From: Tinderbox User dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
The following command signs the Synopsis
-dnssec-signzone [-a] [-c ] [class-d ] [directory-D] [-E ] [engine-e ] [end-time-f ] [output-file-g] [-h] [-K ] [directory-k ] [key-L ] [serial-l ] [domain-M ] [domain-i ] [interval-I ] [input-format-j ] [jitter-N ] [soa-serial-format-o ] [origin-O ] [output-format-P] [-p] [-R] [-r ] [randomdev-S] [-s ] [start-time-T ] [ttl-t] [-u] [-v ] [level-V] [-X ] [extended end-time-x] [-z] [-3 ] [salt-H ] [iterations-A] {zonefile} [key...]dnssec-signzone [-a] [-c ] [class-d ] [directory-D] [-E ] [engine-e ] [end-time-f ] [output-file-g] [-h] [-K ] [directory-k ] [key-L ] [serial-l ] [domain-M ] [domain-i ] [interval-I ] [input-format-j ] [jitter-N ] [soa-serial-format-o ] [origin-O ] [output-format-P] [-p] [-Q] [-R] [-r ] [randomdev-S] [-s ] [start-time-T ] [ttl-t] [-u] [-v ] [level-V] [-X ] [extended end-time-x] [-z] [-3 ] [salt-H ] [iterations-A] {zonefile} [key...]DESCRIPTION
+DESCRIPTION
EXAMPLE
+EXAMPLE
example.com
zone with the DSA key generated by dnssec-keygen
@@ -524,14 +524,14 @@ db.example.com.signed
%
-
-
@@ -1080,7 +1080,7 @@ options {
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.
Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
@@ -1106,7 +1106,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process. +Dynamic DNS update methodTo insert the keys via dynamic update:
% nsupdate
@@ -1142,7 +1142,7 @@ options {
While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.
+Fully automatic zone signing
To enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf.
@@ -1198,7 +1198,7 @@ options {
configuration. If this has not been done, the configuration will
fail.
+Private-type records
The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
@@ -1239,12 +1239,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
auto-dnssec zone option.
+Dynamic DNS update method
To perform key rollovers via dynamic update, you need to add
the K* files for the new keys so that
named can find them. You can then add the new
@@ -1266,7 +1266,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
+Automatic key rollovers
When a new key reaches its activation date (as set by
dnssec-keygen or dnssec-settime),
if the auto-dnssec zone option is set to
@@ -1281,27 +1281,27 @@ options {
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATE
Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.
+Converting from NSEC to NSEC3
To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.
+Converting from NSEC3 to NSEC
To do this, use nsupdate to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.
+Converting from secure to insecure
To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1316,14 +1316,14 @@ options {
allow instead (or it will re-sign).
+Periodic re-signing
In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.
+NSEC3 and OPTOUT
named only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@@ -1345,7 +1345,7 @@ options {
configuration files.
To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
managed-keys statement. Information about
@@ -1356,7 +1356,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1452,7 +1452,7 @@ $ dnssec-signzone -S -K keys example.net<
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
@@ -1461,7 +1461,7 @@ $ dnssec-signzone -S -K keys example.net<
Native PKCS#11 mode will only work with an HSM capable of carrying
out every cryptographic operation BIND 9 may
@@ -1495,7 +1495,7 @@ $ ./configure --enable-native-pkcs11 \
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1553,7 +1553,7 @@ $ ./configure --enable-native-pkcs11 \
$ wget http://www.openssl.org/source/openssl-0.9.8y.tar.gz
@@ -1586,7 +1586,7 @@ $ patch -p1 -d openssl-0.9.8y \
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
@@ -1628,7 +1628,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
The SCA-6000 PKCS#11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1657,7 +1657,7 @@ $ ./Configure solaris64-x86_64-cc \
SoftHSM is a software library provided by the OpenDNSSEC
project (http://www.opendnssec.org) which provides a PKCS#11
@@ -1730,7 +1730,7 @@ $ ./Configure linux-x86_64 -pthread \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1750,7 +1750,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1772,7 +1772,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
$ cd ../bind9
$ ./configure --enable-threads \
@@ -1793,7 +1793,7 @@ $ ./configure --enable-threads \
BIND 9 includes a minimal set of tools to operate the
HSM, including
@@ -1816,7 +1816,7 @@ $ ./configure --enable-threads \
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1937,7 +1937,7 @@ example.net.signed
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in named and all of
@@ -1969,7 +1969,7 @@ $ dnssec-signzone -E '' -S example.net
If you want named to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2056,7 +2056,7 @@ $ dnssec-signzone -E '' -S example.net
A DLZ database is configured with a dlz
statement in named.conf:
@@ -2105,7 +2105,7 @@ $ dnssec-signzone -E '' -S example.net
