From: Tinderbox User
For more detailed information about the design of the DNS and
the DNS protocol, please refer to the standards documents listed in
- the section called “Request for Comments (RFCs)”.
+ the section called “Request for Comments (RFCs)”.
When acting as a master, BIND 9
@@ -1080,7 +1080,7 @@ options {
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains. Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the
auto-dnssec zone option.
-
-
@@ -248,7 +248,7 @@
The incremental zone transfer (IXFR) protocol is a way for
slave servers to transfer only changed data, instead of having to
transfer the entire zone. The IXFR protocol is specified in RFC
- 1995. See Proposed Standards.
+ 1995. See Proposed Standards.
To insert the keys via dynamic update:
% nsupdate
@@ -1142,7 +1142,7 @@ options {
While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.
+Fully automatic zone signing
To enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf.
@@ -1198,7 +1198,7 @@ options {
configuration. If this has not been done, the configuration will
fail.
+Private-type records
The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
@@ -1239,12 +1239,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
auto-dnssec zone option.
+Dynamic DNS update method
To perform key rollovers via dynamic update, you need to add
the K* files for the new keys so that
named can find them. You can then add the new
@@ -1266,7 +1266,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
+Automatic key rollovers
When a new key reaches its activation date (as set by
dnssec-keygen or dnssec-settime),
if the auto-dnssec zone option is set to
@@ -1281,27 +1281,27 @@ options {
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATE
Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.
+Converting from NSEC to NSEC3
To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.
+Converting from NSEC3 to NSEC
To do this, use nsupdate to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.
+Converting from secure to insecure
To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1316,14 +1316,14 @@ options {
allow instead (or it will re-sign).
+Periodic re-signing
In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.
+NSEC3 and OPTOUT
named only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@@ -1345,7 +1345,7 @@ options {
configuration files.
To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
managed-keys statement. Information about
@@ -1356,7 +1356,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1452,7 +1452,7 @@ $ dnssec-signzone -S -K keys example.net<
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
@@ -1461,7 +1461,7 @@ $ dnssec-signzone -S -K keys example.net<
Native PKCS#11 mode will only work with an HSM capable of carrying
out every cryptographic operation BIND 9 may
@@ -1495,7 +1495,7 @@ $ ./configure --enable-native-pkcs11 \
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1553,7 +1553,7 @@ $ ./configure --enable-native-pkcs11 \
$ wget http://www.openssl.org/source/openssl-0.9.8y.tar.gz
@@ -1586,7 +1586,7 @@ $ patch -p1 -d openssl-0.9.8y \
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
@@ -1628,7 +1628,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
The SCA-6000 PKCS#11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1657,7 +1657,7 @@ $ ./Configure solaris64-x86_64-cc \
SoftHSM is a software library provided by the OpenDNSSEC
project (http://www.opendnssec.org) which provides a PKCS#11
@@ -1730,7 +1730,7 @@ $ ./Configure linux-x86_64 -pthread \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1750,7 +1750,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1772,7 +1772,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
$ cd ../bind9
$ ./configure --enable-threads \
@@ -1793,7 +1793,7 @@ $ ./configure --enable-threads \
BIND 9 includes a minimal set of tools to operate the
HSM, including
@@ -1816,7 +1816,7 @@ $ ./configure --enable-threads \
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1937,7 +1937,7 @@ example.net.signed
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in named and all of
@@ -1969,7 +1969,7 @@ $ dnssec-signzone -E '' -S example.net
If you want named to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2056,7 +2056,7 @@ $ dnssec-signzone -E '' -S example.net
A DLZ database is configured with a dlz
statement in named.conf:
@@ -2105,7 +2105,7 @@ $ dnssec-signzone -E '' -S example.net
For guidance in implementation of DLZ modules, the directory
contrib/dlz/example contains a basic
@@ -2189,7 +2189,7 @@ $ dnssec-signzone -E '' -S example.net
For an overview of the format and structure of IPv6 addresses,
- see the section called “IPv6 addresses (AAAA)”.
+ see the section called “IPv6 addresses (AAAA)”.
