From: Tinderbox User
signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters | none ) ) ] zone [class [view]] signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters | none ) | -serial value ) ] zone [class [view]] List, edit, or remove the DNSSEC signing state records @@ -577,11 +577,18 @@ removes an existing NSEC3 chain and replaces it with NSEC.
++ rndc signing -serial value sets + the serial number of the zone to value. If the value + would cause the serial number to go backwards it will + be rejected. The primary use is to set the serial on + inline signed zones. +
There is currently no way to provide the shared secret for a
key_id without using the configuration file.
@@ -591,7 +598,7 @@
None
None
+ Errors reported when running rndc addzone + (e.g., when a zone file cannot be loaded) have been clarified + to make it easier to diagnose problems. +
None
+ The serial number of a dynamically updatable zone can
+ now be set using
+ rndc signing -serial number zonename.
+ This is particularly useful with inline-signing
+ zones that have been reset. Setting the serial number to a value
+ larger than that on the slaves will trigger an AXFR-style
+ transfer.
+
+ When answering recursive queries, SERVFAIL responses can now be
+ cached by the server for a limited time; subsequent queries for
+ the same query name and type will return another SERVFAIL until
+ the cache times out. This reduces the frequency of retries
+ when a query is persistently failing, which can be a burden
+ on recursive serviers. The SERVFAIL cache timeout is controlled
+ by servfail-ttl, which defaults to 10 seconds
+ and has an upper limit of 30.
+
+ The new rndc nta command can now be used to
+ set a "negative trust anchor" (NTA), disabling DNSSEC validation for
+ a specific domain; this can be used when responses from a domain
+ are known to be failing validation due to administrative error
+ rather than because of a spoofing attack. NTAs are strictly
+ temporary; by default they expire after one hour, but can be
+ configured to last up to one week. The default NTA lifetime
+ can be changed by setting the nta-lifetime in
+ named.conf.
+
+ The EDNS Client Subnet (ECS) option is now supported for
+ authoritative servers; if a query contains an ECS option then
+ ACLs containing geoip or ecs
+ elements can match against the the address encoded in the option.
+ This can be used to select a view for a query, so that different
+ answers can be provided depending on the client network.
+
+ The EDNS EXPIRE option has been implemented on the client + side, allowing a slave server to set the expiration timer + correctly when transferring zone data from another slave + server. +
+ A new masterfile-style zone option controls
+ the formatting of text zone files: When set to
+ full, the zone file will dumped in
+ single-line-per-record format.
+
+ dig +ednsopt can now be used to set + arbitrary EDNS options in DNS requests. +
+ dig +ednsflags can now be used to set + yet-to-be-defined EDNS flags in DNS requests. +
+ dig +ttlunits causes dig + to print TTL values with time-unit suffixes: w, d, h, m, s for + weeks, days, hours, minutes, and seconds. +
+ dig +dscp=value
+ can now be used to set the DSCP code point in outgoing query
+ packets.
+
+ serial-update-method can now be set to
+ date. On update, the serial number will
+ be set to the current date in YYYYMMDDNN format.
+
+ dnssec-signzone -N date also sets the serial + number to YYYYMMDDNN. +
+ named -L filename
+ causes named to send log messages to the specified file by
+ default instead of to the system log.
+
+ The rate limiter configured by the
+ serial-query-rate option no longer covers
+ NOTIFY messages; those are now separately controlled by
+ notify-rate and
+ startup-notify-rate (the latter of which
+ controls the rate of NOTIFY messages sent when the server
+ is first started up or reconfigured).