For guidance in implementation of DLZ modules, the directory
contrib/dlz/example contains a basic
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 5115b571ac7..f3122b292d0 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -63,43 +63,43 @@
Usage
key Statement Grammar
key Statement Definition and Usage
-logging Statement Grammar
-logging Statement Definition and
+logging Statement Grammar
+logging Statement Definition and
Usage
-lwres Statement Grammar
-lwres Statement Definition and Usage
-masters Statement Grammar
-masters Statement Definition and
+lwres Statement Grammar
+lwres Statement Definition and Usage
+masters Statement Grammar
+masters Statement Definition and
Usage
-options Statement Grammar
+options Statement Grammar
options Statement Definition and
Usage
server Statement Grammar
server Statement Definition and
Usage
statistics-channels Statement Grammar
-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
Usage
trusted-keys Statement Grammar
-trusted-keys Statement Definition
+trusted-keys Statement Definition
and Usage
-managed-keys Statement Grammar
+managed-keys Statement Grammar
managed-keys Statement Definition
and Usage
view Statement Grammar
-view Statement Definition and Usage
+view Statement Definition and Usage
zone
Statement Grammar
-zone Statement Definition and Usage
+zone Statement Definition and Usage
-Zone File
+Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
@@ -1202,8 +1202,8 @@ geoip org "Internet Systems Consortium";
The algorithm_id is a string
- that specifies a security/authentication algorithm. Named
- supports hmac-md5,
+ that specifies a security/authentication algorithm. The
+ named server supports hmac-md5,
hmac-sha1, hmac-sha224,
hmac-sha256, hmac-sha384
and hmac-sha512 TSIG authentication.
@@ -1217,7 +1217,7 @@ geoip org "Internet Systems Consortium";
logging {
[ channel channel_name {
( file path_name
@@ -1241,7 +1241,7 @@ geoip org "Internet Systems Consortium";
The logging statement configures a
@@ -1275,7 +1275,7 @@ geoip org "Internet Systems Consortium";
All log output goes to one or more channels;
you can make as many of them as you want.
@@ -1888,7 +1888,7 @@ category notify { null; };
The query-errors category is
specifically intended for debugging purposes: To identify
@@ -2116,7 +2116,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the lwres
statement in the named.conf file:
@@ -2134,7 +2134,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The lwres statement configures the
name
@@ -2210,7 +2210,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
masters name [port ip_port] [dscp ip_dscp] { ( masters_list |
ip_addr [port ip_port] [key key] ) ; [...] };
@@ -2218,7 +2218,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
masters
lists allow for a common set of masters to be easily used by
@@ -2228,7 +2228,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
This is the grammar of the options
statement in the named.conf file:
@@ -2239,6 +2239,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ hostname hostname_string; ]
[ server-id server_id_string; ]
[ directory path_name; ]
+ [ geoip-directory path_name; ]
[ key-directory path_name; ]
[ managed-keys-directory path_name; ]
[ named-xfer path_name; ]
@@ -2273,6 +2274,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ notify yes_or_no | explicit | master-only; ]
[ recursion yes_or_no; ]
[ request-sit yes_or_no; ]
+ [ sit-secret secret_string; ]
[ request-nsid yes_or_no; ]
[ rfc2308-type1 yes_or_no; ]
[ use-id-pool yes_or_no; ]
@@ -2300,7 +2302,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ check-mx-cname ( warn | fail | ignore ); ]
[ check-srv-cname ( warn | fail | ignore ); ]
[ check-sibling yes_or_no; ]
- [ check-spf ( warn | fail | ignore ); ]
+ [ check-spf ( warn | ignore ); ]
[ allow-new-zones { yes_or_no }; ]
[ allow-notify { address_match_list }; ]
[ allow-query { address_match_list }; ]
@@ -2312,6 +2314,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ allow-recursion-on { address_match_list }; ]
[ allow-update { address_match_list }; ]
[ allow-update-forwarding { address_match_list }; ]
+ [ automatic-interface-scan { yes_or_no }; ]
[ update-check-ksk yes_or_no; ]
[ dnssec-update-mode ( maintain | no-resign ); ]
[ dnssec-dnskey-kskonly yes_or_no; ]
@@ -2439,6 +2442,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ max-clients-per-query number ; ]
[ masterfile-format
(text|raw|map) ; ]
+ [ masterfile-style
+ (relative|full) ; ]
[ empty-server name ; ]
[ empty-contact name ; ]
[ empty-zones-enable yes_or_no ; ]
@@ -2470,7 +2475,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
} ; ]
[ response-policy {
zone zone_name ;
- [ policy given | disabled | passthru | drop | nxdomain | nodata | cname domain ; ]
+ [ policy given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cname domain ; ]
[ recursive-only yes_or_no ; ]
[ max-policy-ttl number ; ] ;
[ recursive-only yes_or_no ; ]
@@ -2596,6 +2601,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
was started. The directory specified should be an absolute
path.