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index e436155a218..bb712e818ca 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -23,7 +23,7 @@
-
+
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index be1a28d71f8..4cdb0687de4 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -18,17 +18,17 @@
-Appendix A. Appendices
+Appendix A. Release Notes
-
+
diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index f05ea39ca40..44fc8415652 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -18,118 +18,132 @@
-Manual pages
+Appendix B. A Brief History of the DNS and BIND
-
-
+
+
-
-
+
+
Table of Contents
-
--
-dig — DNS lookup utility
-
--
-host — DNS lookup utility
-
--
-delv — DNS lookup and validation utility
-
--
-dnssec-checkds — A DNSSEC delegation consistency checking tool.
-
--
-dnssec-coverage — checks future DNSKEY coverage for a zone
-
--
-dnssec-dsfromkey — DNSSEC DS RR generation tool
-
--
-dnssec-importkey — Import DNSKEY records from external systems so they can be managed.
-
--
-dnssec-keyfromlabel — DNSSEC key generation tool
-
--
-dnssec-keygen — DNSSEC key generation tool
-
--
-dnssec-revoke — Set the REVOKED bit on a DNSSEC key
-
--
-dnssec-settime — Set the key timing metadata for a DNSSEC key
-
--
-dnssec-signzone — DNSSEC zone signing tool
-
--
-dnssec-verify — DNSSEC zone verification tool
-
--
-named-checkconf — named configuration file syntax checking tool
-
--
-named-checkzone — zone file validity checking or converting tool
-
--
-named — Internet domain name server
-
--
-named-journalprint — print zone journal in human-readable form
-
--
-named-rrchecker — A syntax checker for individual DNS resource records
-
--
-nsupdate — Dynamic DNS update utility
-
--
-rndc — name server control utility
-
--
-
rndc.conf — rndc configuration file
-
--
-rndc-confgen — rndc key generation tool
-
--
-ddns-confgen — ddns key generation tool
-
--
-arpaname — translate IP addresses to the corresponding ARPA names
-
--
-genrandom — generate a file containing random data
-
--
-isc-hmac-fixup — fixes HMAC keys generated by older versions of BIND
-
--
-nsec3hash — generate NSEC3 hash
-
-
+
+
+
+
+
+ Although the "official" beginning of the Domain Name
+ System occurred in 1984 with the publication of RFC 920, the
+ core of the new system was described in 1983 in RFCs 882 and
+ 883. From 1984 to 1987, the ARPAnet (the precursor to today's
+ Internet) became a testbed of experimentation for developing the
+ new naming/addressing scheme in a rapidly expanding,
+ operational network environment. New RFCs were written and
+ published in 1987 that modified the original documents to
+ incorporate improvements based on the working model. RFC 1034,
+ "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
+ Names-Implementation and Specification" were published and
+ became the standards upon which all DNS implementations are
+ built.
+
+
+ The first working domain name server, called "Jeeves", was
+ written in 1983-84 by Paul Mockapetris for operation on DEC
+ Tops-20
+ machines located at the University of Southern California's
+ Information
+ Sciences Institute (USC-ISI) and SRI International's Network
+ Information
+ Center (SRI-NIC). A DNS server for
+ Unix machines, the Berkeley Internet
+ Name Domain (BIND) package, was
+ written soon after by a group of
+ graduate students at the University of California at Berkeley
+ under
+ a grant from the US Defense Advanced Research Projects
+ Administration
+ (DARPA).
+
+
+ Versions of BIND through
+ 4.8.3 were maintained by the Computer
+ Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
+ Painter, David Riggle and Songnian Zhou made up the initial BIND
+ project team. After that, additional work on the software package
+ was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
+ Corporation
+ employee on loan to the CSRG, worked on BIND for 2 years, from 1985
+ to 1987. Many other people also contributed to BIND development
+ during that time: Doug Kingston, Craig Partridge, Smoot
+ Carl-Mitchell,
+ Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently
+ handled by Mike Karels and Øivind Kure.
+
+
+ BIND versions 4.9 and 4.9.1 were
+ released by Digital Equipment
+ Corporation (now Compaq Computer Corporation). Paul Vixie, then
+ a DEC employee, became BIND's
+ primary caretaker. He was assisted
+ by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
+ Beecher, Andrew
+ Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
+ Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
+ Wolfhugel, and others.
+
+
+ In 1994, BIND version 4.9.2 was sponsored by
+ Vixie Enterprises. Paul
+ Vixie became BIND's principal
+ architect/programmer.
+
+
+ BIND versions from 4.9.3 onward
+ have been developed and maintained
+ by the Internet Systems Consortium and its predecessor,
+ the Internet Software Consortium, with support being provided
+ by ISC's sponsors.
