diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 759663702d..f2672fdf40 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -128,7 +128,7 @@
ISC BIND 9 compiles and runs on a large number - of Unix-like operating systems and on + of Unix-like operating systems and on Microsoft Windows Server 2003 and 2008, and Windows XP and Vista. For an up-to-date list of supported systems, see the README file in the top level diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index b2c721083d..07680c6482 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -49,8 +49,8 @@
Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -301,7 +301,7 @@
Let's say a company named Example, Inc.
(example.com)
@@ -761,7 +761,7 @@ allow-update { key host1-host2. ;};
BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC 2931. @@ -822,7 +822,7 @@ allow-update { key host1-host2. ;};
The dnssec-keygen program is used to
generate keys.
@@ -931,7 +931,7 @@ allow-update { key host1-host2. ;};
To enable named to validate answers from
other servers, the dnssec-enable option
must be set to yes, and the
- dnssec-validation options must be set to
+ dnssec-validation options must be set to
yes or auto.
@@ -1047,7 +1047,7 @@ options { including missing, expired, or invalid signatures, a key which does not match the DS RRset in the parent zone, or an insecure response from a zone which, according to its parent, should have - been secure. + been secure.
While the initial signing and NSEC/NSEC3 chain generation is happening, other updates are possible as well.
+Fully automatic zone signingTo enable automatic signing, add the
auto-dnssec option to the zone statement in
named.conf.
@@ -1205,7 +1205,7 @@ options {
configuration. If this has not been done, the configuration will
fail.
The state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a nonzero value for @@ -1246,12 +1246,12 @@ options {
+DNSKEY rollovers
As with insecure-to-secure conversions, rolling DNSSEC keys can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.
+Dynamic DNS update method To perform key rollovers via dynamic update, you need to add
the K* files for the new keys so that
named can find them. You can then add the new
@@ -1273,7 +1273,7 @@ options {
named will clean out any signatures generated
by the old key after the update completes.
When a new key reaches its activation date (as set by dnssec-keygen or dnssec-settime), if the auto-dnssec zone option is set to @@ -1288,27 +1288,27 @@ options { completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset.
+NSEC3PARAM rollovers via UPDATEAdd the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain has been generated, the NSEC3PARAM flag field will be zero. At this point you can remove the old NSEC3PARAM record. The old chain will be removed after the update request completes.
+Converting from NSEC to NSEC3To do this, you just need to add an NSEC3PARAM record. When the conversion is complete, the NSEC chain will have been removed and the NSEC3PARAM record will have a zero flag field. The NSEC3 chain will be generated before the NSEC chain is destroyed.
+Converting from NSEC3 to NSECTo do this, use nsupdate to remove all NSEC3PARAM records with a zero flag field. The NSEC chain will be generated before the NSEC3 chain is removed.
+Converting from secure to insecureTo convert a signed zone to unsigned using dynamic DNS, delete all the DNSKEY records from the zone apex using nsupdate. All signatures, NSEC or NSEC3 chains, @@ -1323,14 +1323,14 @@ options { allow instead (or it will re-sign).
+Periodic re-signingIn any secure zone which supports dynamic updates, named will periodically re-sign RRsets which have not been re-signed as a result of some update action. The signature lifetimes will be adjusted so as to spread the re-sign load over time rather than all at once.
+NSEC3 and OPTOUTnamed only supports creating new NSEC3 chains where all the NSEC3 records in the zone have the same OPTOUT @@ -1352,7 +1352,7 @@ options { configuration files.