+
geoip-directory
+
+ Specifies the directory containing GeoIP
+ .dat database files for GeoIP
+ initialization. By default, this option is unset
+ and the GeoIP support will use libGeoIP's
+ built-in directory.
+ (For details, see the section called “acl Statement Definition and
+ Usage” about the
+ geoip ACL.)
+
key-directory
When performing dynamic update of secure zones, the
@@ -3989,10 +4006,13 @@ options {
The default is yes.
- Check that the two forms of Sender Policy Framework
- records (TXT records starting with "v=spf1" and SPF) either
- both exist or both don't exist. Warnings are
- emitted it they don't and be suppressed with
+ The use of the SPF record for publishing Sender
+ Policy Framework is deprecated as the migration
+ from using TXT records to SPF records was abandoned.
+ Enabling this option also checks that a TXT Sender
+ Policy Framework record exists (starts with "v=spf1")
+ if there is an SPF record. Warnings are emitted if the
+ TXT record does not exist and can be suppressed with
check-spf.
@@ -4015,11 +4035,11 @@ options {
check-spf
- When performing integrity checks, check that the
- two forms of Sender Policy Framwork records (TXT
- records starting with "v=spf1" and SPF) both exist
- or both don't exist and issue a warning if not
- met. The default is warn.
+ If check-integrity is set then
+ check that there is a TXT Sender Policy Framework
+ record present (starts with "v=spf1") if there is an
+ SPF record present. The default is
+ warn.
zero-no-soa-ttl
@@ -4129,7 +4149,7 @@ options {
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@@ -4173,7 +4193,7 @@ options {
Dual-stack servers are used as servers of last resort to work
around
@@ -4441,7 +4461,7 @@ options {
The interfaces and ports that the server will answer queries
from may be specified using the listen-on option. listen-on takes
@@ -4906,7 +4926,7 @@ avoid-v6-udp-ports {};
use-v4-udp-ports,
avoid-v4-udp-ports,
@@ -4948,7 +4968,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@@ -5109,7 +5129,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- cleaning-interval
@@ -5702,6 +5722,28 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
file.
+- masterfile-style
+-
+
+ Specifies the formatting of zone files during dump
+ when the masterfile-format is
+ text. (This option is ignored
+ with any other masterfile-format.)
+
+
+ When set to relative,
+ records are printed in a multi-line format with owner
+ names expressed relative to a shared origin. When set
+ to full, records are printed in
+ a single-line format with absolute owner names.
+ The full format is most suitable
+ when a zone file needs to be processed automatically
+ by a script. The relative format
+ is more human-readable, and is thus suitable when a
+ zone is to be edited by hand. The default is
+ relative.
+
+
-
clients-per-query, max-clients-per-query
@@ -5710,7 +5752,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
initial value (minimum) and maximum number of recursive
simultaneous clients for any given query
(<qname,qtype,qclass>) that the server will accept
- before dropping additional clients. named will attempt to
+ before dropping additional clients.
+ named will attempt to
self tune this value and changes will be logged. The
default values are 10 and 100.
@@ -5859,7 +5902,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- Named has some built-in empty zones (SOA and NS records only).
+ The named server has some built-in
+ empty zones (SOA and NS records only).
These are for zones that should normally be answered locally
and which queries should not be sent to the Internet's root
servers. The official servers which cover these namespaces
@@ -5871,9 +5915,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
IPv6 unknown address.
- Named will attempt to determine if a built-in zone already exists
- or is active (covered by a forward-only forwarding declaration)
- and will not create an empty zone in that case.
+ The server will attempt to determine if a built-in zone
+ already exists or is active (covered by a forward-only
+ forwarding declaration) and will not create an empty
+ zone in that case.
The current list of empty zones is:
@@ -6125,7 +6170,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
BIND 9 provides the ability to filter
out DNS responses from external DNS servers containing
@@ -6248,7 +6293,7 @@ deny-answer-aliases { "example.net"; };
BIND 9 includes a limited
mechanism to modify DNS responses for requests
@@ -6393,7 +6438,7 @@ deny-answer-aliases { "example.net"; };
Any of the policies can be used with any of the triggers.