+
+
+ As co-architects/programmers, Bob Halley and
+ Paul Vixie released the first production-ready version of
+ BIND version 8 in May 1997.
+
+
+ BIND version 9 was released in September 2000 and is a
+ major rewrite of nearly all aspects of the underlying
+ BIND architecture.
+
+
+ BIND versions 4 and 8 are officially deprecated.
+ No additional development is done
+ on BIND version 4 or BIND version 8.
+
+
+ BIND development work is made
+ possible today by the sponsorship
+ of several corporations, and by the tireless work efforts of
+ numerous individuals.
+
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index b8468663fb0..c2bd8ba066b 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -114,39 +114,39 @@
DNSSEC, Dynamic Zones, and Automatic Signing
-- Converting from insecure to secure
-- Dynamic DNS update method
-- Fully automatic zone signing
-- Private-type records
-- DNSKEY rollovers
-- Dynamic DNS update method
-- Automatic key rollovers
-- NSEC3PARAM rollovers via UPDATE
-- Converting from NSEC to NSEC3
-- Converting from NSEC3 to NSEC
-- Converting from secure to insecure
-- Periodic re-signing
-- NSEC3 and OPTOUT
+- Converting from insecure to secure
+- Dynamic DNS update method
+- Fully automatic zone signing
+- Private-type records
+- DNSKEY rollovers
+- Dynamic DNS update method
+- Automatic key rollovers
+- NSEC3PARAM rollovers via UPDATE
+- Converting from NSEC to NSEC3
+- Converting from NSEC3 to NSEC
+- Converting from secure to insecure
+- Periodic re-signing
+- NSEC3 and OPTOUT
Dynamic Trust Anchor Management
PKCS#11 (Cryptoki) support
-- Prerequisites
-- Native PKCS#11
-- OpenSSL-based PKCS#11
-- PKCS#11 Tools
-- Using the HSM
-- Specifying the engine on the command line
-- Running named with automatic zone re-signing
+- Prerequisites
+- Native PKCS#11
+- OpenSSL-based PKCS#11
+- PKCS#11 Tools
+- Using the HSM
+- Specifying the engine on the command line
+- Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
IPv6 Support in BIND 9
@@ -238,9 +238,9 @@
- Incrementing and Changing the Serial Number
- Where Can I Get Help?
-A. Appendices
+A. Release Notes
+B. A Brief History of the DNS and BIND
+
+C. General DNS Reference Information
+
+D. BIND 9 DNS Library Support
+
-I. Manual pages
+I. Manual pages
-
dig — DNS lookup utility
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 9e0a8dc7a5d..14259e56719 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -21,7 +21,7 @@
arpaname
-
+
@@ -50,20 +50,20 @@
arpaname {ipaddress ...}
-DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
@@ -74,7 +74,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index fd48f497e61..7708ba157ee 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -21,7 +21,7 @@
ddns-confgen
-
+
@@ -51,7 +51,7 @@
ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name | -z zone ]
-DESCRIPTION
+DESCRIPTION
tsig-keygen and ddns-confgen
are invocation methods for a utility that generates keys for use
@@ -87,7 +87,7 @@
@@ -178,7 +178,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index 4177808ef1d..58f5d4957cc 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -21,7 +21,7 @@
delv
-
+
@@ -53,7 +53,7 @@
delv [queryopt...] [query...]
-DESCRIPTION
+DESCRIPTION
delv
(Domain Entity Lookup & Validation) is a tool for sending
DNS queries and validating the results, using the the same internal
@@ -96,7 +96,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
delv
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
@@ -471,12 +471,12 @@
-SEE ALSO
+SEE ALSO
dig(1),
named(8),
RFC4034,
@@ -493,7 +493,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 37258daa8fa..b15ddd6b75a 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -21,8 +21,8 @@
dig
-
-
+
+
@@ -31,7 +31,7 @@
dig
-Prev
+Prev
Manual pages
Next
@@ -52,7 +52,7 @@
dig [global-queryopt...] [query...]