To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a managed-keys statement. Information about @@ -1363,7 +1363,7 @@ options {
To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@@ -1631,7 +1631,7 @@ $
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
@@ -1702,7 +1702,7 @@ $
SoftHSM (version 1) is a software library developed by the
OpenDNSSEC project
@@ -1777,7 +1777,7 @@ $
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1797,7 +1797,7 @@ $
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
@@ -1819,7 +1819,7 @@ $
BIND 9 includes a minimal set of tools to operate the
HSM, including
@@ -1863,7 +1863,7 @@ $
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1984,7 +1984,7 @@ example.net.signed
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in named and all of
@@ -2016,7 +2016,7 @@ $
If you want named to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2103,7 +2103,7 @@ $
A DLZ database is configured with a dlz
statement in
For guidance in implementation of DLZ modules, the directory
patch -p1 -d openssl-0.9.8zc \
./Configure solaris64-x86_64-cc \
./Configure linux-x86_64 -pthread \
./configure CC="gcc -m32" --enable-threads \
./configure CC="cc -xarch=amd64" --enable-thre
$
cd ../bind9
$ ./configure --enable-threads \
@@ -1840,7 +1840,7 @@ $ ./configure --enable-threads \
./configure --enable-threads \
dnssec-signzone -E '' -S example.net
dnssec-signzone -E '' -S example.net
named.conf:
@@ -2152,7 +2152,7 @@ $ dnssec-signzone -E '' -S example.net
contrib/dlz/example contains a basic
@@ -2224,7 +2224,7 @@ $ dnssec-signzone -E '' -S example.netip6.arpa domain, as well as the older, deprecated
ip6.int domain.
- Older versions of BIND 9
+ Older versions of BIND 9
supported the "binary label" (also known as "bitstring") format,
but support of binary labels has been completely removed per
RFC 3363.
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index c1b1c8f79b..90d5c5c63f 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -81,9 +81,9 @@
size_spec
- for details on how they interpret its use.
+ for details on how they interpret its use.
Numeric values can optionally be followed by a @@ -458,7 +458,7 @@ way to safely set a very large number.
- default
+ default
uses the limit that was in force when the server was started.
defines a named masters list for inclusion in stub and slave zones' - masters or + masters or also-notify lists.
@@ -2194,7 +2194,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]-masters@@ -2272,7 +2272,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [ forwarders { [name[portip_port] [dscpip_dscp] { (masters_list| +mastersname[portip_port] [dscpip_dscp] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] };
ip_addr [port ip_port] [dscp ip_dscp] ; ... ] }; ]
[ dual-stack-servers [port ip_port] [dscp ip_dscp] {
( domain_name [port ip_port] [dscp ip_dscp] |
- ip_addr [port ip_port] [dscp ip_dscp]) ;
+ ip_addr [port ip_port] [dscp ip_dscp]) ;
... }; ]
[ check-names ( master | slave | response )
( warn | fail | ignore ); ]
@@ -2320,7 +2320,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ query-source-v6 ( ( ip6_addr | * )
[ port ( ip_port | * ) ]
[ dscp ip_dscp] |
- [ address ( ip6_addr | * ) ]
+ [ address ( ip6_addr | * ) ]
[ port ( ip_port | * ) ] )
[ dscp ip_dscp] ; ]
[ use-queryport-pool yes_or_no; ]
@@ -2736,7 +2736,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The pathname of a file to override the built-in trusted
keys provided by named.
See the discussion of dnssec-lookaside
- and dnssec-validation for details.
+ and dnssec-validation for details.
If not specified, the default is
/etc/bind.keys.
@@ -2989,7 +2989,7 @@ options {
Each dns64 supports an optional
mapped ACL that selects which
- IPv4 addresses are to be mapped in the corresponding
+ IPv4 addresses are to be mapped in the corresponding
A RRset. If not defined it defaults to
any;.
yes
or no; yes
has the same meaning as full.
- As of BIND 9.10,
+ As of BIND 9.10,
no has the same meaning
as none; previously, it
was the same as terse.
@@ -3532,7 +3532,7 @@ options {
If yes, then an empty EDNS(0)
- NSID (Name Server Identifier) option is sent with all
+ NSID (Name Server Identifier) option is sent with all
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
@@ -3746,7 +3746,7 @@ options {
If yes,
the DNS client is at an IPv4 address, in filter-aaaa,
- and if the response does not include DNSSEC signatures,
+ and if the response does not include DNSSEC signatures,
then all AAAA records are deleted from the response.
This filtering applies to all responses and not only
authoritative responses.
