From: Tinderbox User Date: Wed, 27 Feb 2013 01:07:46 +0000 (+0000) Subject: regen master X-Git-Tag: v9.10.0a1~484 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c7f299247ca4460807f44b43f84ba19719646cc9;p=thirdparty%2Fbind9.git regen master --- diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 86727650e8a..ce7ab56bf9d 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -70,38 +70,38 @@
DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
+
Converting from insecure to secure
Dynamic DNS update method
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS #11 (Cryptoki) support
-
Prerequisites
-
Building BIND 9 with PKCS#11
-
PKCS #11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Prerequisites
+
Building BIND 9 with PKCS#11
+
PKCS #11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -1070,7 +1070,7 @@ options { from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.

-Converting from insecure to secure

+Converting from insecure to secure

Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

@@ -1188,7 +1188,7 @@ options { configuration. If this has not been done, the configuration will fail.

-Private-type records

+Private-type records

The state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a nonzero value for @@ -1229,12 +1229,12 @@ options {

-DNSKEY rollovers

+DNSKEY rollovers

As with insecure-to-secure conversions, rolling DNSSEC keys can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

-Dynamic DNS update method

+Dynamic DNS update method

To perform key rollovers via dynamic update, you need to add the K* files for the new keys so that named can find them. You can then add the new @@ -1256,7 +1256,7 @@ options { named will clean out any signatures generated by the old key after the update completes.

-Automatic key rollovers

+Automatic key rollovers

When a new key reaches its activation date (as set by dnssec-keygen or dnssec-settime), if the auto-dnssec zone option is set to @@ -1271,27 +1271,27 @@ options { completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset.

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE

Add the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain has been generated, the NSEC3PARAM flag field will be zero. At this point you can remove the old NSEC3PARAM record. The old chain will be removed after the update request completes.

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3

To do this, you just need to add an NSEC3PARAM record. When the conversion is complete, the NSEC chain will have been removed and the NSEC3PARAM record will have a zero flag field. The NSEC3 chain will be generated before the NSEC chain is destroyed.

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC

To do this, use nsupdate to remove all NSEC3PARAM records with a zero flag field. The NSEC chain will be generated before the NSEC3 chain is removed.

-Converting from secure to insecure

+Converting from secure to insecure

To convert a signed zone to unsigned using dynamic DNS, delete all the DNSKEY records from the zone apex using nsupdate. All signatures, NSEC or NSEC3 chains, @@ -1306,14 +1306,14 @@ options { allow instead (or it will re-sign).

-Periodic re-signing

+Periodic re-signing

In any secure zone which supports dynamic updates, named will periodically re-sign RRsets which have not been re-signed as a result of some update action. The signature lifetimes will be adjusted so as to spread the re-sign load over time rather than all at once.

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT

named only supports creating new NSEC3 chains where all the NSEC3 records in the zone have the same OPTOUT @@ -1335,7 +1335,7 @@ options { configuration files.

-Validating Resolver

+Validating Resolver

To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a managed-keys statement. Information about @@ -1346,7 +1346,7 @@ options {

-Authoritative Server

+Authoritative Server

To set up an authoritative zone for RFC 5011 trust anchor maintenance, generate two (or more) key signing keys (KSKs) for the zone. Sign the zone with one of them; this is the "active" @@ -1420,7 +1420,7 @@ $ dnssec-signzone -S -K keys example.net< Debian Linux, Solaris x86 and Windows Server 2003.

-Prerequisites

+Prerequisites

See the HSM vendor documentation for information about installing, initializing, testing and troubleshooting the HSM.

@@ -1497,7 +1497,7 @@ $ patch -p1 -d openssl-0.9.8s \ when we configure BIND 9.

-Building OpenSSL for the AEP Keyper on Linux

+Building OpenSSL for the AEP Keyper on Linux

The AEP Keyper is a highly secure key storage device, but does not provide hardware cryptographic acceleration. It can carry out cryptographic operations, but it is probably @@ -1529,7 +1529,7 @@ $ ./Configure linux-generic32 -m32 -pthread \

-Building OpenSSL for the SCA 6000 on Solaris

+Building OpenSSL for the SCA 6000 on Solaris

The SCA-6000 PKCS #11 provider is installed as a system library, libpkcs11. It is a true crypto accelerator, up to 4 times faster than any CPU, so the flavor shall be @@ -1551,7 +1551,7 @@ $ ./Configure solaris64-x86_64-cc \

-Building OpenSSL for SoftHSM

+Building OpenSSL for SoftHSM

SoftHSM is a software library provided by the OpenDNSSEC project (http://www.opendnssec.org) which provides a PKCS#11 interface to a virtual HSM, implemented in the form of encrypted @@ -1611,12 +1611,12 @@ $ ./Configure linux-x86_64 -pthread \

-Building BIND 9 with PKCS#11

+Building BIND 9 with PKCS#11

When building BIND 9, the location of the custom-built OpenSSL library must be specified via configure.