For example, while the TCP-only policy is
commonly used with client-IP triggers,
- it cn be used with any type of trigger to force the use of
+ it can be used with any type of trigger to force the use of
TCP for responses with owner names in a zone.
@@ -6619,7 +6664,7 @@ example.com CNAME rpz-tcp-only.
Excessive almost identical UDP responses
can be controlled by configuring a
@@ -6891,7 +6936,7 @@ rate-limit {
as it considers the STMP Mail From
command. Web browsers often repeatedly resolve the
same names that are repeated in HTML <IMG> tags
- in a page. All-per-second is similar
+ in a page. all-per-second is similar
to the rate limiting offered by firewalls but often
inferior. Attacks that justify ignoring the contents
of DNS responses are likely to be attacks on the DNS
@@ -7159,9 +7204,9 @@ rate-limit {
whether the local server will add a SIT EDNS option
to requests sent to the server. This overrides
request-sit set at the view or
- option level. Named may determine that SIT is not
- supported by the remote server and not add a SIT
- EDNS option to requests.
+ option level. The named server may
+ determine that SIT is not supported by the remote server
+ and not add a SIT EDNS option to requests.
@@ -7176,7 +7221,7 @@ rate-limit {
The statistics-channels statement
@@ -7292,7 +7337,7 @@ rate-limit {
The trusted-keys statement defines
@@ -7336,7 +7381,7 @@ rate-limit {
managed-keys {
name initial-key flags protocol algorithm key-data ;
[ name initial-key flags protocol algorithm key-data ; [...]]
@@ -7474,7 +7519,7 @@ rate-limit {
The view statement is a powerful
feature
@@ -7611,7 +7656,7 @@ view "external" {
[ check-names (warn|fail|ignore) ; ]
[ check-mx (warn|fail|ignore) ; ]
[ check-wildcard yes_or_no; ]
- [ check-spf ( warn | fail | ignore ); ]
+ [ check-spf ( warn | ignore ); ]
[ check-integrity yes_or_no ; ]
[ dialup dialup_option ; ]
[ file string ; ]
@@ -7796,10 +7841,10 @@ zone zone_name [
@@ -8117,7 +8162,7 @@ zone zone_name [
The zone's name may optionally be followed by a class. If
a class is not specified, class IN (for Internet),
@@ -8139,7 +8184,7 @@ zone zone_name [
- allow-notify
@@ -9070,7 +9115,7 @@ example.com. NS ns2.example.net.
When multiple views are in use, a zone may be
referenced by more than one of them. Often, the views
@@ -9121,7 +9166,7 @@ view external {
@@ -9134,7 +9179,7 @@ view external {
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -9871,7 +9916,7 @@ view external {
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -10074,7 +10119,7 @@ view external {
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -10329,7 +10374,7 @@ view external {
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the in-addr.arpa domain
@@ -10390,7 +10435,7 @@ view external {
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -10405,7 +10450,7 @@ view external {
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
@@ -10416,7 +10461,7 @@ view external {
Syntax: $ORIGIN
domain-name
@@ -10445,7 +10490,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $INCLUDE
filename
@@ -10481,7 +10526,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $TTL
default-ttl
@@ -10500,7 +10545,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $GENERATE
range
@@ -10943,7 +10988,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -11539,7 +11584,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -11693,7 +11738,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -12076,7 +12121,7 @@ HOST-127.EXAMPLE. MX 0 .
Socket I/O statistics counters are defined per socket
types, which are
@@ -12231,7 +12276,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available
in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 87700dfded5..13cb5486396 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -46,10 +46,10 @@
Table of Contents
@@ -114,7 +114,7 @@ zone "example.com" {
On UNIX servers, it is possible to run BIND
@@ -140,7 +140,7 @@ zone "example.com" {
In order for a chroot environment
to
@@ -168,7 +168,7 @@ zone "example.com" {
Prior to running the named daemon,
use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 3023a6308a5..e8ef6c0e7dd 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -45,18 +45,18 @@
Table of Contents
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
Zone serial numbers are just numbers — they aren't
date related. A lot of people set them to a number that
@@ -95,7 +95,7 @@
The Internet Systems Consortium
(ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 6d3e33fa49d..512357019cc 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -45,31 +45,31 @@
Table of Contents
Standards
-[RFC974] Mail Routing and the Domain System. January 1986.
+[RFC974] Mail Routing and the Domain System. January 1986.
@@ -278,42 +278,42 @@
Proposed Standards
-[RFC1995] Incremental Zone Transfer in DNS. August 1996.