@@ -3758,8 +3758,8 @@ options {
because the DNSSEC protocol is designed detect deletions.
- This mechanism can erroneously cause other servers to - not give AAAA records to their clients. + This mechanism can erroneously cause other servers to + not give AAAA records to their clients. A recursing server with both IPv6 and IPv4 network connections that queries an authoritative server using this mechanism via IPv4 will be denied AAAA records even if its client is @@ -4390,7 +4390,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4549,7 +4549,7 @@ avoid-v6-udp-ports {};
Note: BIND 9.5.0 introduced - the use-queryport-pool + the use-queryport-pool option to support a pool of such random ports, but this option is now obsolete because reusing the same ports in the pool may not be sufficiently secure. @@ -5014,7 +5014,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
A "soft quota" is also set. When this lower
quota is exceeded, incoming requests are accepted, but
- for each one, a pending request will be dropped.
+ for each one, a pending request will be dropped.
If recursive-clients is greater than
1000, the soft quota is set to
recursive-clients minus 100;
@@ -5230,7 +5230,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
or the value 0, will place no limit on cache size;
records will be purged from the cache only when their
TTLs expire.
- Any positive values less than 2MB will be ignored
+ Any positive values less than 2MB will be ignored
and reset to 2MB.
In a server with multiple views, the limit applies
separately to the cache of each view.
@@ -5245,7 +5245,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
waiting for
some data before being passed to accept. Nonzero values
less than 10 will be silently raised. A value of 0 may also
- be used; on most platforms this sets the listen queue
+ be used; on most platforms this sets the listen queue
length to a system-defined default value.
BIND 9 provides the ability to filter
out DNS responses from external DNS servers containing
@@ -6436,7 +6436,7 @@ deny-answer-aliases { "example.net"; };
to the standard IPv6 text representation,
prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip.
Each of W8,...,W1 is a one to four digit hexadecimal number
- representing 16 bits of the IPv6 address as in the standard
+ representing 16 bits of the IPv6 address as in the standard
text representation of IPv6 addresses, but reversed as in
IP6.ARPA. (Note that this representation of IPv6
address is different from IP6.ARPA where each hex
@@ -7197,7 +7197,7 @@ example.com CNAME rpz-tcp-only.
whether the local server will add a NSID EDNS option
to requests sent to the server. This overrides
request-nsid set at the view or
- option level.
+ option level.
The request-sit clause determines @@ -7278,16 +7278,16 @@ example.com CNAME rpz-tcp-only. port 8888, then the statistics are accessible in XML format at http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is - included which can format the XML statistics into tables - when viewed with a stylesheet-capable browser, and into + included which can format the XML statistics into tables + when viewed with a stylesheet-capable browser, and into charts and graphs using the Google Charts API when using a javascript-capable browser.
Applications that depend on a particular XML schema - can request + can request http://127.0.0.1:8888/xml/v2 for version 2 - of the statistics XML schema or + of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" @@ -7337,7 +7337,7 @@ example.com CNAME rpz-tcp-only.
The trusted-keys statement defines @@ -7377,7 +7377,7 @@ example.com CNAME rpz-tcp-only.
managed-keys {nameinitial-keyflagsprotocolalgorithmkey-data; [nameinitial-keyflagsprotocolalgorithmkey-data; [...]] @@ -7389,7 +7389,7 @@ example.com CNAME rpz-tcp-only. managed-keys Statement Definition and Usage- The managed-keys statement, like + The managed-keys statement, like trusted-keys, defines DNSSEC security roots. The difference is that managed-keys can be kept up to date @@ -7435,7 +7435,7 @@ example.com CNAME rpz-tcp-only.
