diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 759663702d..f2672fdf40 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -128,7 +128,7 @@

ISC BIND 9 compiles and runs on a large number - of Unix-like operating systems and on + of Unix-like operating systems and on Microsoft Windows Server 2003 and 2008, and Windows XP and Vista. For an up-to-date list of supported systems, see the README file in the top level diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index b2c721083d..07680c6482 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -49,8 +49,8 @@

Dynamic Update
The journal file
Incremental Zone Transfers (IXFR)
-
Split DNS
-
Example split DNS setup
+
Split DNS
+
Example split DNS setup
TSIG
Generate Shared Keys for Each Pair of Hosts
@@ -61,10 +61,10 @@
Errors
TKEY
-
SIG(0)
+
SIG(0)
DNSSEC
-
Generating Keys
+
Generating Keys
Signing the Zone
Configuring Servers
@@ -72,37 +72,37 @@
Converting from insecure to secure
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS#11 (Cryptoki) support
Prerequisites
Native PKCS#11
OpenSSL-based PKCS#11
-
PKCS#11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
PKCS#11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -271,7 +271,7 @@

-Split DNS

+Split DNS

Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -301,7 +301,7 @@

-Example split DNS setup

+Example split DNS setup

Let's say a company named Example, Inc. (example.com) @@ -761,7 +761,7 @@ allow-update { key host1-host2. ;};

-SIG(0)

+SIG(0)

BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC 2931. @@ -822,7 +822,7 @@ allow-update { key host1-host2. ;};

-Generating Keys

+Generating Keys

The dnssec-keygen program is used to generate keys. @@ -931,7 +931,7 @@ allow-update { key host1-host2. ;}; To enable named to validate answers from other servers, the dnssec-enable option must be set to yes, and the - dnssec-validation options must be set to + dnssec-validation options must be set to yes or auto.

@@ -1047,7 +1047,7 @@ options { including missing, expired, or invalid signatures, a key which does not match the DS RRset in the parent zone, or an insecure response from a zone which, according to its parent, should have - been secure. + been secure.

Note

@@ -1142,7 +1142,7 @@ options {

While the initial signing and NSEC/NSEC3 chain generation is happening, other updates are possible as well.

-Fully automatic zone signing

+Fully automatic zone signing

To enable automatic signing, add the auto-dnssec option to the zone statement in named.conf. @@ -1205,7 +1205,7 @@ options { configuration. If this has not been done, the configuration will fail.

-Private-type records

+Private-type records

The state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a nonzero value for @@ -1246,12 +1246,12 @@ options {

-DNSKEY rollovers

+DNSKEY rollovers

As with insecure-to-secure conversions, rolling DNSSEC keys can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

-Dynamic DNS update method

+Dynamic DNS update method

To perform key rollovers via dynamic update, you need to add the K* files for the new keys so that named can find them. You can then add the new @@ -1273,7 +1273,7 @@ options { named will clean out any signatures generated by the old key after the update completes.

-Automatic key rollovers

+Automatic key rollovers

When a new key reaches its activation date (as set by dnssec-keygen or dnssec-settime), if the auto-dnssec zone option is set to @@ -1288,27 +1288,27 @@ options { completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset.

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE

Add the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain has been generated, the NSEC3PARAM flag field will be zero. At this point you can remove the old NSEC3PARAM record. The old chain will be removed after the update request completes.

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3

To do this, you just need to add an NSEC3PARAM record. When the conversion is complete, the NSEC chain will have been removed and the NSEC3PARAM record will have a zero flag field. The NSEC3 chain will be generated before the NSEC chain is destroyed.

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC

To do this, use nsupdate to remove all NSEC3PARAM records with a zero flag field. The NSEC chain will be generated before the NSEC3 chain is removed.

-Converting from secure to insecure

+Converting from secure to insecure

To convert a signed zone to unsigned using dynamic DNS, delete all the DNSKEY records from the zone apex using nsupdate. All signatures, NSEC or NSEC3 chains, @@ -1323,14 +1323,14 @@ options { allow instead (or it will re-sign).