-DESCRIPTION
+DESCRIPTION
dig
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -99,7 +99,7 @@
-OPTIONS
+OPTIONS
The -b option sets the source IP address of the query
to address. This must be a valid
@@ -260,7 +260,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
dig
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -688,7 +688,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig
supports
@@ -734,7 +734,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -748,14 +748,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1),
named(8),
dnssec-keygen(8),
@@ -763,7 +763,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
@@ -774,8 +774,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-Prev
-Up
+Prev
+Up
Next
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index 230944321da..4778c778a82 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -21,7 +21,7 @@
dnssec-checkds
-
+
@@ -51,7 +51,7 @@
dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}
-DESCRIPTION
+DESCRIPTION
dnssec-checkds
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
@@ -106,7 +106,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index e805652e103..d7434373b6a 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -21,7 +21,7 @@
dnssec-coverage
-
+
@@ -50,7 +50,7 @@
dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]
-DESCRIPTION
+DESCRIPTION
dnssec-coverage
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
@@ -212,7 +212,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 2a659b9b725..8f317dc6414 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -21,7 +21,7 @@
dnssec-dsfromkey
-
+
@@ -52,14 +52,14 @@
dnssec-dsfromkey [-h] [-V]
-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name
@@ -173,13 +173,13 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -189,7 +189,7 @@
@@ -200,7 +200,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index 10980694b91..3c6b6b11152 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -21,7 +21,7 @@
dnssec-importkey
-
+
@@ -51,7 +51,7 @@
dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]
-DESCRIPTION
+DESCRIPTION
dnssec-importkey
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
@@ -71,7 +71,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -142,7 +142,7 @@
-FILES
+FILES
A keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name
@@ -151,7 +151,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -159,7 +159,7 @@
@@ -170,7 +170,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index b3016b721fc..b4d606d4fa2 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -21,7 +21,7 @@
dnssec-keyfromlabel
-
+
@@ -50,7 +50,7 @@
dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}
-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
@@ -66,7 +66,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -315,7 +315,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes
successfully,
@@ -354,7 +354,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -363,7 +363,7 @@
@@ -374,7 +374,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index f1ba9912612..6b4bcf1d747 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -21,7 +21,7 @@
dnssec-keygen
-
+
@@ -50,7 +50,7 @@
dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}
-DESCRIPTION
+DESCRIPTION
dnssec-keygen
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -359,7 +359,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be
@@ -426,7 +426,7 @@
-SEE ALSO
+SEE ALSO
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
@@ -435,7 +435,7 @@
@@ -446,7 +446,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 55d842c09de..fa1853d76d5 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -21,7 +21,7 @@
dnssec-revoke
-
+
@@ -50,7 +50,7 @@
dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}
-DESCRIPTION
+DESCRIPTION
dnssec-revoke
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
@@ -127,7 +127,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 6ae85879040..4a3b9bfd3bc 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -21,7 +21,7 @@
dnssec-settime
-
+
@@ -50,7 +50,7 @@
dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}
-DESCRIPTION
+DESCRIPTION
dnssec-settime
reads a DNSSEC private key file and sets the key timing metadata
as specified by the -P, -A,
@@ -76,7 +76,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -210,7 +210,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the
timing metadata associated with a key.
@@ -236,7 +236,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -244,7 +244,7 @@
@@ -255,7 +255,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index e9ef1cb75a2..0ec695ee72d 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -21,7 +21,7 @@
dnssec-signzone
-
+
@@ -50,7 +50,7 @@
dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
-DESCRIPTION
+DESCRIPTION
dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
-EXAMPLE
+EXAMPLE
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -542,14 +542,14 @@ db.example.com.signed
%
@@ -560,7 +560,7 @@ db.example.com.signed
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index f8b60dd6cc7..51452acbfc0 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -21,7 +21,7 @@
dnssec-verify
-
+
@@ -50,7 +50,7 @@
dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}
-DESCRIPTION
+DESCRIPTION
dnssec-verify
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
@@ -157,7 +157,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 660f5984873..815dbf12775 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -21,7 +21,7 @@
genrandom
-
+
@@ -50,7 +50,7 @@
genrandom [-n number] {size} {filename}
-DESCRIPTION
+DESCRIPTION
genrandom
generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
@@ -95,7 +95,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 350d39b11a6..4430fe5db09 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -21,7 +21,7 @@
host
-
+
@@ -50,7 +50,7 @@
host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]
-DESCRIPTION
+DESCRIPTION
host
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -214,7 +214,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -228,12 +228,12 @@
-SEE ALSO
+SEE ALSO
dig(1),
named(8).