@@ -8095,7 +8095,7 @@ zoneinitial-key. The difference is, whereas the keys listed in a trusted-keys continue to be trusted until they are removed from -named.conf, an initializing key listed +named.conf, an initializing key listed in a managed-keys statement is only trusted once: for as long as it takes to load the managed key database and start the RFC 5011 key maintenance @@ -7806,7 +7806,7 @@ zonezone_name[ allow-query {address_match_list}; ] [ server-addresses { [ip_addr; ... ] }; ] - [ server-names { [namelist] }; ] + [ server-names { [namelist] }; ] [ zone-statisticsyes_or_no; ] }; @@ -8011,7 +8011,7 @@ zonezone_name[ Each static-stub zone is configured with internally generated NS and (if necessary) - glue A or AAAA RRs + glue A or AAAA RRszone_name["*. IN A 100.100.100.2" and"*. IN AAAA 2001:ffff:ffff::100.100.100.2". @@ -8103,7 +8103,7 @@ zonezone_name[ To redirect all Spanish names (under .ES) one would use similar entries but with the names - "*.ES." instead of "*.". To redirect all + "*.ES." instead of "*.". To redirect all commercial Spanish names (under COM.ES) one would use wildcard entries called "*.COM.ES.". @@ -8158,7 +8158,7 @@ zonezone_name[The zone's name may optionally be followed by a class. If a class is not specified, class
IN(forInternet), @@ -8180,7 +8180,7 @@ zonezone_name[
- allow-notify
@@ -8613,7 +8613,7 @@ example.com. NS ns2.example.net.
zonenamecauses named to load keys from the key repository and sign the zone with all keys that are - active. + active. rndc loadkeyszonenamecauses named to load keys from the key @@ -8644,7 +8644,7 @@ example.com. NS ns2.example.net. the zone is updated.- When set to + When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is @@ -8941,7 +8941,7 @@ example.com. NS ns2.example.net.
This rule takes a Windows machine principal (machine$@REALM) for machine in REALM and - and converts it machine.realm allowing the machine + and converts it machine.realm allowing the machine to update machine.realm. The REALM to be matched is specified in the
identityfield. @@ -8956,7 +8956,7 @@ example.com. NS ns2.example.net.- This rule takes a Windows machine principal + This rule takes a Windows machine principal (machine$@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM @@ -8975,7 +8975,7 @@ example.com. NS ns2.example.net.
This rule takes a Kerberos machine principal (host/machine@REALM) for machine in REALM and - and converts it machine.realm allowing the machine + and converts it machine.realm allowing the machine to update machine.realm. The REALM to be matched is specified in the
identityfield. @@ -8990,7 +8990,7 @@ example.com. NS ns2.example.net.- This rule takes a Kerberos machine principal + This rule takes a Kerberos machine principal (host/machine@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM @@ -9914,7 +9914,7 @@ view external {
RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -10448,18 +10448,18 @@ view external {
When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. - At the start of the zone file, it is the + At the start of the zone file, it is the <
zone_name> (followed by trailing dot).Syntax: $ORIGIN
domain-name@@ -10488,7 +10488,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $INCLUDE
filename@@ -10524,7 +10524,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $TTL
default-ttl@@ -10543,7 +10543,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $GENERATE
range@@ -10740,7 +10740,7 @@ HOST-127.EXAMPLE. MX 0 .In addition to the standard textual format, BIND 9 supports the ability to read or dump to zone files in - other formats. + other formats.
The
rawformat is @@ -10760,7 +10760,7 @@ HOST-127.EXAMPLE. MX 0 . For a primary server, a zone file inrawormapformat is expected to be generated from a textual zone - file by the named-compilezone command. + file by the named-compilezone command. For a secondary server or for a dynamic zone, it is automatically generated (if this format is specified by the masterfile-format option) when @@ -10782,7 +10782,7 @@ HOST-127.EXAMPLE. MX 0 . with different pointer size, endianness or data alignment than the system on which it was generated, and should in general be used only inside a single system. - Whilerawformat uses + Whilerawformat uses network byte order and avoids architecture-dependent data alignment so that it is as portable as possible, it is also primarily expected to be used @@ -10986,7 +10986,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -11582,7 +11582,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -11736,7 +11736,7 @@ HOST-127.EXAMPLE. MX 0 .
@@ -12119,7 +12119,7 @@ HOST-127.EXAMPLE. MX 0 . Socket I/O statistics counters are defined per socket types, which are @@ -12274,7 +12274,7 @@ HOST-127.EXAMPLE. MX 0 .
Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 0bfb9ba86b..437ca8e23f 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -46,7 +46,7 @@
Table of Contents
- Access Control Lists
-- Chroot and Setuid
+- Chroot and Setuid
- The chroot Environment
- Using the setuid Function
@@ -114,7 +114,7 @@ zone "example.com" {On UNIX servers, it is possible to run BIND diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index a4f092a3d1..cd788ff4e5 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -45,7 +45,7 @@
Table of Contents
diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index d5ed2ab9ef..5b94d8171a 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -50,9 +50,9 @@- Prerequisite
- Compilation
- Installation
-- Known Defects/Restrictions
-- The dns.conf File
-- Sample Applications
+- Known Defects/Restrictions
+- The dns.conf File
+- Sample Applications
- Library References
@@ -135,7 +135,7 @@ $make install
Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -175,7 +175,7 @@ $
makeThe IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -193,14 +193,14 @@ $
makeSome sample application programs using this API are provided for reference. The following is a brief description of these applications.
It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -264,7 +264,7 @@ $
makeSimilar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -305,7 +305,7 @@ $
makeIt sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -346,7 +346,7 @@ $
makeThis is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -363,7 +363,7 @@ $
makeIt accepts a single update command as a command-line argument, sends an update request message to the diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 3171ae1a90..e86ee87ed9 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -93,8 +93,8 @@
- Dynamic Update
- Incremental Zone Transfers (IXFR)
-- Split DNS
-- +
- Split DNS
+- TSIG
- Generate Shared Keys for Each Pair of Hosts
@@ -105,10 +105,10 @@- Errors
- TKEY
-- SIG(0)
+- SIG(0)
- DNSSEC
- @@ -116,37 +116,37 @@
- Converting from insecure to secure
- Dynamic DNS update method
-- Fully automatic zone signing
-- Private-type records
-- DNSKEY rollovers
-- Dynamic DNS update method
-- Automatic key rollovers
-- NSEC3PARAM rollovers via UPDATE
-- Converting from NSEC to NSEC3
-- Converting from NSEC3 to NSEC
-- Converting from secure to insecure
-- Periodic re-signing
-- NSEC3 and OPTOUT
+- Fully automatic zone signing
+- Private-type records
+- DNSKEY rollovers
+- Dynamic DNS update method
+- Automatic key rollovers
+- NSEC3PARAM rollovers via UPDATE
+- Converting from NSEC to NSEC3
+- Converting from NSEC3 to NSEC
+- Converting from secure to insecure
+- Periodic re-signing
+- NSEC3 and OPTOUT
- Dynamic Trust Anchor Management
- PKCS#11 (Cryptoki) support
- DLZ (Dynamically Loadable Zones)
- IPv6 Support in BIND 9
@@ -197,9 +197,9 @@
- statistics-channels Statement Definition and Usage
- trusted-keys Statement Grammar
-- trusted-keys Statement Definition +
- trusted-keys Statement Definition and Usage
-- managed-keys Statement Grammar
+- managed-keys Statement Grammar
- managed-keys Statement Definition and Usage
- view Statement Grammar
@@ -215,7 +215,7 @@- Setting TTLs
- Inverse Mapping in IPv4
- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
- BIND9 Statistics
@@ -224,7 +224,7 @@- 7. BIND 9 Security Considerations
- Access Control Lists
-- Chroot and Setuid
+- Chroot and Setuid
- The chroot Environment
- Using the setuid Function
@@ -240,7 +240,7 @@- A. Release Notes
- diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index ce8d54f4ed..c9b73c008b 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -50,20 +50,20 @@
arpaname{ipaddress...}-diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 8e97a506eb..8b9348fb4e 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -51,7 +51,7 @@DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
ddns-confgen[-a] [algorithm-h] [-k] [keyname-q] [-r] [ -srandomfilename| -zzone]-diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 3ba71fa1c0..f1ed6ead3d 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -53,7 +53,7 @@DESCRIPTION
+DESCRIPTION
tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -87,7 +87,7 @@
delv[queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the the same internal @@ -96,7 +96,7 @@
-OPTIONS
+OPTIONS
- -a
anchor-file- @@ -465,12 +465,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8), RFC4034, diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 25f6b06795..3861fd699a 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@
dig[global-queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -747,7 +747,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -761,14 +761,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1), named(8), dnssec-keygen(8), @@ -776,7 +776,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index aa09b12c38..2a4ad0a702 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -51,7 +51,7 @@
dnssec-dsfromkey[-l] [domain-f] [file-d] [dig path-D] {zone}dsfromkey path-diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 2ef8cab85f..a833b0bc2a 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@
dnssec-coverage[-K] [directory-l] [length-f] [file-d] [DNSKEY TTL-m] [max TTL-r] [interval-c] [compilezone path-k] [-z] [zone]-diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index e912580c84..aa7d768417 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -52,14 +52,14 @@DESCRIPTION
+DESCRIPTION
dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@
dnssec-dsfromkey[-h] [-V]-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -179,13 +179,13 @@-diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 6e77e44257..8d68bad8a8 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -51,7 +51,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -195,7 +195,7 @@
dnssec-importkey{-f} [filename-K] [directory-L] [ttl-P] [date/offset-D] [date/offset-h] [-v] [level-V] [dnsname]-DESCRIPTION
+DESCRIPTION
dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -71,7 +71,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -142,7 +142,7 @@
-FILES
+FILES
A keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -151,7 +151,7 @@-diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 9a0f8568e5..30c6051913 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -159,7 +159,7 @@
dnssec-keyfromlabel{-llabel} [-3] [-a] [algorithm-A] [date/offset-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-I] [date/offset-i] [interval-k] [-K] [directory-L] [ttl-n] [nametype-P] [date/offset-p] [protocol-R] [date/offset-S] [key-t] [type-v] [level-V] [-y] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, @@ -354,7 +354,7 @@
-diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 8e8d9e40e1..cb22976913 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -363,7 +363,7 @@
dnssec-keygen[-a] [algorithm-b] [keysize-n] [nametype-3] [-A] [date/offset-C] [-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-g] [generator-h] [-I] [date/offset-i] [interval-K] [directory-L] [ttl-k] [-P] [date/offset-p] [protocol-q] [-R] [date/offset-r] [randomdev-S] [key-s] [strength-t] [type-v] [level-V] [-z] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -361,7 +361,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be @@ -428,7 +428,7 @@-diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index e5b44bc4fb..9623dcd9d2 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -437,7 +437,7 @@
dnssec-revoke[-hr] [-v] [level-V] [-K] [directory-E] [engine-f] [-R] {keyfile}-diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 38d17cbfcc..ca40b2acf4 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@
dnssec-settime[-f] [-K] [directory-L] [ttl-P] [date/offset-A] [date/offset-R] [date/offset-I] [date/offset-D] [date/offset-h] [-V] [-v] [level-E] {keyfile}engine-DESCRIPTION
+DESCRIPTION
dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the
-P,-A, @@ -76,7 +76,7 @@-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -212,7 +212,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the timing metadata associated with a key. @@ -238,7 +238,7 @@
-diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index aa4214781c..f5a175c3ef 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -246,7 +246,7 @@
dnssec-signzone[-a] [-c] [class-d] [directory-D] [-E] [engine-e] [end-time-f] [output-file-g] [-h] [-K] [directory-k] [key-L] [serial-l] [domain-M] [domain-i] [interval-I] [input-format-j] [jitter-N] [soa-serial-format-o] [origin-O] [output-format-P] [-p] [-R] [-r] [randomdev-S] [-s] [start-time-T] [ttl-t] [-u] [-v] [level-V] [-X] [extended end-time-x] [-z] [-3] [salt-H] [iterations-A] {zonefile} [key...]-DESCRIPTION
+DESCRIPTION
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
-diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index f4e0da17e0..332bc792da 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -50,7 +50,7 @@EXAMPLE
+EXAMPLE
The following command signs the
example.comzone with the DSA key generated by dnssec-keygen @@ -539,14 +539,14 @@ db.example.com.signed %