-Configuring BIND 9 for Linux with the AEP Keyper

+Configuring BIND 9 for Linux with the AEP Keyper

To link with the PKCS #11 provider, threads must be enabled in the BIND 9 build.

The PKCS #11 library for the AEP Keyper is currently @@ -1632,7 +1632,7 @@ $ ./configure CC="gcc -m32" --enable-threads \

-Configuring BIND 9 for Solaris with the SCA 6000

+Configuring BIND 9 for Solaris with the SCA 6000

To link with the PKCS #11 provider, threads must be enabled in the BIND 9 build.

@@ -1650,7 +1650,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
 
 

 

-Configuring BIND 9 for SoftHSM

+Configuring BIND 9 for SoftHSM

 
 $ cd ../bind9
 $ ./configure --enable-threads \
@@ -1667,7 +1667,7 @@ $ ./configure --enable-threads \
 
 

 

-PKCS #11 Tools

+PKCS #11 Tools

 
BIND 9 includes a minimal set of tools to operate the
     HSM, including 
     pkcs11-keygen to generate a new key pair
@@ -1685,7 +1685,7 @@ $ ./configure --enable-threads \
 
 

 

-Using the HSM

+Using the HSM

 
First, we must set up the runtime environment so the
     OpenSSL and PKCS #11 libraries can be loaded:

 
@@ -1773,7 +1773,7 @@ example.net.signed
 
 

 

-Specifying the engine on the command line

+Specifying the engine on the command line

 
The OpenSSL engine can be specified in 
     named and all of the BIND 
     dnssec-* tools by using the "-E
@@ -1794,7 +1794,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Running named with automatic zone re-signing

+Running named with automatic zone re-signing

 
If you want 
     named to dynamically re-sign zones using HSM
     keys, and/or to to sign new records inserted via nsupdate, then
@@ -1868,7 +1868,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Configuring DLZ

+Configuring DLZ

 

       A DLZ database is configured with a dlz
       statement in named.conf:
@@ -1917,7 +1917,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Sample DLZ Driver

+Sample DLZ Driver

 

       For guidance in implementation of DLZ modules, the directory
       contrib/dlz/example contains a basic
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 7918a949f91..6ca88d51cc2 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -66,40 +66,40 @@
 
logging Statement Grammar

 
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

 
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Definition
             and Usage

-
managed-keys Statement Grammar

+
managed-keys Statement Grammar

 
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -1769,12 +1769,40 @@ category notify { null; };

+ + +

rate-limit

+ + +

+ The start, periodic, and final notices of the + rate limiting of a stream of responses are logged at + info severity in this category. + These messages include a hash value of the domain name + of the response and the name itself, + except when there is insufficient memory to record + the name for the final notice + The final notice is normally delayed until about one + minute after rate limit stops. + A lack of memory can hurry the final notice, + in which case it starts with an asterisk (*). + Various internal events are logged at debug 1 level + and higher. +

+

+ Rate limiting of individual requests + is logged in the queries category + and can be controlled with the + querylog option. +

+ +

-The query-errors Category

+The query-errors Category

The query-errors category is specifically intended for debugging purposes: To identify @@ -2002,7 +2030,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]

-lwres Statement Grammar

+lwres Statement Grammar

This is the grammar of the lwres statement in the named.conf file: @@ -2018,7 +2046,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

The lwres statement configures the name @@ -2069,7 +2097,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]

-masters Statement Grammar

+masters Statement Grammar
 masters name [port ip_port] { ( masters_list | 
       ip_addr [port ip_port] [key key] ) ; [...] };
@@ -2077,7 +2105,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 

 

-masters Statement Definition and
+masters Statement Definition and
           Usage

 
masters
           lists allow for a common set of masters to be easily used by
@@ -2087,7 +2115,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 

 

 

-options Statement Grammar

+options Statement Grammar

 

           This is the grammar of the options
           statement in the named.conf file:
@@ -2294,11 +2322,27 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [ resolver-query-timeout number ; ]
     [ deny-answer-addresses { address_match_list } [ except-from { namelist } ];]
     [ deny-answer-aliases { namelist } [ except-from { namelist } ];]
+    [ rate-limit {
+        [ responses-per-second number ; ]
+        [ errors-per-second number ; ]
+        [ nxdomains-per-second number ; ]
+        [ all-per-second number ; ]
+        [ window number ; ]
+        [ log-only yes_or_no ; ]
+        [ qps-scale number ; ]
+        [ IPv4-prefix-length number ; ]
+        [ IPv6-prefix-length number ; ]
+        [ slip number ; ]
+        [ exempt-clients  { address_match_list } ; ]
+        [ max-table-size number ; ]
+        [ min-table-size number ; ]
+      } ; ]
     [ response-policy { zone_name
         [ policy given | disabled | passthru | nxdomain | nodata | cname domain ]
         [ recursive-only yes_or_no ] [ max-policy-ttl number ] ;
     } [ recursive-only yes_or_no ] [ max-policy-ttl number ]
-        [ break-dnssec yes_or_no ] ; ]
+        [ break-dnssec yes_or_no ] [ min-ns-dots number ]
+        [ qname-wait-recurse yes_or_no ] ; ]
 };
@@ -3773,7 +3817,7 @@ options {