-Periodic re-signing

+Periodic re-signing

In any secure zone which supports dynamic updates, named will periodically re-sign RRsets which have not been re-signed as a result of some update action. The signature lifetimes will be adjusted so as to spread the re-sign load over time rather than all at once.

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT

named only supports creating new NSEC3 chains where all the NSEC3 records in the zone have the same OPTOUT @@ -1352,7 +1352,7 @@ options { configuration files.

-Validating Resolver

+Validating Resolver

To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a managed-keys statement. Information about @@ -1363,7 +1363,7 @@ options {

-Authoritative Server

+Authoritative Server

To set up an authoritative zone for RFC 5011 trust anchor maintenance, generate two (or more) key signing keys (KSKs) for the zone. Sign the zone with one of them; this is the "active" @@ -1631,7 +1631,7 @@ $ patch -p1 -d openssl-0.9.8zc \

-Building OpenSSL for the AEP Keyper on Linux

+Building OpenSSL for the AEP Keyper on Linux

The AEP Keyper is a highly secure key storage device, but does not provide hardware cryptographic acceleration. It @@ -1702,7 +1702,7 @@ $ ./Configure solaris64-x86_64-cc \

-Building OpenSSL for SoftHSM

+Building OpenSSL for SoftHSM

SoftHSM (version 1) is a software library developed by the OpenDNSSEC project @@ -1777,7 +1777,7 @@ $ ./Configure linux-x86_64 -pthread \

-Configuring BIND 9 for Linux with the AEP Keyper

+Configuring BIND 9 for Linux with the AEP Keyper

To link with the PKCS#11 provider, threads must be enabled in the BIND 9 build. @@ -1797,7 +1797,7 @@ $ ./configure CC="gcc -m32" --enable-threads \

-Configuring BIND 9 for Solaris with the SCA 6000

+Configuring BIND 9 for Solaris with the SCA 6000

To link with the PKCS#11 provider, threads must be enabled in the BIND 9 build. @@ -1819,7 +1819,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre

-Configuring BIND 9 for SoftHSM

+Configuring BIND 9 for SoftHSM
 $ cd ../bind9
 $ ./configure --enable-threads \
@@ -1840,7 +1840,7 @@ $ ./configure --enable-threads \
 
 

-PKCS#11 Tools

+PKCS#11 Tools

BIND 9 includes a minimal set of tools to operate the HSM, including @@ -1863,7 +1863,7 @@ $ ./configure --enable-threads \

-Using the HSM

+Using the HSM

For OpenSSL-based PKCS#11, we must first set up the runtime environment so the OpenSSL and PKCS#11 libraries can be loaded: @@ -1984,7 +1984,7 @@ example.net.signed

-Specifying the engine on the command line

+Specifying the engine on the command line

When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can be specified in named and all of @@ -2016,7 +2016,7 @@ $ dnssec-signzone -E '' -S example.net

-Running named with automatic zone re-signing

+Running named with automatic zone re-signing

If you want named to dynamically re-sign zones using HSM keys, and/or to to sign new records inserted via nsupdate, @@ -2103,7 +2103,7 @@ $ dnssec-signzone -E '' -S example.net

-Configuring DLZ

+Configuring DLZ

A DLZ database is configured with a dlz statement in named.conf: @@ -2152,7 +2152,7 @@ $ dnssec-signzone -E '' -S example.net

-Sample DLZ Driver

+Sample DLZ Driver

For guidance in implementation of DLZ modules, the directory contrib/dlz/example contains a basic @@ -2224,7 +2224,7 @@ $ dnssec-signzone -E '' -S example.netip6.arpa domain, as well as the older, deprecated ip6.int domain. - Older versions of BIND 9 + Older versions of BIND 9 supported the "binary label" (also known as "bitstring") format, but support of binary labels has been completely removed per RFC 3363. diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index c1b1c8f79b..90d5c5c63f 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -81,9 +81,9 @@

statistics-channels Statement Definition and Usage
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Definition and Usage
-
managed-keys Statement Grammar
+
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
view Statement Grammar
@@ -99,7 +99,7 @@
Setting TTLs
Inverse Mapping in IPv4
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -439,7 +439,7 @@ "as big as possible", depending on the context. See the explanations of particular parameters that use size_spec - for details on how they interpret its use. + for details on how they interpret its use.