+[RFC1995] Incremental Zone Transfer in DNS. August 1996.
-[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
+[RFC1996] A Mechanism for Prompt Notification of Zone Changes. August 1996.
-[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
+[RFC2136] Dynamic Updates in the Domain Name System. April 1997.
-[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
+[RFC2671] Extension Mechanisms for DNS (EDNS0). August 1997.
-[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
+[RFC2672] Non-Terminal DNS Name Redirection. August 1999.
-[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
+[RFC2845] Secret Key Transaction Authentication for DNS (TSIG). May 2000.
-[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
+[RFC2930] Secret Key Establishment for DNS (TKEY RR). September 2000.
-[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
+[RFC2931] DNS Request and Transaction Signatures (SIG(0)s). September 2000.
-[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
+[RFC3007] Secure Domain Name System (DNS) Dynamic Update. November 2000.
-[RFC3645] Generic Security Service Algorithm for Secret
+[RFC3645] Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG). October 2003.
@@ -322,19 +322,19 @@
DNS Security Proposed Standards
-[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
+[RFC3225] Indicating Resolver Support of DNSSEC. December 2001.
-[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
+[RFC3833] Threat Analysis of the Domain Name System (DNS). August 2004.
-[RFC4033] DNS Security Introduction and Requirements. March 2005.
+[RFC4033] DNS Security Introduction and Requirements. March 2005.
-[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
+[RFC4034] Resource Records for the DNS Security Extensions. March 2005.
-[RFC4035] Protocol Modifications for the DNS
+[RFC4035] Protocol Modifications for the DNS
Security Extensions. March 2005.
@@ -342,146 +342,146 @@
Other Important RFCs About DNS
Implementation
-[RFC1535] A Security Problem and Proposed Correction With Widely
- Deployed DNS Software.. October 1993.
+[RFC1535] A Security Problem and Proposed Correction With Widely
+ Deployed DNS Software. October 1993.
-[RFC1536] Common DNS Implementation
+[RFC1536] Common DNS Implementation
Errors and Suggested Fixes. October 1993.
-[RFC4074] Common Misbehaviour Against DNS
+[RFC4074] Common Misbehaviour Against DNS
Queries for IPv6 Addresses. May 2005.
Resource Record Types
-[RFC1706] DNS NSAP Resource Records. October 1994.
+[RFC1706] DNS NSAP Resource Records. October 1994.
-[RFC2168] Resolution of Uniform Resource Identifiers using
+[RFC2168] Resolution of Uniform Resource Identifiers using
the Domain Name System. June 1997.
-[RFC1876] A Means for Expressing Location Information in the
+[RFC1876] A Means for Expressing Location Information in the
Domain
Name System. January 1996.
-[RFC2052] A DNS RR for Specifying the
+[RFC2052] A DNS RR for Specifying the
Location of
- Services.. October 1996.
+ Services. October 1996.
-[RFC2163] Using the Internet DNS to
+[RFC2163] Using the Internet DNS to
Distribute MIXER
Conformant Global Address Mapping. January 1998.
-[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
+[RFC2230] Key Exchange Delegation Record for the DNS. October 1997.
-[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2536] DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
+[RFC2537] RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.
-[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
+[RFC2538] Storing Certificates in the Domain Name System (DNS). March 1999.
-[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
+[RFC2539] Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.
-[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
+[RFC2540] Detached Domain Name System (DNS) Information. March 1999.
-[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
+[RFC2782] A DNS RR for specifying the location of services (DNS SRV). February 2000.
-[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
+[RFC2915] The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.
-[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
+[RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.
-[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
+[RFC3123] A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.
DNS and the Internet
-[RFC1101] DNS Encoding of Network Names
+[RFC1101] DNS Encoding of Network Names
and Other Types. April 1989.
-[RFC1123] Requirements for Internet Hosts - Application and
+[RFC1123] Requirements for Internet Hosts - Application and
Support. October 1989.
-[RFC1591] Domain Name System Structure and Delegation. March 1994.
+[RFC1591] Domain Name System Structure and Delegation. March 1994.
-[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
+[RFC2317] Classless IN-ADDR.ARPA Delegation. March 1998.
DNS Operations
-[RFC1033] Domain administrators operations guide.. November 1987.
+[RFC1033] Domain administrators operations guide. November 1987.
-[RFC1912] Common DNS Operational and
+[RFC1912] Common DNS Operational and
Configuration Errors. February 1996.
Internationalized Domain Names
-[RFC2825] A Tangled Web: Issues of I18N, Domain Names,
+[RFC2825] A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols. May 2000.