-Forwarding

+Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3817,7 +3861,7 @@ options {

-Dual-stack Servers

+Dual-stack Servers

Dual-stack servers are used as servers of last resort to work around @@ -4034,7 +4078,7 @@ options {

-Interfaces

+Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4502,7 +4546,7 @@ avoid-v6-udp-ports {};

-UDP Port Lists

+UDP Port Lists

use-v4-udp-ports, avoid-v4-udp-ports, @@ -4544,7 +4588,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Operating System Resource Limits

+Operating System Resource Limits

The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4706,7 +4750,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Periodic Task Intervals

+Periodic Task Intervals
cleaning-interval

@@ -5320,12 +5364,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; built-in view (see the section called “view Statement Grammar”) of class CHAOS which is separate from the - default view of - class IN; therefore, any global - server options - such as allow-query do not apply - the these zones. - If you feel the need to disable these zones, use the options + default view of class IN. Most global + configuration options (allow-query, + etc) will apply to this view, but some are locally + overridden: notify, + recursion and + allow-new-zones are + always set to no, and + rate-limit is set to allow + three responses per second. +

+

+ If you need to disable these zones, use the options below, or hide the built-in CHAOS view by defining an explicit view of class CHAOS @@ -5640,7 +5690,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Content Filtering

+Content Filtering

BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5763,7 +5813,7 @@ deny-answer-aliases { "example.net"; };

-Response Policy Zone (RPZ) Rewriting

+Response Policy Zone (RPZ) Rewriting

BIND 9 includes a limited mechanism to modify DNS responses for requests @@ -5776,7 +5826,7 @@ deny-answer-aliases { "example.net"; }; Response policy zones are named in the response-policy option for the view or among the global options if there is no response-policy option for the view. - RPZs are ordinary DNS zones containing RRsets + Response policy zones are ordinary DNS zones containing RRsets that can be queried normally if allowed. It is usually best to restrict those queries with something like allow-query { localhost; };. @@ -5819,16 +5869,18 @@ deny-answer-aliases { "example.net"; }; They are encoded as subdomains of rpz-nsdomain relativized to the RPZ origin name. -

-

NSIP triggers match IP addresses in A and AAAA RRsets for domains that can be checked against NSDNAME policy records. NSIP triggers are encoded like IP triggers except as subdomains of rpz-nsip. + NSDNAME and NSIP triggers are checked only for names with at + least min-ns-dots dots. + The default value of min-ns-dots is 1 to + exclude top level domains.

- The query response is checked against all RPZs, so + The query response is checked against all response policy zones, so two or more policy records can be triggered by a response. Because DNS responses can be rewritten according to at most one policy record, a single record encoding an action (other than @@ -5860,18 +5912,8 @@ deny-answer-aliases { "example.net"; }; When the processing of a response is restarted to resolve DNAME or CNAME records and a policy record set has not been triggered, - all RPZs are again consulted for the DNAME or CNAME names - and addresses. -

-

- Authority verification issues and variations in authority data - can cause inconsistent results for NSIP and NSDNAME policy records. - Glue NS records often differ from authoritative NS records. - So they are available - only when BIND is built with the - --enable-rpz-nsip or - --enable-rpz-nsdname options - on the "configure" command line. + all response policy zones are again consulted for the + DNAME or CNAME names and addresses.

RPZ record sets are sets of any types of DNS record except @@ -5909,11 +5951,12 @@ deny-answer-aliases { "example.net"; };

- The actions specified in an RPZ can be overridden with a + The actions specified in a policy zone can be overridden with a policy clause in the response-policy option. - An organization using an RPZ provided by another organization might - use this mechanism to redirect domains to its own walled garden. + An organization using a policy zone provided by another + organization might use this mechanism to redirect domains + to its own walled garden.

  • @@ -5951,9 +5994,10 @@ deny-answer-aliases { "example.net"; };

    - By default, the actions encoded in an RPZ are applied - only to queries that ask for recursion (RD=1). - That default can be changed for a single RPZ or all RPZs in a view + By default, the actions encoded in a response policy zone + are applied only to queries that ask for recursion (RD=1). + That default can be changed for a single policy zone or + all response policy zones in a view with a recursive-only no clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to @@ -5961,15 +6005,36 @@ deny-answer-aliases { "example.net"; }; on the externally visible name server or view.