Numeric values can optionally be followed by a @@ -458,7 +458,7 @@ way to safely set a very large number.

- default + default uses the limit that was in force when the server was started.

@@ -787,7 +787,7 @@

defines a named masters list for inclusion in stub and slave zones' - masters or + masters or also-notify lists.

@@ -2194,7 +2194,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]

masters Statement Grammar

-masters name [port ip_port] [dscp ip_dscp] { ( masters_list | 
+masters name [port ip_port] [dscp ip_dscp] { ( masters_list |
       ip_addr [port ip_port] [key key] ) ; [...] };
 
@@ -2272,7 +2272,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [ forwarders { [ ip_addr [port ip_port] [dscp ip_dscp] ; ... ] }; ] [ dual-stack-servers [port ip_port] [dscp ip_dscp] { ( domain_name [port ip_port] [dscp ip_dscp] | - ip_addr [port ip_port] [dscp ip_dscp]) ; + ip_addr [port ip_port] [dscp ip_dscp]) ; ... }; ] [ check-names ( master | slave | response ) ( warn | fail | ignore ); ] @@ -2320,7 +2320,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [ query-source-v6 ( ( ip6_addr | * ) [ port ( ip_port | * ) ] [ dscp ip_dscp] | - [ address ( ip6_addr | * ) ] + [ address ( ip6_addr | * ) ] [ port ( ip_port | * ) ] ) [ dscp ip_dscp] ; ] [ use-queryport-pool yes_or_no; ] @@ -2736,7 +2736,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] The pathname of a file to override the built-in trusted keys provided by named. See the discussion of dnssec-lookaside - and dnssec-validation for details. + and dnssec-validation for details. If not specified, the default is /etc/bind.keys.

@@ -2989,7 +2989,7 @@ options {

Each dns64 supports an optional mapped ACL that selects which - IPv4 addresses are to be mapped in the corresponding + IPv4 addresses are to be mapped in the corresponding A RRset. If not defined it defaults to any;.

@@ -3122,7 +3122,7 @@ options { option can also accept yes or no; yes has the same meaning as full. - As of BIND 9.10, + As of BIND 9.10, no has the same meaning as none; previously, it was the same as terse. @@ -3532,7 +3532,7 @@ options {
request-nsid

If yes, then an empty EDNS(0) - NSID (Name Server Identifier) option is sent with all + NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution. If the authoritative server returns an NSID option in its response, then its contents are logged in @@ -3746,7 +3746,7 @@ options {

If yes, the DNS client is at an IPv4 address, in filter-aaaa, - and if the response does not include DNSSEC signatures, + and if the response does not include DNSSEC signatures, then all AAAA records are deleted from the response. This filtering applies to all responses and not only authoritative responses. @@ -3758,8 +3758,8 @@ options { because the DNSSEC protocol is designed detect deletions.

- This mechanism can erroneously cause other servers to - not give AAAA records to their clients. + This mechanism can erroneously cause other servers to + not give AAAA records to their clients. A recursing server with both IPv6 and IPv4 network connections that queries an authoritative server using this mechanism via IPv4 will be denied AAAA records even if its client is @@ -4390,7 +4390,7 @@ options {

-Interfaces

+Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4549,7 +4549,7 @@ avoid-v6-udp-ports {};

Note: BIND 9.5.0 introduced - the use-queryport-pool + the use-queryport-pool option to support a pool of such random ports, but this option is now obsolete because reusing the same ports in the pool may not be sufficiently secure. @@ -5014,7 +5014,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

A "soft quota" is also set. When this lower quota is exceeded, incoming requests are accepted, but - for each one, a pending request will be dropped. + for each one, a pending request will be dropped. If recursive-clients is greater than 1000, the soft quota is set to recursive-clients minus 100; @@ -5230,7 +5230,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; or the value 0, will place no limit on cache size; records will be purged from the cache only when their TTLs expire. - Any positive values less than 2MB will be ignored + Any positive values less than 2MB will be ignored and reset to 2MB. In a server with multiple views, the limit applies separately to the cache of each view. @@ -5245,7 +5245,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; waiting for some data before being passed to accept. Nonzero values less than 10 will be silently raised. A value of 0 may also - be used; on most platforms this sets the listen queue + be used; on most platforms this sets the listen queue length to a system-defined default value.