+
+ The default number of tasks and client objects available
+ for serving lightweight resolver queries have been increased,
+ and are now configurable via the new lwres-tasks
+ and lwres-clients options in
+ named.conf. [RT #35857]
+
None
+ ACLs containing geoip asnum elements were + not correctly matched unless the full organization name was + specified in the ACL (as in + geoip asnum "AS1234 Example, Inc.";). + They can now match against the AS number alone (as in + geoip asnum "AS1234";). +
+ When using native PKCS#11 cryptography (i.e., + configure --enable-native-pkcs11) HSM PINs + of up to 256 characters can now be used. +
+ NXDOMAIN responses to queries of type DS are now cached separately + from those for other types. This helps when using "grafted" zones + of type forward, for which the parent zone does not contain a + delegation, such as local top-level domains. Previously a query + of type DS for such a zone could cause the zone apex to be cached + as NXDOMAIN, blocking all subsequent queries. (Note: This + change is only helpful when DNSSEC validation is not enabled. + "Grafted" zones without a delegation in the parent are not a + recommended configuration.) +
+ Update forwarding performance has been improved by allowing + a single TCP connection to be shared between multiple updates. +
+ By default, nsupdate will now check + the correctness of hostnames when adding records of type + A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be + disabled with check-names no. +
+ dig, host and + nslookup aborted when encountering + a name which, after appending search list elements, + exceeded 255 bytes. Such names are now skipped, but + processing of other names will continue. [RT #36892] +
+ The error message generated when
+ named-checkzone or
+ named-checkconf -z encounters a
+ $TTL directive without a value has
+ been clarified. [RT #37138]
+
+ Semicolon characters (;) included in TXT records were + incorrectly escaped with a backslash when the record was + displayed as text. This is actually only necessary when there + are no quotation marks. [RT #37159] +
+ When files opened for writing by named,
+ such as zone journal files, were referenced more than once
+ in named.conf, it could lead to file
+ corruption as multiple threads wrote to the same file. This
+ is now detected when loading named.conf
+ and reported as an error. [RT #37172]
+
+ When checking for updates to trust anchors listed in
+ managed-keys, named
+ now revalidates keys based on the current set of
+ active trust anchors, without relying on any cached
+ record of previous validation. [RT #37506]
+
+ Large-system tuning + (configure --with-tuning=large) caused + problems on some platforms by setting a socket receive + buffer size that was too large. This is now detected and + corrected at run time. [RT #37187] +
GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -720,7 +904,7 @@
$./configure --enable-exportlib$[other flags]make@@ -735,7 +919,7 @@ $make$cd lib/export$make install@@ -757,7 +941,7 @@ $make install
Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -797,7 +981,7 @@ $
makeThe IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -815,14 +999,14 @@ $
makeSome sample application programs using this API are provided for reference. The following is a brief description of these applications.
It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -886,7 +1070,7 @@ $
makeSimilar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -927,7 +1111,7 @@ $
makeIt sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -968,7 +1152,7 @@ $
makeThis is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -985,7 +1169,7 @@ $
makeIt accepts a single update command as a command-line argument, sends an update request message to the @@ -1080,7 +1264,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mmIt checks a set of domains to see the name servers of the domains behave @@ -1137,7 +1321,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mmAs of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 3046631cee8..54f5d4a178d 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -247,7 +247,7 @@
Security Fixes New Features Feature Changes -Bug Fixes +Bug Fixes Thank You Acknowledgments @@ -262,13 +262,13 @@BIND 9 DNS Library Support I. Manual pages diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 6b3e314a91a..7200f5c0152 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -50,20 +50,20 @@
arpaname{ipaddress...}-diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 8d0b71464dd..f791c69c1a0 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -51,7 +51,7 @@DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
ddns-confgen[-a] [algorithm-h] [-k] [keyname-q] [-r] [ -srandomfilename| -zzone]-diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index f19f8ddfce2..6bd4c4ac34c 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -53,7 +53,7 @@DESCRIPTION
+DESCRIPTION
tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -87,7 +87,7 @@
delv[queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the the same internal @@ -96,7 +96,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
delv provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed. @@ -465,12 +465,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8), RFC4034, diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 5b805d1fac8..62f94a897f9 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@
dig[global-queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@
-OPTIONS
+OPTIONS
The
-boption sets the source IP address of the query toaddress. This must be a valid @@ -260,7 +260,7 @@-QUERY OPTIONS
+QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -672,7 +672,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig supports @@ -718,7 +718,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -732,14 +732,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1), named(8), dnssec-keygen(8), @@ -747,7 +747,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 210b7cdd7d2..60f971ed838 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -51,7 +51,7 @@
dnssec-dsfromkey[-l] [domain-f] [file-d] [dig path-D] {zone}dsfromkey path-diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 9ee462e2f52..9901626ad38 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@
dnssec-coverage[-K] [directory-l] [length-f] [file-d] [DNSKEY TTL-m] [max TTL-r] [interval-c] [compilezone path-k] [-z] [zone]-diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 1a0e14d8de7..ee6d385c375 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -52,14 +52,14 @@DESCRIPTION
+DESCRIPTION
dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@
dnssec-dsfromkey[-h] [-V]-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -173,13 +173,13 @@-diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 8772b134869..1fcf92f6c43 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -51,7 +51,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -189,7 +189,7 @@
dnssec-importkey{-f} [filename-K] [directory-L] [ttl-P] [date/offset-D] [date/offset-h] [-v] [level-V] [dnsname]-DESCRIPTION
+DESCRIPTION
dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -71,7 +71,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -142,7 +142,7 @@
-FILES
+FILES
A keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -151,7 +151,7 @@-diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index d053246b0d4..ee6dbd59091 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -159,7 +159,7 @@
dnssec-keyfromlabel{-llabel} [-3] [-a] [algorithm-A] [date/offset-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-I] [date/offset-i] [interval-k] [-K] [directory-L] [ttl-n] [nametype-P] [date/offset-p] [protocol-R] [date/offset-S] [key-t] [type-v] [level-V] [-y] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -315,7 +315,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, @@ -354,7 +354,7 @@
-diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index cc681dd14d5..5a948af740f 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -363,7 +363,7 @@
dnssec-keygen[-a] [algorithm-b] [keysize-n] [nametype-3] [-A] [date/offset-C] [-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-g] [generator-h] [-I] [date/offset-i] [interval-K] [directory-L] [ttl-k] [-P] [date/offset-p] [protocol-q] [-R] [date/offset-r] [randomdev-S] [key-s] [strength-t] [type-v] [level-V] [-z] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -359,7 +359,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be @@ -426,7 +426,7 @@-diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 0bdfd834314..b5fcf193c31 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -435,7 +435,7 @@
dnssec-revoke[-hr] [-v] [level-V] [-K] [directory-E] [engine-f] [-R] {keyfile}-diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 1b32d45be64..8e1d5acda8f 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@
dnssec-settime[-f] [-K] [directory-L] [ttl-P] [date/offset-A] [date/offset-R] [date/offset-I] [date/offset-D] [date/offset-h] [-V] [-v] [level-E] {keyfile}engine-DESCRIPTION
+DESCRIPTION
dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the
-P,-A, @@ -76,7 +76,7 @@-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -210,7 +210,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the timing metadata associated with a key. @@ -236,7 +236,7 @@
-diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 0d516f5d56d..b3e850db277 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -244,7 +244,7 @@
dnssec-signzone[-a] [-c] [class-d] [directory-D] [-E] [engine-e] [end-time-f] [output-file-g] [-h] [-K] [directory-k] [key-L] [serial-l] [domain-M] [domain-i] [interval-I] [input-format-j] [jitter-N] [soa-serial-format-o] [origin-O] [output-format-P] [-p] [-Q] [-R] [-r] [randomdev-S] [-s] [start-time-T] [ttl-t] [-u] [-v] [level-V] [-X] [extended end-time-x] [-z] [-3] [salt-H] [iterations-A] {zonefile} [key...]-DESCRIPTION
+DESCRIPTION
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
-diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 7fc141c462b..9877a4fa7b0 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -50,7 +50,7 @@EXAMPLE
+EXAMPLE
The following command signs the
example.comzone with the DSA key generated by dnssec-keygen @@ -542,14 +542,14 @@ db.example.com.signed %
dnssec-verify[-c] [class-E] [engine-I] [input-format-o] [origin-v] [level-V] [-x] [-z] {zonefile}-diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 94bc00b7947..0aa2f7546e0 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@
genrandom[-n] {numbersize} {filename}-diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 14585035695..08fb8aafefd 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@
host[-aCdlnrsTwv] [-c] [class-N] [ndots-R] [number-t] [type-W] [wait-m] [flag-4] [-6] [-v] [-V] {name} [server]-DESCRIPTION
+DESCRIPTION
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -214,7 +214,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -228,12 +228,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 456488ed359..7f2b489370a 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -50,7 +50,7 @@
isc-hmac-fixup{algorithm} {secret}-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@
-diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index b0261a2fcb0..f9d4de65427 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -50,7 +50,7 @@SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@
named-checkconf[-h] [-v] [-j] [-t] {filename} [directory-p] [-x] [-z]-DESCRIPTION
+DESCRIPTION
named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@
-diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 3b54f1f26a8..1080744acf4 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -51,7 +51,7 @@RETURN VALUES
+RETURN VALUES
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone[-d] [-j] [-q] [-v] [-c] [class-C] [mode-f] [format-F] [format-J] [filename-i] [mode-k] [mode-m] [mode-n] [mode-l] [ttl-L] [serial-r] [mode-s] [style-t] [directory-T] [mode-w] [directory-D] [-W] {mode-o} {zonename} {filename}filename-DESCRIPTION
+DESCRIPTION
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
-diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index b83b5cb97e5..af6b75e8b5e 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -50,7 +50,7 @@RETURN VALUES
+RETURN VALUES
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named-journalprint{journal}-diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 34baeb7889f..bf310d8537a 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@
named-rrchecker[-h] [-o] [origin-p] [-u] [-C] [-T] [-P]-DESCRIPTION
+DESCRIPTION
named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct. @@ -78,7 +78,7 @@
-SEE ALSO
+SEE ALSO
RFC 1034, RFC 1035, diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 5414c04cefb..652748992e1 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@
named[-4] [-6] [-c] [config-file-d] [debug-level-D] [string-E] [engine-name-f] [-g] [-L] [logfile-m] [flag-n] [#cpus-p] [port-s] [-S] [#max-socks-t] [directory-U] [#listeners-u] [user-v] [-V] [-x]cache-file-DESCRIPTION
+DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -302,7 +302,7 @@
-diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 615402a7853..9df9b1f74ad 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -48,7 +48,7 @@CONFIGURATION
+CONFIGURATION
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -319,7 +319,7 @@
nsec3hash{salt} {algorithm} {iterations} {domain}-diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 4d607443a4f..f695943ffd4 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@
nsupdate[-d] [-D] [[-g] | [-o] | [-l] | [-y] | [[hmac:]keyname:secret-k]] [keyfile-t] [timeout-u] [udptimeout-r] [udpretries-R] [randomdev-v] [-T] [-P] [-V] [filename]-DESCRIPTION
+DESCRIPTION
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -236,7 +236,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 37365002fed..73dcc50c2b7 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@
rndc-confgen[-a] [-A] [algorithm-b] [keysize-c] [keyfile-h] [-k] [keyname-p] [port-r] [randomfile-s] [address-t] [chrootdir-u]user-diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 8e3da26e266..6595c52f539 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf-DESCRIPTION
+DESCRIPTION
rndc.confis the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -136,7 +136,7 @@-diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 0f802c2106c..59bde211d99 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to recognize the key specified in the
rndc.conf@@ -220,7 +220,7 @@
rndc[-b] [source-address-c] [config-file-k] [key-file-s] [server-p] [port-q] [-V] [-y] {command}key_id-DESCRIPTION
+DESCRIPTION
rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,7 +81,7 @@
-COMMANDS
+COMMANDS
A list of commands supported by rndc can be seen by running rndc without arguments. @@ -533,7 +533,7 @@ of the rndc delzone command.)
-+ signing [( -list | -clearkeyid/algorithm| -clearall| -nsec3param (parameters|none) ) ]zone[class[view]]signing [( -list | -clearkeyid/algorithm| -clearall| -nsec3param (parameters|none) | -serialvalue) ]zone[class[view]]List, edit, or remove the DNSSEC signing state records @@ -595,11 +595,18 @@ removes an existing NSEC3 chain and replaces it with NSEC.
++ rndc signing -serial value sets + the serial number of the zone to value. If the value + would cause the serial number to go backwards it will + be rejected. The primary use is to set the serial on + inline signed zones. +
-diff --git a/doc/arm/notes.html b/doc/arm/notes.html index e5452d6ed6e..bf4e31a7ff8 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -26,14 +26,14 @@LIMITATIONS
+LIMITATIONS
There is currently no way to provide the shared secret for a
key_idwithout using the configuration file. @@ -609,7 +616,7 @@
- @@ -45,21 +45,21 @@
Table of Contents
@@ -82,22 +82,206 @@+-+
None
+
- +
None
- +
+ Errors reported when running rndc addzone + (e.g., when a zone file cannot be loaded) have been clarified + to make it easier to diagnose problems. +
-+
None
+
- +
+ The serial number of a dynamically updatable zone can + now be set using + rndc signing -serial
numberzonename. + This is particularly useful withinline-signing+ zones that have been reset. Setting the serial number to a value + larger than that on the slaves will trigger an AXFR-style + transfer. +- +
+ When answering recursive queries, SERVFAIL responses can now be + cached by the server for a limited time; subsequent queries for + the same query name and type will return another SERVFAIL until + the cache times out. This reduces the frequency of retries + when a query is persistently failing, which can be a burden + on recursive serviers. The SERVFAIL cache timeout is controlled + by
servfail-ttl, which defaults to 10 seconds + and has an upper limit of 30. +- +
+ The new rndc nta command can now be used to + set a "negative trust anchor" (NTA), disabling DNSSEC validation for + a specific domain; this can be used when responses from a domain + are known to be failing validation due to administrative error + rather than because of a spoofing attack. NTAs are strictly + temporary; by default they expire after one hour, but can be + configured to last up to one week. The default NTA lifetime + can be changed by setting the
nta-lifetimein +named.conf. +- +
+ The EDNS Client Subnet (ECS) option is now supported for + authoritative servers; if a query contains an ECS option then + ACLs containing
geoiporecs+ elements can match against the the address encoded in the option. + This can be used to select a view for a query, so that different + answers can be provided depending on the client network. +- +
+ The EDNS EXPIRE option has been implemented on the client + side, allowing a slave server to set the expiration timer + correctly when transferring zone data from another slave + server. +
- +
+ A new
masterfile-stylezone option controls + the formatting of text zone files: When set to +full, the zone file will dumped in + single-line-per-record format. +- +
+ dig +ednsopt can now be used to set + arbitrary EDNS options in DNS requests. +
- +
+ dig +ednsflags can now be used to set + yet-to-be-defined EDNS flags in DNS requests. +
- +
+ dig +ttlunits causes dig + to print TTL values with time-unit suffixes: w, d, h, m, s for + weeks, days, hours, minutes, and seconds. +
- +
+ dig +dscp=
value+ can now be used to set the DSCP code point in outgoing query + packets. +- +
+
serial-update-methodcan now be set to +date. On update, the serial number will + be set to the current date in YYYYMMDDNN format. +- +
+ dnssec-signzone -N date also sets the serial + number to YYYYMMDDNN. +
- +
+ named -L
filename+ causes named to send log messages to the specified file by + default instead of to the system log. +- +
+ The rate limiter configured by the +
serial-query-rateoption no longer covers + NOTIFY messages; those are now separately controlled by +notify-rateand +startup-notify-rate(the latter of which + controls the rate of NOTIFY messages sent when the server + is first started up or reconfigured). +- +
+ The default number of tasks and client objects available + for serving lightweight resolver queries have been increased, + and are now configurable via the new
lwres-tasks+ andlwres-clientsoptions in +named.conf. [RT #35857] +-+
None
+
- +
+ ACLs containing geoip asnum elements were + not correctly matched unless the full organization name was + specified in the ACL (as in + geoip asnum "AS1234 Example, Inc.";). + They can now match against the AS number alone (as in + geoip asnum "AS1234";). +
- +
+ When using native PKCS#11 cryptography (i.e., + configure --enable-native-pkcs11) HSM PINs + of up to 256 characters can now be used. +
- +
+ NXDOMAIN responses to queries of type DS are now cached separately + from those for other types. This helps when using "grafted" zones + of type forward, for which the parent zone does not contain a + delegation, such as local top-level domains. Previously a query + of type DS for such a zone could cause the zone apex to be cached + as NXDOMAIN, blocking all subsequent queries. (Note: This + change is only helpful when DNSSEC validation is not enabled. + "Grafted" zones without a delegation in the parent are not a + recommended configuration.) +
- +
+ Update forwarding performance has been improved by allowing + a single TCP connection to be shared between multiple updates. +
- +
+ By default, nsupdate will now check + the correctness of hostnames when adding records of type + A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be + disabled with check-names no. +
+
- +
+ dig, host and + nslookup aborted when encountering + a name which, after appending search list elements, + exceeded 255 bytes. Such names are now skipped, but + processing of other names will continue. [RT #36892] +
- +
+ The error message generated when + named-checkzone or + named-checkconf -z encounters a +
$TTLdirective without a value has + been clarified. [RT #37138] +- +
+ Semicolon characters (;) included in TXT records were + incorrectly escaped with a backslash when the record was + displayed as text. This is actually only necessary when there + are no quotation marks. [RT #37159] +
- +
+ When files opened for writing by named, + such as zone journal files, were referenced more than once + in
named.conf, it could lead to file + corruption as multiple threads wrote to the same file. This + is now detected when loadingnamed.conf+ and reported as an error. [RT #37172] +- +
+ When checking for updates to trust anchors listed in +
managed-keys, named + now revalidates keys based on the current set of + active trust anchors, without relying on any cached + record of previous validation. [RT #37506] +- +
+ Large-system tuning + (configure --with-tuning=large) caused + problems on some platforms by setting a socket receive + buffer size that was too large. This is now detected and + corrected at run time. [RT #37187] +