    - Also by default, RPZ actions are applied only to DNS requests that - either do not request DNSSEC metadata (DO=0) or when no DNSSEC - records are available for request name in the original zone (not - the response policy zone). - This default can be changed for all RPZs in a view with a - break-dnssec yes clause. - In that case, RPZ actions are applied regardless of DNSSEC. - The name of the clause option reflects the fact that results - rewritten by RPZ actions cannot verify. + Also by default, RPZ actions are applied only to DNS requests + that either do not request DNSSEC metadata (DO=0) or when no + DNSSEC records are available for request name in the original + zone (not the response policy zone). This default can be + changed for all response policy zones in a view with a + break-dnssec yes clause. In that case, RPZ + actions are applied regardless of DNSSEC. The name of the + clause option reflects the fact that results rewritten by RPZ + actions cannot verify. +

    +

    + No DNS records are needed to trigger a QNAME action. The name + itself is sufficient, so in principle the query name need not + be recursively resolved. However, not resolving the requested + name leaks the fact that response policy rewriting is in use + and that the name is listed in a policy zone to operators of + servers for listed names. To prevent that information leak, by + default any recursion needed for a request is done before any + policy triggers are considered. Because listed domains often + have slow authoritative servers, this default behavior can cost + significant time. The qname-wait-recurse no + option overrides the default behavior when recursion cannot + change the response. qname-wait-recurse no + does not affect QNAME triggers in policy zones listed after + other zones containing IP, NSIP and NSDNAME triggers, because + those may depend on the A, AAAA, and NS records that would be + found during recursive resolution. It also does not affect + DNSSEC requests (DO=1) unless break-dnssec yes + is in use, because the response would depend on whether or not + RRSIG records were found during resolution.

    The TTL of a record modified by RPZ policies is set from the @@ -6017,18 +6082,221 @@ ns.domain.com.rpz-nsdname CNAME . 48.zz.2.2001.rpz-nsip CNAME .

    - Note: RPZ may impact server performance. Each configured - response policy zone requires the server to perform one to four - additional database lookups before a query can be answered. + RPZ can affect server performance. + Each configured response policy zone requires the server to + perform one to four additional database lookups before a + query can be answered. For example, a DNS server with four policy zones, each with all - four kinds of response triggers — QNAME, IP, NSIP, and - NSDNAME — requires a total of 17 times as many database + four kinds of response triggers, QNAME, IP, NSIP, and + NSDNAME, requires a total of 17 times as many database lookups as a similar DNS server with no response policy zones. A BIND9 server with adequate memory and one response policy zone with QNAME and IP triggers might achieve a - maximum queries-per-second rate about 20% lower. A server with - four response policy zones with QNAME and IP triggers might - have a maximum QPS rate about 50% lower. + maximum queries-per-second rate about 20% lower. + A server with four response policy zones with QNAME and IP + triggers might have a maximum QPS rate about 50% lower. +

    +

    + Responses rewritten by RPZ are counted in the + RPZRewrites statistics. +

    +
+
+

+Rate Limiting

+

+ Excessive essentially identical UDP responses + can be discarded by configuring a + rate-limit clause in an + options statement. + This mechanism keeps BIND 9 from being used + in amplifying reflection denial of service attacks + as well as partially protecting BIND 9 itself from + some denial of service attacks. + Very short truncated responses can be sent to provide + rate-limited responses to legitimate + clients within a range of attacked and forged IP addresses, + Legitimate clients react to truncated response by retrying + with TCP. +

+

+ Rate limiting works by setting + responses-per-second + to a number of repetitions per second for responses for a given name + and record type to a DNS client. +

+

+ Responses-per-second is a limit on + identical responses instead of a limit on all responses or + even all responses to a single client. + 10 identical responses per second is a generous limit except perhaps + when many clients are using a single IP address via network + address translation (NAT). + The default limit of zero specifies an unbounded limit to turn off + rate-limiting in a view or to only rate-limit NXDOMAIN or other + errors. +

+

+ The notion of "identical responses" + and "single DNS client" cannot be simplistic. + All responses to a CIDR block with prefix + length specified with IPv4-prefix-length + (default 24) or IPv6-prefix-length + (default 56) are assumed to come from a single DNS client. + Requests for a name that result in DNS NXDOMAIN + errors are considered identical. + This controls some attacks using random names, but + accommodates servers that expect many legitimate NXDOMAIN responses + such as anti-spam blacklists. + By default the limit on NXDOMAIN errors is the same as the + responses-per-second value, + but it can be set separately with + nxdomains-per-second. + All requests for all names or types that result in DNS errors + such as SERVFAIL and FORMERR (but not NXDOMAIN) are considered + identical. + This controls attacks using invalid requests or distant, + broken authoritative servers. + By default the limit on errors is the same as the + responses-per-second value, + but it can be set separately with + errors-per-second. +

+

+ Rate limiting uses a "credit" or "token bucket" scheme. + Each identical response has a conceptual account + that is given responses-per-second, + errors-per-second, and + nxdomains-per-second credits every second. + A DNS request triggering some desired response debits + the account by one. + Responses are not sent while the account is negative. + The account cannot become more positive than + the per-second limit + or more negative than window + times the per-second limit. + A DNS client that sends requests that are not + answered can be penalized for up to window + seconds (default 15). +

+

+ Responses generated from local wildcards are counted and limited + as if they were for the parent domain name. + This prevents flooding by requesting random.wild.example.com. + For similar reasons, NXDOMAIN responses are counted and rate + limited by the valid domain name nearest to the + query name with an SOA record. +