-[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
+[RFC3490] Internationalizing Domain Names in Applications (IDNA). March 2003.
@@ -497,47 +497,47 @@
-[RFC1464] Using the Domain Name System To Store Arbitrary String
+[RFC1464] Using the Domain Name System To Store Arbitrary String
Attributes. May 1993.
-[RFC1713] Tools for DNS Debugging. November 1994.
+[RFC1713] Tools for DNS Debugging. November 1994.
-[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
+[RFC2240] A Legal Basis for Domain Name Allocation. November 1997.
-[RFC2345] Domain Names and Company Name Retrieval. May 1998.
+[RFC2345] Domain Names and Company Name Retrieval. May 1998.
-[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
+[RFC2352] A Convention For Using Legal Names as Domain Names. May 1998.
-[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
+[RFC3071] Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.
-[RFC3258] Distributing Authoritative Name Servers via
+[RFC3258] Distributing Authoritative Name Servers via
Shared Unicast Addresses. April 2002.
-[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
+[RFC3901] DNS IPv6 Transport Operational Guidelines. September 2004.
Obsolete and Unimplemented Experimental RFC
-[RFC1712] DNS Encoding of Geographical
+[RFC1712] DNS Encoding of Geographical
Location. November 1994.
@@ -551,39 +551,39 @@
-[RFC2065] Domain Name System Security Extensions. January 1997.
+[RFC2065] Domain Name System Security Extensions. January 1997.
-[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
+[RFC2137] Secure Domain Name System Dynamic Update. April 1997.
-[RFC2535] Domain Name System Security Extensions. March 1999.
+[RFC2535] Domain Name System Security Extensions. March 1999.
-[RFC3008] Domain Name System Security (DNSSEC)
+[RFC3008] Domain Name System Security (DNSSEC)
Signing Authority. November 2000.
-[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
+[RFC3090] DNS Security Extension Clarification on Zone Status. March 2001.
-[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
+[RFC3445] Limiting the Scope of the KEY Resource Record (RR). December 2002.
-[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
+[RFC3655] Redefinition of DNS Authenticated Data (AD) bit. November 2003.
-[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
+[RFC3658] Delegation Signer (DS) Resource Record (RR). December 2003.
-[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
+[RFC3755] Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.
-[RFC3757] Domain Name System KEY (DNSKEY) Resource Record
+[RFC3757] Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag. April 2004.
-[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
+[RFC3845] DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.
@@ -604,14 +604,14 @@
-DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
+DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
@@ -648,7 +648,7 @@
GNU make is required to build the export libraries (other
part of BIND 9 can still be built with other types of make). In
the reminder of this document, "make" means GNU make. Note that
@@ -657,7 +657,7 @@
$ ./configure --enable-exportlib [other flags]
$ make
@@ -672,7 +672,7 @@ $ make
$ cd lib/export
$ make install
@@ -694,7 +694,7 @@ $ make install
Currently, win32 is not supported for the export
library. (Normal BIND 9 application can be built as
@@ -734,7 +734,7 @@ $ make
The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
@@ -752,14 +752,14 @@ $ make
Some sample application programs using this API are
provided for reference. The following is a brief description of
these applications.
It sends a query of a given name (of a given optional RR type) to a
specified recursive server, and prints the result as a list of
@@ -823,7 +823,7 @@ $ make
Similar to "sample", but accepts a list
of (query) domain names as a separate file and resolves the names
@@ -864,7 +864,7 @@ $ make
It sends a query to a specified server, and
prints the response with minimal processing. It doesn't act as a
@@ -905,7 +905,7 @@ $ make
This is a test program
to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -922,7 +922,7 @@ $ make
It accepts a single update command as a
command-line argument, sends an update request message to the
@@ -1017,7 +1017,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
It checks a set
of domains to see the name servers of the domains behave
@@ -1074,7 +1074,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
As of this writing, there is no formal "manual" of the
libraries, except this document, header files (some of them
provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index ad13583dfa8..edfe1d93c34 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -113,39 +113,39 @@
DNSSEC, Dynamic Zones, and Automatic Signing
-- Converting from insecure to secure
-- Dynamic DNS update method
-- Fully automatic zone signing
-- Private-type records
-- DNSKEY rollovers
-- Dynamic DNS update method
-- Automatic key rollovers
-- NSEC3PARAM rollovers via UPDATE
-- Converting from NSEC to NSEC3
-- Converting from NSEC3 to NSEC
-- Converting from secure to insecure
-- Periodic re-signing
-- NSEC3 and OPTOUT
+- Converting from insecure to secure
+- Dynamic DNS update method
+- Fully automatic zone signing
+- Private-type records
+- DNSKEY rollovers
+- Dynamic DNS update method
+- Automatic key rollovers
+- NSEC3PARAM rollovers via UPDATE
+- Converting from NSEC to NSEC3
+- Converting from NSEC3 to NSEC
+- Converting from secure to insecure
+- Periodic re-signing
+- NSEC3 and OPTOUT
Dynamic Trust Anchor Management
PKCS#11 (Cryptoki) support
-- Prerequisites
-- Native PKCS#11
-- OpenSSL-based PKCS#11
-- PKCS#11 Tools
-- Using the HSM
-- Specifying the engine on the command line
-- Running named with automatic zone re-signing
+- Prerequisites
+- Native PKCS#11
+- OpenSSL-based PKCS#11
+- PKCS#11 Tools
+- Using the HSM
+- Specifying the engine on the command line
+- Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