@@ -6260,7 +6260,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Content Filtering

+Content Filtering

BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -6436,7 +6436,7 @@ deny-answer-aliases { "example.net"; }; to the standard IPv6 text representation, prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip. Each of W8,...,W1 is a one to four digit hexadecimal number - representing 16 bits of the IPv6 address as in the standard + representing 16 bits of the IPv6 address as in the standard text representation of IPv6 addresses, but reversed as in IP6.ARPA. (Note that this representation of IPv6 address is different from IP6.ARPA where each hex @@ -7197,7 +7197,7 @@ example.com CNAME rpz-tcp-only. whether the local server will add a NSID EDNS option to requests sent to the server. This overrides request-nsid set at the view or - option level. + option level.

The request-sit clause determines @@ -7278,16 +7278,16 @@ example.com CNAME rpz-tcp-only. port 8888, then the statistics are accessible in XML format at http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is - included which can format the XML statistics into tables - when viewed with a stylesheet-capable browser, and into + included which can format the XML statistics into tables + when viewed with a stylesheet-capable browser, and into charts and graphs using the Google Charts API when using a javascript-capable browser.

Applications that depend on a particular XML schema - can request + can request http://127.0.0.1:8888/xml/v2 for version 2 - of the statistics XML schema or + of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" @@ -7337,7 +7337,7 @@ example.com CNAME rpz-tcp-only.

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines @@ -7377,7 +7377,7 @@ example.com CNAME rpz-tcp-only.

-managed-keys Statement Grammar

+managed-keys Statement Grammar
managed-keys {
     name initial-key flags protocol algorithm key-data ;
     [ name initial-key flags protocol algorithm key-data ; [...]]
@@ -7389,7 +7389,7 @@ example.com                 CNAME   rpz-tcp-only.
 managed-keys Statement Definition
             and Usage
 

- The managed-keys statement, like + The managed-keys statement, like trusted-keys, defines DNSSEC security roots. The difference is that managed-keys can be kept up to date @@ -7435,7 +7435,7 @@ example.com CNAME rpz-tcp-only. initial-key. The difference is, whereas the keys listed in a trusted-keys continue to be trusted until they are removed from - named.conf, an initializing key listed + named.conf, an initializing key listed in a managed-keys statement is only trusted once: for as long as it takes to load the managed key database and start the RFC 5011 key maintenance @@ -7806,7 +7806,7 @@ zone zone_name [ allow-query { address_match_list }; ] [ server-addresses { [ ip_addr ; ... ] }; ] - [ server-names { [ namelist ] }; ] + [ server-names { [ namelist ] }; ] [ zone-statistics yes_or_no ; ] }; @@ -8011,7 +8011,7 @@ zone zone_name [ Each static-stub zone is configured with internally generated NS and (if necessary) - glue A or AAAA RRs + glue A or AAAA RRs

@@ -8095,7 +8095,7 @@ zone zone_name ["*. IN A 100.100.100.2"
and "*. IN AAAA 2001:ffff:ffff::100.100.100.2". @@ -8103,7 +8103,7 @@ zone zone_name [ To redirect all Spanish names (under .ES) one would use similar entries but with the names - "*.ES." instead of "*.". To redirect all + "*.ES." instead of "*.". To redirect all commercial Spanish names (under COM.ES) one would use wildcard entries called "*.COM.ES.".

@@ -8158,7 +8158,7 @@ zone zone_name [

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), @@ -8180,7 +8180,7 @@ zone zone_name [

-Zone Options

+Zone Options
allow-notify

@@ -8613,7 +8613,7 @@ example.com. NS ns2.example.net. zonename causes named to load keys from the key repository and sign the zone with all keys that are - active. + active. rndc loadkeys zonename causes named to load keys from the key @@ -8644,7 +8644,7 @@ example.com. NS ns2.example.net. the zone is updated.