+

+ Many attacks using DNS involve UDP requests with forged source + addresses. + Rate limiting prevents the use of BIND 9 to flood a network + with responses to requests with forged source addresses, + but could let a third party block responses to legitimate requests. + There is a mechanism that can answer some legitimate + requests from a client whose address is being forged in a flood. + Setting slip to 2 (its default) causes every + other UDP request to be answered with a small response + claiming that the response would have been truncated. + The small size and relative infrequency of the response make + it unattractive for abuse. + Slip must be between 0 and 10. + A value of 0 does not "slip" + or sends no rate limiting truncated responses. + Some error responses includinge REFUSED and SERVFAIL + cannot be replaced with truncated responses and are instead + leaked at the slip rate. +

+

+ When the approximate query per second rate exceeds + the qps-scale value, + then the responses-per-second, + errors-per-second, + nxdomains-per-second and + all-per-second values are reduced by the + ratio of the current rate to the qps-scale value. + This feature can tighten defenses during attacks. + For example, with + qps-scale 250; responses-per-second 20; and + a total query rate of 1000 queries/second for all queries from + all DNS clients including via TCP, + then the effective responses/second limit changes to + (250/1000)*20 or 5. + Responses sent via TCP are not limited + but are counted to compute the query per second rate. +

+

+ Communities of DNS clients can be given their own parameters or no + rate limiting by putting + rate-limit statements in view + statements instead of the global option + statement. + A rate-limit statement in a view replaces + instead of being merged with a rate-limit + statement among the main options. + DNS clients within a view can be exempted from rate limits + with the exempt-clients clause. +

+

+ UDP responses of all kinds can be limited with the + all-per-second phrase. + This rate limiting is unlike the rate limiting provided by + responses-per-second, + errors-per-second, and + nxdomains-per-second on a DNS server + which are often invisible to the victim of a DNS reflection attack. + Unless the forged requests of the attack are the same as the + legitimate requests of the victim, the victim's requests are + not affected. + Responses affected by an all-per-second limit + are always dropped; the slip value has no + effect. + An all-per-second limit should be + at least 4 times as large as the other limits, + because single DNS clients often send bursts of legitimate + requests. + For example, the receipt of a single mail message can prompt + requests from an SMTP server for NS, PTR, A, and AAAA records + as the incoming SMTP/TCP/IP connection is considered. + The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF + records as it considers the STMP Mail From + command. + Web browsers often repeatedly resolve the same names that + are repeated in HTML <IMG> tags in a page. + All-per-second is similar to the + rate limiting offered by firewalls but often inferior. + Attacks that justify ignoring the + contents of DNS responses are likely to be attacks on the + DNS server itself. + They usually should be discarded before the DNS server + spends resources make TCP connections or parsing DNS requesets, + but that rate limiting must be done before the + DNS server sees the requests. +

+

+ The maximum size of the table used to track requests and + rate limit responses is set with max-table-size. + Each entry in the table is between 40 and 80 bytes. + The table needs approximately as many entries as the number + of requests received per second. + The default is 20,000. + To reduce the cold start of growing the table, + min-table-size (default 500) + can set the minimum table size. + Enable rate-limit category logging to monitor + expansions of the table and inform + choices for the initial and maximum table size. +

+

+ Use log-only yes to test rate limiting parameters + without actually dropping any requests. +

+

+ Responses dropped by rate limits are included in the + RateDropped and QryDropped + statistics. + Responses that truncated by rate limits are included in + RateSlipped and RespTruncated.

@@ -6241,7 +6509,7 @@ ns.domain.com.rpz-nsdname CNAME .

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement @@ -6301,7 +6569,7 @@ ns.domain.com.rpz-nsdname CNAME .

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines @@ -6341,7 +6609,7 @@ ns.domain.com.rpz-nsdname CNAME .

-managed-keys Statement Grammar

+managed-keys Statement Grammar
managed-keys {
     name initial-key flags protocol algorithm key-data ;
     [ name initial-key flags protocol algorithm key-data ; [...]]
@@ -6479,7 +6747,7 @@ ns.domain.com.rpz-nsdname   CNAME   .
 
 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -6790,10 +7058,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 
@@ -7073,7 +7341,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -7095,7 +7363,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
allow-notify

 

@@ -8006,7 +8274,7 @@ example.com. NS ns2.example.net.
 

 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -8019,7 +8287,7 @@ example.com. NS ns2.example.net.
           

 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -8756,7 +9024,7 @@ example.com. NS ns2.example.net.
 
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -8959,7 +9227,7 @@ example.com. NS ns2.example.net.
 
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -9215,7 +9483,7 @@ example.com. NS ns2.example.net.
 
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -9276,7 +9544,7 @@ example.com. NS ns2.example.net.
 
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -9291,7 +9559,7 @@ example.com. NS ns2.example.net.
           

 

 

-The @ (at-sign)

+The @ (at-sign)

 

               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -9302,7 +9570,7 @@ example.com. NS ns2.example.net.
 
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -9331,7 +9599,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -9367,7 +9635,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -9386,7 +9654,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
@@ -9828,7 +10096,7 @@ HOST-127.EXAMPLE. MX 0 .
           

 

 

-Name Server Statistics Counters

+Name Server Statistics Counters

 

 
 

@@ -10380,12 +10648,51 @@ HOST-127.EXAMPLE. MX 0 .
                       

+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

 
 

                     
 

+                      
RateDropped

+                    		
+                      

+                    		
+                      

+                        Responses dropped by rate limits.
+                      

+                    

+                      
RateSlipped

+                    		
+                      

+                    		
+                      

+                        Responses truncated by rate limits.
+                      

+                    

+                      
RPZRewrites

+                    		
+                      

+                    		
+                      

+                        Response policy zone rewrites.
+                      

+                    

 
 

 
 

 

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters

 
@@ -10539,7 +10846,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Resolver Statistics Counters

+Resolver Statistics Counters

 
 

 
 
@@ -10922,7 +11229,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

               Socket I/O statistics counters are defined per socket
               types, which are
@@ -11077,7 +11384,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 617c3642606..f272efba02b 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -46,10 +46,10 @@
 
Table of Contents

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -114,7 +114,7 @@ zone "example.com" {
 

 

-Chroot and Setuid
+Chroot and Setuid
 

 

           On UNIX servers, it is possible to run BIND
@@ -140,7 +140,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

             In order for a chroot environment
             to
@@ -168,7 +168,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index b99a9c502ee..f4cb3fc91e6 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

-Common Problems

+Common Problems

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 84bc225b000..74430f963f6 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -45,31 +45,31 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 A Brief History of the DNS and BIND
@@ -172,7 +172,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -260,17 +260,17 @@
           

 

 

-Bibliography

+Bibliography

 
Standards

 

-
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

+
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

 

 

-
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

+
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

 

 

-
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 

 

 

@@ -278,42 +278,42 @@
 

 Proposed Standards

 

-
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 

 

 

-
[RFC2308] M. Andrews. Negative Caching of DNS
+
[RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 

 

 

-
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

+
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

 

 

-
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

+
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

 

 

-
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

+
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

 

 

-
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

+
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

 

 

-
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

+
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

 

 

-
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

+
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

 

 

-
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

+
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

 

 

-
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

+
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

 

 

-
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

+
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

 

 

-
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 

 

@@ -322,19 +322,19 @@
 

 DNS Security Proposed Standards

 

-
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

+
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

 

 

-
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

+
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

 

 

-
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

+
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

 

 

-
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

+
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

 

 

-
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 

 

 
@@ -342,146 +342,146 @@
 
Other Important RFCs About DNS
                 Implementation

 

-
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 

 

 

-
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 

 

 

-
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

+
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

 

 

-
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 

 

 
 

 
Resource Record Types

 

-
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

+
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

 

 

-
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

+
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

 

 

-
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 

 

 

-
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 

 

 

-
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 

 

 

-
[RFC2163] A. Allocchio. Using the Internet DNS to
+
[RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 

 

 

-
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

+
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

 

 

-
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

+
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

+
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

+
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

 

 

-
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

+
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

 

 

-
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

+
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

 

 

-
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

+
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

 

 

-
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

+
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

 

 

-
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 

 

 

-
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

+
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

 

 

 

 

 DNS and the Internet

 

-
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 

 

 

-
[RFC1123] Braden. Requirements for Internet Hosts - Application and
+
[RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 

 

 

-
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

+
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

 

 

-
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

+
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

 

 

-
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

+
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

 

 

-
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

+
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

 

 

 

 

 DNS Operations

 

-
[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 

+
[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 

 

 

-
[RFC1537] P. Beertema. Common DNS Data File
+
[RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 

 

 

-
[RFC1912] D. Barr. Common DNS Operational and
+
[RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 

 

 

-
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 

+
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 

 

 

-
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 

 

 

 

 
Internationalized Domain Names

 

-
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 

 

 

-
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

+
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

 

 

-
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

+
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

 

 

-
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 

 

@@ -497,47 +497,47 @@
                 

 

 

-
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 

 

 

-
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

+
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

 

 

-
[RFC1794] T. Brisco. DNS Support for Load
+
[RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 

 

 

-
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

+
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

 

 

-
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

+
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

 

 

-
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

+
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

 

 

-
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

+
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

 

 

-
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 

 

 

-
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

+
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

 

 
 

 
Obsolete and Unimplemented Experimental RFC

 

-
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 

 

 

-
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

+
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

 

 

-
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 

 

 

@@ -551,39 +551,39 @@
                 

 
 

-
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

+
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

 

 

-
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

+
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

 

 

-
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

+
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

 

 

-
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 

 

 

-
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

+
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

 

 

-
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

+
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

 

 

-
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

+
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

 

 

-
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

+
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

 

 

-
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

+
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

 

 

-
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 

 

 

-
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

+
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

 

 
 
@@ -604,14 +604,14 @@
 
 

 

-Other Documents About BIND
+Other Documents About BIND
 

 