IPv6 Support in BIND 9
@@ -178,43 +178,43 @@
Usage
- key Statement Grammar
- key Statement Definition and Usage
-- logging Statement Grammar
-- logging Statement Definition and
+
- logging Statement Grammar
+- logging Statement Definition and
Usage
-- lwres Statement Grammar
-- lwres Statement Definition and Usage
-- masters Statement Grammar
-- masters Statement Definition and
+
- lwres Statement Grammar
+- lwres Statement Definition and Usage
+- masters Statement Grammar
+- masters Statement Definition and
Usage
-- options Statement Grammar
+- options Statement Grammar
- options Statement Definition and
Usage
- server Statement Grammar
- server Statement Definition and
Usage
- statistics-channels Statement Grammar
-- statistics-channels Statement Definition and
+
- statistics-channels Statement Definition and
Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition
+
- trusted-keys Statement Definition
and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition
and Usage
- view Statement Grammar
-- view Statement Definition and Usage
+- view Statement Definition and Usage
- zone
Statement Grammar
-- zone Statement Definition and Usage
+- zone Statement Definition and Usage
-Zone File
+Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
@@ -223,41 +223,41 @@
7. BIND 9 Security Considerations
8. Troubleshooting
A. Appendices
I. Manual pages
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 19af0c9d781..7679d48a640 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
arpaname {ipaddress ...}
-DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 8be73c57ff3..9ea8342ec61 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -51,7 +51,7 @@
ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name | -z zone ]
-DESCRIPTION
+DESCRIPTION
tsig-keygen and ddns-confgen
are invocation methods for a utility that generates keys for use
@@ -87,7 +87,7 @@
diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index 4741d31cd5b..2f602a7edb7 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -53,7 +53,7 @@
delv [queryopt...] [query...]
-DESCRIPTION
+DESCRIPTION
delv
(Domain Entity Lookup & Validation) is a tool for sending
DNS queries and validating the results, using the the same internal
@@ -96,7 +96,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
delv
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
@@ -465,12 +465,12 @@
-SEE ALSO
+SEE ALSO
dig(1),
named(8),
RFC4034,
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 66783cec33f..5118533ecf7 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
dig [global-queryopt...] [query...]
-DESCRIPTION
+DESCRIPTION
dig
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -99,7 +99,7 @@
-OPTIONS
+OPTIONS
The -b option sets the source IP address of the query
to address. This must be a valid
@@ -260,7 +260,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
dig
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -655,7 +655,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig
supports
@@ -701,7 +701,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -715,14 +715,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1),
named(8),
dnssec-keygen(8),
@@ -730,7 +730,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index f573b222eaf..1b049c52abd 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -51,7 +51,7 @@
dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}
-DESCRIPTION
+DESCRIPTION
dnssec-checkds
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index aebe0dcac05..91e3226388a 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -50,7 +50,7 @@
dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]
-DESCRIPTION
+DESCRIPTION
dnssec-coverage
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 7378efeeb8a..741508b5495 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -52,14 +52,14 @@
dnssec-dsfromkey [-h] [-V]
-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name
@@ -173,13 +173,13 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -189,7 +189,7 @@
diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index 589e15e4348..fa68c37a088 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -51,7 +51,7 @@
dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]
-DESCRIPTION
+DESCRIPTION
dnssec-importkey
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
@@ -71,7 +71,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -142,7 +142,7 @@
-FILES
+FILES
A keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name
@@ -151,7 +151,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -159,7 +159,7 @@
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 79c83076ab8..14d9295cc35 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}
-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
@@ -66,7 +66,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -315,7 +315,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes
successfully,
@@ -354,7 +354,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -363,7 +363,7 @@
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index eba5bb33f76..23b9fd2ca18 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}
-DESCRIPTION
+DESCRIPTION
dnssec-keygen
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -359,7 +359,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be
@@ -426,7 +426,7 @@
-SEE ALSO
+SEE ALSO
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
@@ -435,7 +435,7 @@
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index f49ee0ea87b..ebcbf68b37f 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}
-DESCRIPTION
+DESCRIPTION
dnssec-revoke
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index ca8f91322b5..7bb6a451737 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}
-DESCRIPTION
+DESCRIPTION
dnssec-settime
reads a DNSSEC private key file and sets the key timing metadata
as specified by the -P, -A,
@@ -76,7 +76,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -210,7 +210,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the
timing metadata associated with a key.
@@ -236,7 +236,7 @@
-SEE ALSO
+SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
@@ -244,7 +244,7 @@
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 6608c97d8db..8fdb5fd51f7 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -47,10 +47,10 @@
Synopsis
-dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
+dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
-DESCRIPTION
+DESCRIPTION
dnssec-signzone
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
-EXAMPLE
+EXAMPLE
The following command signs the example.com
zone with the DSA key generated by dnssec-keygen
@@ -542,14 +542,14 @@ db.example.com.signed
%
diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index decc5b22158..29fab13ab72 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}
-DESCRIPTION
+DESCRIPTION
dnssec-verify
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 263ae5ef8e7..1797584c3a7 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
genrandom [-n number] {size} {filename}
-DESCRIPTION
+DESCRIPTION
genrandom
generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index d8bd153baa7..7ec0fe4d1e2 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@
host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]
-DESCRIPTION
+DESCRIPTION
host
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -214,7 +214,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -228,12 +228,12 @@
-SEE ALSO
+SEE ALSO
dig(1),
named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index c678e25dade..506836869f9 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
isc-hmac-fixup {algorithm} {secret}
-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
-SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup
are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index b3027cef353..0b9f777c704 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]
-DESCRIPTION
+DESCRIPTION
named-checkconf
checks the syntax, but not the semantics, of a
named configuration file. The file is parsed
@@ -70,7 +70,7 @@
-RETURN VALUES
+RETURN VALUES
named-checkconf
returns an exit status of 1 if
errors were detected and 0 otherwise.
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index d58e8373b4b..b04ad62af8b 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}
-DESCRIPTION
+DESCRIPTION
named-checkzone
checks the syntax and integrity of a zone file. It performs the
same checks as named does when loading a
@@ -71,7 +71,7 @@
-RETURN VALUES
+RETURN VALUES
named-checkzone
returns an exit status of 1 if
errors were detected and 0 otherwise.
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 5f243eeb910..ad1d46f7b2b 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
named-journalprint {journal}
-DESCRIPTION
+DESCRIPTION
named-journalprint
prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index 89b6bfb3d4e..5be195928f2 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -50,7 +50,7 @@
named-rrchecker [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]
-DESCRIPTION
+DESCRIPTION
named-rrchecker
read a individual DNS resource record from standard input and checks if it
is syntactically correct.
@@ -78,7 +78,7 @@
-SEE ALSO
+SEE ALSO
RFC 1034,
RFC 1035,
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 57f17e6a975..5067adb260c 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]
-DESCRIPTION
+DESCRIPTION
named
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control
the nameserver; rndc should be used
@@ -302,7 +302,7 @@
-CONFIGURATION
+CONFIGURATION
The named configuration file is too complex
to describe in detail here. A complete description is provided
@@ -319,7 +319,7 @@
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 0ca8b3dac49..3e8c89199c0 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
nsec3hash {salt} {algorithm} {iterations} {domain}
-DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
@@ -56,7 +56,7 @@
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 53db308f346..5d8bab1e044 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]
-DESCRIPTION
+DESCRIPTION
nsupdate
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@@ -236,7 +236,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index b5d8c92d198..5d78e223833 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
-DESCRIPTION
+DESCRIPTION
rndc-confgen
generates configuration files
for rndc. It can be used as a
@@ -66,7 +66,7 @@
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index bdf924038d0..f1ad9d33c2a 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
rndc.conf
-DESCRIPTION
+DESCRIPTION
rndc.conf is the configuration file
for rndc, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
-NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and
to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index f44a773c48f..258a3f0773b 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}
-DESCRIPTION
+DESCRIPTION
rndc
controls the operation of a name
server. It supersedes the ndc utility
@@ -81,7 +81,7 @@
-COMMANDS
+COMMANDS
A list of commands supported by rndc can
be seen by running rndc without arguments.
@@ -599,7 +599,7 @@