- When set to + When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is @@ -8941,7 +8941,7 @@ example.com. NS ns2.example.net.

This rule takes a Windows machine principal (machine$@REALM) for machine in REALM and - and converts it machine.realm allowing the machine + and converts it machine.realm allowing the machine to update machine.realm. The REALM to be matched is specified in the identity field. @@ -8956,7 +8956,7 @@ example.com. NS ns2.example.net.

- This rule takes a Windows machine principal + This rule takes a Windows machine principal (machine$@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM @@ -8975,7 +8975,7 @@ example.com. NS ns2.example.net.

This rule takes a Kerberos machine principal (host/machine@REALM) for machine in REALM and - and converts it machine.realm allowing the machine + and converts it machine.realm allowing the machine to update machine.realm. The REALM to be matched is specified in the identity field. @@ -8990,7 +8990,7 @@ example.com. NS ns2.example.net.

- This rule takes a Kerberos machine principal + This rule takes a Kerberos machine principal (host/machine@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM @@ -9914,7 +9914,7 @@ view external {

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -10448,18 +10448,18 @@ view external {

-The @ (at-sign)

+The @ (at-sign)

When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. - At the start of the zone file, it is the + At the start of the zone file, it is the <zone_name> (followed by trailing dot).

-The $ORIGIN Directive

+The $ORIGIN Directive

Syntax: $ORIGIN domain-name @@ -10488,7 +10488,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $INCLUDE Directive

+The $INCLUDE Directive

Syntax: $INCLUDE filename @@ -10524,7 +10524,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $TTL Directive

+The $TTL Directive

Syntax: $TTL default-ttl @@ -10543,7 +10543,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-BIND Master File Extension: the $GENERATE Directive

+BIND Master File Extension: the $GENERATE Directive

Syntax: $GENERATE range @@ -10740,7 +10740,7 @@ HOST-127.EXAMPLE. MX 0 .

In addition to the standard textual format, BIND 9 supports the ability to read or dump to zone files in - other formats. + other formats.

The raw format is @@ -10760,7 +10760,7 @@ HOST-127.EXAMPLE. MX 0 . For a primary server, a zone file in raw or map format is expected to be generated from a textual zone - file by the named-compilezone command. + file by the named-compilezone command. For a secondary server or for a dynamic zone, it is automatically generated (if this format is specified by the masterfile-format option) when @@ -10782,7 +10782,7 @@ HOST-127.EXAMPLE. MX 0 . with different pointer size, endianness or data alignment than the system on which it was generated, and should in general be used only inside a single system. - While raw format uses + While raw format uses network byte order and avoids architecture-dependent data alignment so that it is as portable as possible, it is also primarily expected to be used @@ -10986,7 +10986,7 @@ HOST-127.EXAMPLE. MX 0 .

-Name Server Statistics Counters

+Name Server Statistics Counters
@@ -11582,7 +11582,7 @@ HOST-127.EXAMPLE. MX 0 .

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters
@@ -11736,7 +11736,7 @@ HOST-127.EXAMPLE. MX 0 .

-Resolver Statistics Counters

+Resolver Statistics Counters
@@ -12119,7 +12119,7 @@ HOST-127.EXAMPLE. MX 0 .

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are @@ -12274,7 +12274,7 @@ HOST-127.EXAMPLE. MX 0 .

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 0bfb9ba86b..437ca8e23f 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -46,7 +46,7 @@

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
The chroot Environment
Using the setuid Function
@@ -114,7 +114,7 @@ zone "example.com" {

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index a4f092a3d1..cd788ff4e5 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -45,7 +45,7 @@

-Release Notes for BIND Version 9.10.2

+Release Notes for BIND Version 9.10.2

Introduction

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index d5ed2ab9ef..5b94d8171a 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -50,9 +50,9 @@
Prerequisite
Compilation
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
Library References
@@ -135,7 +135,7 @@ $ make install

-Known Defects/Restrictions

+Known Defects/Restrictions
  • Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -175,7 +175,7 @@ $ make

-The dns.conf File

+The dns.conf File

The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -193,14 +193,14 @@ $ make

-Sample Applications

+Sample Applications

Some sample application programs using this API are provided for reference. The following is a brief description of these applications.