 

 

-Bibliography

+Bibliography

 

-
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

+
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 

 
 
@@ -648,7 +648,7 @@
 
 

 

-Prerequisite

+Prerequisite

 
GNU make is required to build the export libraries (other
   part of BIND 9 can still be built with other types of make). In
   the reminder of this document, "make" means GNU make. Note that
@@ -657,7 +657,7 @@
 
 

 

-Compilation

+Compilation

 
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -672,7 +672,7 @@ $ make
 
 

 

-Installation

+Installation

 
 $ cd lib/export
 $ make install
@@ -694,7 +694,7 @@ $ make install
 
 

 

-Known Defects/Restrictions

+Known Defects/Restrictions

 
    
 
  • Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
@@ -734,7 +734,7 @@ $ make
 

 

 

-The dns.conf File

+The dns.conf File

 
The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
@@ -752,14 +752,14 @@ $ make
 
 

 

-Sample Applications

+Sample Applications

 
Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   

 

 

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

 

   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
@@ -823,7 +823,7 @@ $ make
 
 

 

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

 

   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
@@ -864,7 +864,7 @@ $ make
 
 

 

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

 

   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
@@ -905,7 +905,7 @@ $ make
 
 

 

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

 

   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -922,7 +922,7 @@ $ make
 
 

 

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

 

   It accepts a single update command as a
   command-line argument, sends an update request message to the
@@ -1017,7 +1017,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 

 

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

 

   It checks a set
   of domains to see the name servers of the domains behave
@@ -1074,7 +1074,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 

 

-Library References

+Library References

 
As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index f12e71c1c8f..337cfeaafe3 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -113,38 +113,38 @@
 
 
DNSSEC, Dynamic Zones, and Automatic Signing

 

-
Converting from insecure to secure

+
Converting from insecure to secure

 
Dynamic DNS update method

 
Fully automatic zone signing

-
Private-type records

-
DNSKEY rollovers

-
Dynamic DNS update method

-
Automatic key rollovers

-
NSEC3PARAM rollovers via UPDATE

-
Converting from NSEC to NSEC3

-
Converting from NSEC3 to NSEC

-
Converting from secure to insecure

-
Periodic re-signing

-
NSEC3 and OPTOUT

+
Private-type records

+
DNSKEY rollovers

+
Dynamic DNS update method

+
Automatic key rollovers

+
NSEC3PARAM rollovers via UPDATE

+
Converting from NSEC to NSEC3

+
Converting from NSEC3 to NSEC

+
Converting from secure to insecure

+
Periodic re-signing

+
NSEC3 and OPTOUT

 

 
Dynamic Trust Anchor Management

 

-
Validating Resolver

-
Authoritative Server

+
Validating Resolver

+
Authoritative Server

 

 
PKCS #11 (Cryptoki) support

 

-
Prerequisites

-
Building BIND 9 with PKCS#11

-
PKCS #11 Tools

-
Using the HSM

-
Specifying the engine on the command line

-
Running named with automatic zone re-signing

+
Prerequisites

+
Building BIND 9 with PKCS#11

+
PKCS #11 Tools

+
Using the HSM

+
Specifying the engine on the command line

+
Running named with automatic zone re-signing

 

 
DLZ (Dynamically Loadable Zones)

 

-
Configuring DLZ

-
Sample DLZ Driver

+
Configuring DLZ

+
Sample DLZ Driver

 

 
IPv6 Support in BIND 9

 

@@ -180,40 +180,40 @@
 
logging Statement Grammar

 
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

 
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Definition
             and Usage

-
managed-keys Statement Grammar

+
managed-keys Statement Grammar

 
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
BIND9 Statistics

@@ -222,41 +222,41 @@
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 
I. Manual pages

diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 8aeff28a6ef..fcae887ba36 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
 
arpaname  {ipaddress ...}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       arpaname translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 76f85f64f4e..80e60e6e447 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -50,7 +50,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -77,7 +77,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -144,7 +144,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -152,7 +152,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 394eca2d2d3..e68b09f9500 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -152,7 +152,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -256,7 +256,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -607,7 +607,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -653,7 +653,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -667,14 +667,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -682,7 +682,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index ed712f6ff2f..890a0bbca07 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -51,14 +51,14 @@
 
dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-T TTL] [-f file] [-A] [-v level] {dnsname}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -135,7 +135,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -150,7 +150,7 @@
     

 

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -164,13 +164,13 @@
     

 

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -180,7 +180,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index c1b269cc49b..8f0efa59723 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
 
dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] [-y] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -192,7 +192,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -239,7 +239,7 @@
 

 
 

-
GENERATED KEY FILES

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -278,7 +278,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -286,7 +286,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 0bbe1af7fe9..94bac2e0cf9 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-z] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -274,7 +274,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -345,7 +345,7 @@
 

 
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -391,7 +391,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -412,7 +412,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -421,7 +421,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 2cc25fdd586..e61beb49666 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] [-R] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -96,14 +96,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index d89d7c152cd..35731db4557 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
 
dnssec-settime  [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -76,7 +76,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f

 

@@ -118,7 +118,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -197,7 +197,7 @@
 

 
 

-
PRINTING OPTIONS

+
PRINTING OPTIONS

 

       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -223,7 +223,7 @@
 

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -231,7 +231,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index ff74dc26760..6643eb99843 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -466,7 +466,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -496,14 +496,14 @@ db.example.com.signed
 %

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index 724eac8ed85..85d37525c7f 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
 
dnssec-verify  [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-x] [-z] {zonefile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-verify
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-c class

 

@@ -120,7 +120,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -128,7 +128,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 95aaefda080..ba1a7a2c4d4 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
 
genrandom  [-n number] {size} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       genrandom
       generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 
-n number

 

@@ -77,14 +77,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       rand(3),
       arc4random(3)
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 556dcf2d7d1..e8704fb0d9e 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index 0fc202ad3f0..311a9de8287 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
 
isc-hmac-fixup  {algorithm} {secret}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
     

 

 

-
SECURITY CONSIDERATIONS

+
SECURITY CONSIDERATIONS

 

       Secrets that have been converted by isc-hmac-fixup
       are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 2104.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 62ddb2ec721..890bed48c9f 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
 
named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a
       named configuration file.  The file is parsed
@@ -70,7 +70,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -109,21 +109,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index e7cf890743f..d5a7c292275 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-L serial] [-r mode] [-s style] [-t directory] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -290,14 +290,14 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkconf(8),
       RFC 1035,
@@ -305,7 +305,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index b1732172b8c..56d8b9847a5 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
 
named-journalprint  {journal}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       named-journalprint
       prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       named(8),
       nsupdate(8),
@@ -84,7 +84,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 1a82d24b09f..e0f8b3d0f89 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -256,7 +256,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -277,7 +277,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -294,7 +294,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -307,7 +307,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -320,7 +320,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 2f7d3d2511b..1d7aeba32f9 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
 
nsec3hash  {salt} {algorithm} {iterations} {domain}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       nsec3hash generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 
salt

 

@@ -80,14 +80,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 5155.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 04eea8bfec0..1b673b53d26 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
 
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [filename]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -226,7 +226,7 @@
     

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -514,7 +514,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -568,7 +568,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -591,7 +591,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 2136,
       RFC 3007,
@@ -606,7 +606,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 200d02b3852..b2504576034 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -173,7 +173,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 537e34c5f9d..475d3426875 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index b94ed0488f7..8fb01b6bfed 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -151,7 +151,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/misc/options b/doc/misc/options
index a5efa90b37b..f7f3422538b 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -197,6 +197,22 @@ options {
         queryport-pool-ports ; // obsolete
         queryport-pool-updateinterval ; // obsolete
         random-device ;
+        rate-limit {
+                IPv4-prefix-length ;
+                IPv6-prefix-length ;
+                all-per-second ;
+                errors-per-second ;
+                exempt-clients { ; ... };
+                log-only ;
+                max-table-size ;
+                min-table-size ;
+                nxdomains-per-second ;
+                qps-scale ;
+                responses-per-second ;
+                responses-per-second ;
+                slip ;
+                window ;
+        };
         recursing-file ;
         recursion ;
         recursive-clients ;
@@ -209,7 +225,8 @@ options {
             | passthru | no-op | nxdomain | nodata | cname 
             ) ] [ recursive-only  ] [ max-policy-ttl  ];
             ... } [ recursive-only  ] [ break-dnssec  ] [
-            max-policy-ttl  ];
+            max-policy-ttl  ] [ min-ns-dots  ] [
+            qname-wait-recurse  ];
         rfc2308-type1 ; // not yet implemented
         root-delegation-only [ exclude { ; ... } ];
         rrset-order { [ class  ] [ type  ] [ name
@@ -414,6 +431,22 @@ view   {
         query-source-v6 ;
         queryport-pool-ports ; // obsolete
         queryport-pool-updateinterval ; // obsolete
+        rate-limit {
+                IPv4-prefix-length ;
+                IPv6-prefix-length ;
+                all-per-second ;
+                errors-per-second ;
+                exempt-clients { ; ... };
+                log-only ;
+                max-table-size ;
+                min-table-size ;
+                nxdomains-per-second ;
+                qps-scale ;
+                responses-per-second ;
+                responses-per-second ;
+                slip ;
+                window ;
+        };
         recursion ;
         request-ixfr ;
         request-ixfr ;
@@ -423,7 +456,8 @@ view   {
             | passthru | no-op | nxdomain | nodata | cname 
             ) ] [ recursive-only  ] [ max-policy-ttl  ];
             ... } [ recursive-only  ] [ break-dnssec  ] [
-            max-policy-ttl  ];
+            max-policy-ttl  ] [ min-ns-dots  ] [
+            qname-wait-recurse  ];
         rfc2308-type1 ; // not yet implemented
         root-delegation-only [ exclude { ; ... } ];
         rrset-order { [ class  ] [ type  ] [ name