
@@ -313,7 +313,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -322,7 +322,7 @@
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 8572e494950..84fa923795d 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-z] {name}
-DESCRIPTION
+DESCRIPTION
dnssec-keygen
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -355,7 +355,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be
@@ -422,7 +422,7 @@
-SEE ALSO
+SEE ALSO
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
@@ -431,7 +431,7 @@
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 01608df6a3b..cadbb5e6d2a 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
dnssec-revoke [-hr] [-v level] [-K directory] [-E engine] [-f] [-R] {keyfile}
-DESCRIPTION
+DESCRIPTION
dnssec-revoke
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 83392ab9792..efdeaa689b4 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
-DESCRIPTION
+DESCRIPTION
dnssec-settime
reads a DNSSEC private key file and sets the key timing metadata
as specified by the -P, -A,
@@ -76,7 +76,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -206,7 +206,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the
timing metadata associated with a key.
@@ -232,7 +232,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -240,7 +240,7 @@
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 5674a46bbc2..d67b64e39e5 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@
dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
-DESCRIPTION
+DESCRIPTION
dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
-EXAMPLE
+EXAMPLE
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -520,14 +520,14 @@ db.example.com.signed
%
diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index f15f5871e61..81cffd0d741 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-x] [-z] {zonefile}
-DESCRIPTION
+DESCRIPTION
dnssec-verify
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 9e15fd90c3e..188cca907ba 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
genrandom [-n number] {size} {filename}
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 88413f29d60..5badecd7e47 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -23,7 +23,7 @@
-
+
@@ -50,7 +50,7 @@
host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
-DESCRIPTION
+DESCRIPTION
host
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
dig
Home
- dnssec-checkds
-
+ delve
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index 9708b072318..ddb1f29c87a 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
isc-hmac-fixup {algorithm} {secret}
-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
-SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup
are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index cfa6f36e367..f9ef6671f07 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]
-DESCRIPTION
+DESCRIPTION
named-checkconf
checks the syntax, but not the semantics, of a
named configuration file. The file is parsed
@@ -70,7 +70,7 @@
-RETURN VALUES
+RETURN VALUES
named-checkconf
returns an exit status of 1 if
errors were detected and 0 otherwise.
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index fa20f6329ef..a0f905bd759 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}
-DESCRIPTION
+DESCRIPTION
named-checkzone
checks the syntax and integrity of a zone file. It performs the
same checks as named does when loading a
@@ -71,7 +71,7 @@
-RETURN VALUES
+RETURN VALUES
named-checkzone
returns an exit status of 1 if
errors were detected and 0 otherwise.
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 0a175843835..e75a346a5b0 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
named-journalprint {journal}
-DESCRIPTION
+DESCRIPTION
named-journalprint
prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 6f9a2a1efac..bc9c128dd26 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]
-DESCRIPTION
+DESCRIPTION
named
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control
the nameserver; rndc should be used
@@ -292,7 +292,7 @@
-CONFIGURATION
+CONFIGURATION
The named configuration file is too complex
to describe in detail here. A complete description is provided
@@ -309,7 +309,7 @@
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index d8d59140df2..65c3087d8fb 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
nsec3hash {salt} {algorithm} {iterations} {domain}
-DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
@@ -56,7 +56,7 @@
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 0fa598c0f2f..9f82369bda4 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [filename]
-DESCRIPTION
+DESCRIPTION
nsupdate
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@@ -226,7 +226,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index ab80427bffe..1f191d69313 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
-DESCRIPTION
+DESCRIPTION
rndc-confgen
generates configuration files
for rndc. It can be used as a
@@ -66,7 +66,7 @@
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 7de076f4745..acb844918dc 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
rndc.conf
-DESCRIPTION
+DESCRIPTION
rndc.conf is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
-NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 346c956b119..52573372e2e 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
-DESCRIPTION
+DESCRIPTION
rndc
controls the operation of a name
server. It supersedes the ndc utility
@@ -81,7 +81,7 @@
-COMMANDS
+COMMANDS
A list of commands supported by rndc can
be seen by running rndc without arguments.
@@ -530,7 +530,7 @@