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -264,7 +264,7 @@ $ make

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -305,7 +305,7 @@ $ make

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -346,7 +346,7 @@ $ make

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -363,7 +363,7 @@ $ make

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

It accepts a single update command as a command-line argument, sends an update request message to the diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 3171ae1a90..e86ee87ed9 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -93,8 +93,8 @@

Dynamic Update
The journal file
Incremental Zone Transfers (IXFR)
-
Split DNS
-
Example split DNS setup
+
Split DNS
+
Example split DNS setup
TSIG
Generate Shared Keys for Each Pair of Hosts
@@ -105,10 +105,10 @@
Errors
TKEY
-
SIG(0)
+
SIG(0)
DNSSEC
-
Generating Keys
+
Generating Keys
Signing the Zone
Configuring Servers
@@ -116,37 +116,37 @@
Converting from insecure to secure
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS#11 (Cryptoki) support
Prerequisites
Native PKCS#11
OpenSSL-based PKCS#11
-
PKCS#11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
PKCS#11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -197,9 +197,9 @@
statistics-channels Statement Definition and Usage
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Definition and Usage
-
managed-keys Statement Grammar
+
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
view Statement Grammar
@@ -215,7 +215,7 @@
Setting TTLs
Inverse Mapping in IPv4
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -224,7 +224,7 @@
7. BIND 9 Security Considerations
Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
The chroot Environment
Using the setuid Function
@@ -240,7 +240,7 @@
A. Release Notes
-
Release Notes for BIND Version 9.10.2
+
Release Notes for BIND Version 9.10.2
Introduction
Download
@@ -271,9 +271,9 @@
Prerequisite
Compilation
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
Library References
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index ce8d54f4ed..c9b73c008b 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -50,20 +50,20 @@

arpaname {ipaddress ...}

-

DESCRIPTION

+

DESCRIPTION

arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 8e97a506eb..8b9348fb4e 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -51,7 +51,7 @@

ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name | -z zone ]

-

DESCRIPTION

+

DESCRIPTION

tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -87,7 +87,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm

@@ -159,7 +159,7 @@

-

SEE ALSO

+

SEE ALSO

nsupdate(1), named.conf(5), named(8), @@ -167,7 +167,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 3ba71fa1c0..f1ed6ead3d 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -53,7 +53,7 @@

delv [queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the the same internal @@ -96,7 +96,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of delv looks like:

@@ -151,7 +151,7 @@

-

OPTIONS

+

OPTIONS

-a anchor-file
@@ -465,12 +465,12 @@

-

FILES

+

FILES

/etc/bind.keys

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8), RFC4034, diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 25f6b06795..3861fd699a 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -152,7 +152,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -280,7 +280,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -747,7 +747,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -761,14 +761,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -776,7 +776,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index aa09b12c38..2a4ad0a702 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -51,7 +51,7 @@

dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

-

DESCRIPTION

+

DESCRIPTION

dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@

-

OPTIONS

+

OPTIONS

-f file

@@ -88,14 +88,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8),

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 2ef8cab85f..a833b0bc2a 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -50,7 +50,7 @@

dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

-

DESCRIPTION

+

DESCRIPTION

dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@

-

OPTIONS

+

OPTIONS

-K directory

@@ -192,7 +192,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-checkds(8), dnssec-dsfromkey(8), @@ -201,7 +201,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index e912580c84..aa7d768417 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -52,14 +52,14 @@

dnssec-dsfromkey [-h] [-V]

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -150,7 +150,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -165,7 +165,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -179,13 +179,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -195,7 +195,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 6e77e44257..8d68bad8a8 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -51,7 +51,7 @@

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

-

DESCRIPTION

+

DESCRIPTION

dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-f filename
@@ -114,7 +114,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -142,7 +142,7 @@