@@ -245,7 +245,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index d75c77fd90f..0ec4bec7f01 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -21,7 +21,7 @@
isc-hmac-fixup
-
+
@@ -50,7 +50,7 @@
isc-hmac-fixup {algorithm} {secret}
-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
-SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup
are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
@@ -105,7 +105,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 07a61213bca..e503db0b754 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -21,7 +21,7 @@
named-checkconf
-
+
@@ -50,7 +50,7 @@
named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]
-DESCRIPTION
+DESCRIPTION
named-checkconf
checks the syntax, but not the semantics, of a
named configuration file. The file is parsed
@@ -70,7 +70,7 @@
-RETURN VALUES
+RETURN VALUES
named-checkconf
returns an exit status of 1 if
errors were detected and 0 otherwise.
@@ -144,7 +144,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index c9f7ad82d53..b7742719523 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -21,7 +21,7 @@
named-checkzone
-
+
@@ -51,7 +51,7 @@
named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}
-DESCRIPTION
+DESCRIPTION
named-checkzone
checks the syntax and integrity of a zone file. It performs the
same checks as named does when loading a
@@ -71,7 +71,7 @@
-RETURN VALUES
+RETURN VALUES
named-checkzone
returns an exit status of 1 if
errors were detected and 0 otherwise.
@@ -331,7 +331,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index f497d60b36f..72c2e7923aa 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -21,7 +21,7 @@
named-journalprint
-
+
@@ -50,7 +50,7 @@
named-journalprint {journal}
-DESCRIPTION
+DESCRIPTION
named-journalprint
prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
@@ -95,7 +95,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index c05b6c674db..f42d3ac3597 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -21,7 +21,7 @@
named-rrchecker
-
+
@@ -50,7 +50,7 @@
named-rrchecker [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]
-DESCRIPTION
+DESCRIPTION
named-rrchecker
read a individual DNS resource record from standard input and checks if it
is syntactically correct.
@@ -78,7 +78,7 @@
-SEE ALSO
+SEE ALSO
RFC 1034,
RFC 1035,
@@ -92,7 +92,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 99b7a100b3d..e0b0ab108bd 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -21,7 +21,7 @@
named
-
+
@@ -50,7 +50,7 @@
named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-X lock-file] [-x cache-file]
-DESCRIPTION
+DESCRIPTION
named
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control
the nameserver; rndc should be used
@@ -309,7 +309,7 @@
-CONFIGURATION
+CONFIGURATION
The named configuration file is too complex
to describe in detail here. A complete description is provided
@@ -326,7 +326,7 @@
@@ -363,7 +363,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 51dd739dc55..17a7206a4cc 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -21,7 +21,7 @@
nsec3hash
-
+
@@ -48,7 +48,7 @@
nsec3hash {salt} {algorithm} {iterations} {domain}
-DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
@@ -56,7 +56,7 @@
@@ -98,7 +98,7 @@
Prev
-Up
+Up
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index d6f30c5a4de..cb466af8f91 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -21,7 +21,7 @@
nsupdate
-
+
@@ -50,7 +50,7 @@
nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]
-DESCRIPTION
+DESCRIPTION
nsupdate
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@@ -236,7 +236,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
@@ -656,7 +656,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index a7500a08201..0ff735b323e 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -21,7 +21,7 @@
rndc-confgen
-
+
@@ -50,7 +50,7 @@
rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
@@ -216,7 +216,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 58236efd022..391e4106d1f 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -21,7 +21,7 @@
rndc.conf
-
+
@@ -50,7 +50,7 @@
rndc.conf
-DESCRIPTION
+DESCRIPTION
rndc.conf is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
-NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
@@ -239,7 +239,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index db7d0d528df..3c9b1ebce13 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -21,7 +21,7 @@
rndc
-
+
@@ -50,7 +50,7 @@
rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}
-DESCRIPTION
+DESCRIPTION
rndc
controls the operation of a name
server. It supersedes the ndc utility
@@ -81,7 +81,7 @@
-COMMANDS
+COMMANDS
A list of commands supported by rndc can
be seen by running rndc without arguments.
@@ -620,7 +620,7 @@
-LIMITATIONS
+LIMITATIONS
There is currently no way to provide the shared secret for a
key_id without using the configuration file.
@@ -630,7 +630,7 @@
@@ -651,7 +651,7 @@
Prev
-Up
+Up
Next
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 4753abc405f..5b480846b28 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -19,30 +19,9 @@
-
-
+