dnssec-verify[-c] [class-E] [engine-I] [input-format-o] [origin-v] [level-V] [-x] [-z] {zonefile}-diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index b522c3b85b..fa1c118eea 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@
genrandom[-n] {numbersize} {filename}-diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index dc096e5c9c..9c549290b2 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@
host[-aCdlnrsTwv] [-c] [class-N] [ndots-R] [number-t] [type-W] [wait-m] [flag-4] [-6] [-v] [-V] {name} [server]-DESCRIPTION
+DESCRIPTION
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -206,7 +206,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -220,12 +220,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 40adfafc71..748354978c 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -50,7 +50,7 @@
isc-hmac-fixup{algorithm} {secret}-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@
-diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 8a0b0501a8..aee1eff89c 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -50,7 +50,7 @@SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@
named-checkconf[-h] [-v] [-j] [-t] {filename} [directory-p] [-x] [-z]-DESCRIPTION
+DESCRIPTION
named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@
-diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index b957c1b91f..ffd514dbe5 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -51,7 +51,7 @@RETURN VALUES
+RETURN VALUES
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone[-d] [-j] [-q] [-v] [-c] [class-C] [mode-f] [format-F] [format-J] [filename-i] [mode-k] [mode-m] [mode-n] [mode-l] [ttl-L] [serial-r] [mode-s] [style-t] [directory-T] [mode-w] [directory-D] [-W] {mode-o} {zonename} {filename}filename-DESCRIPTION
+DESCRIPTION
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
-diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 683a466e4a..5edb521bd1 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -50,7 +50,7 @@RETURN VALUES
+RETURN VALUES
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named-journalprint{journal}-diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 21ac889d9b..2f563157dd 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@
named-rrchecker[-h] [-o] [origin-p] [-u] [-C] [-T] [-P]-DESCRIPTION
+DESCRIPTION
named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct. @@ -78,7 +78,7 @@
-SEE ALSO
+SEE ALSO
RFC 1034, RFC 1035, diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 13be4dd380..9197c04e50 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@
named[-4] [-6] [-c] [config-file-d] [debug-level-D] [string-E] [engine-name-f] [-g] [-M] [option-m] [flag-n] [#cpus-p] [port-s] [-S] [#max-socks-t] [directory-U] [#listeners-u] [user-v] [-V] [-x]cache-file-DESCRIPTION
+DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -305,7 +305,7 @@
-diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 3ed4163e3a..109dbcb599 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -48,7 +48,7 @@CONFIGURATION
+CONFIGURATION
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -322,7 +322,7 @@
nsec3hash{salt} {algorithm} {iterations} {domain}-diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index ce3ff55319..e853f9841d 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@
nsupdate[-d] [-D] [-L] [[level-g] | [-o] | [-l] | [-y] | [[hmac:]keyname:secret-k]] [keyfile-t] [timeout-u] [udptimeout-r] [udpretries-R] [randomdev-v] [-T] [-P] [-V] [filename]-DESCRIPTION
+DESCRIPTION
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -108,7 +108,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 17a2ce7812..e514fcfd2a 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@
rndc-confgen[-a] [-A] [algorithm-b] [keysize-c] [keyfile-h] [-k] [keyname-p] [port-r] [randomfile-s] [address-t] [chrootdir-u]user-diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 82a61a1fe6..faab7d27c0 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf-DESCRIPTION
+DESCRIPTION
rndc.confis the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -136,7 +136,7 @@-diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index f98ecc6a11..db67e732c0 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to recognize the key specified in the
rndc.conf@@ -220,7 +220,7 @@
rndc[-b] [source-address-c] [config-file-k] [key-file-s] [server-p] [port-q] [-V] [-y] {command}key_id-DESCRIPTION
+DESCRIPTION
rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,7 +81,7 @@
-COMMANDS
+COMMANDS
A list of commands supported by rndc can be seen by running rndc without arguments. @@ -583,7 +583,7 @@