-

FILES

+

FILES

A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -151,7 +151,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -159,7 +159,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 9a0f8568e5..30c6051913 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -50,7 +50,7 @@

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -315,7 +315,7 @@
-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -354,7 +354,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -363,7 +363,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 8e8d9e40e1..cb22976913 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -50,7 +50,7 @@

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -287,7 +287,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -361,7 +361,7 @@

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -407,7 +407,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -428,7 +428,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -437,7 +437,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index e5b44bc4fb..9623dcd9d2 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -50,7 +50,7 @@

dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -109,14 +109,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 38d17cbfcc..ca40b2acf4 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -50,7 +50,7 @@

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, @@ -76,7 +76,7 @@

-

OPTIONS

+

OPTIONS

-f

@@ -133,7 +133,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -212,7 +212,7 @@

-

PRINTING OPTIONS

+

PRINTING OPTIONS

dnssec-settime can also be used to print the timing metadata associated with a key. @@ -238,7 +238,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -246,7 +246,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index aa4214781c..f5a175c3ef 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -509,7 +509,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -539,14 +539,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033, RFC 4641.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index f4e0da17e0..332bc792da 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -50,7 +50,7 @@

dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-c class

@@ -138,7 +138,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -146,7 +146,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index b522c3b85b..fa1c118eea 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -50,7 +50,7 @@

genrandom [-n number] {size} {filename}

-

DESCRIPTION

+

DESCRIPTION

genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@

-

ARGUMENTS

+

ARGUMENTS

-n number

@@ -77,14 +77,14 @@

-

SEE ALSO

+

SEE ALSO

rand(3), arc4random(3)

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index dc096e5c9c..9c549290b2 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -206,7 +206,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -220,12 +220,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 40adfafc71..748354978c 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -50,7 +50,7 @@

isc-hmac-fixup {algorithm} {secret}

-

DESCRIPTION

+

DESCRIPTION

Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@

-

SECURITY CONSIDERATIONS

+

SECURITY CONSIDERATIONS

Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 2104.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 8a0b0501a8..aee1eff89c 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -50,7 +50,7 @@

named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -119,21 +119,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index b957c1b91f..ffd514dbe5 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -51,7 +51,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -305,14 +305,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -320,7 +320,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 683a466e4a..5edb521bd1 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -50,7 +50,7 @@

named-journalprint {journal}

-

DESCRIPTION

+

DESCRIPTION

named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@

-

SEE ALSO

+

SEE ALSO

named(8), nsupdate(8), @@ -84,7 +84,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 21ac889d9b..2f563157dd 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -50,7 +50,7 @@

named-rrchecker [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

-

DESCRIPTION

+

DESCRIPTION

named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct. @@ -78,7 +78,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1034, RFC 1035, diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 13be4dd380..9197c04e50 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -284,7 +284,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -305,7 +305,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -322,7 +322,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -335,7 +335,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -348,7 +348,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 3ed4163e3a..109dbcb599 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -48,7 +48,7 @@

nsec3hash {salt} {algorithm} {iterations} {domain}

-

DESCRIPTION

+

DESCRIPTION

nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@

-

ARGUMENTS

+

ARGUMENTS

salt

@@ -80,14 +80,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 5155.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index ce3ff55319..e853f9841d 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@

nsupdate [-d] [-D] [-L level] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -108,7 +108,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -242,7 +242,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -544,7 +544,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -598,7 +598,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -621,7 +621,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 2136, RFC 3007, @@ -636,7 +636,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 17a2ce7812..e514fcfd2a 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@

rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -180,7 +180,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -197,7 +197,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -205,7 +205,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 82a61a1fe6..faab7d27c0 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -136,7 +136,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -210,7 +210,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -220,7 +220,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -228,7 +228,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index f98ecc6a11..db67e732c0 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,7 +81,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -152,7 +152,7 @@

-

COMMANDS

+

COMMANDS

A list of commands supported by rndc can be seen by running rndc without arguments. @@ -583,7 +583,7 @@

-

LIMITATIONS

+

LIMITATIONS

There is currently no way to provide the shared secret for a key_id without using the configuration file. @@ -593,7 +593,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -603,7 +603,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium