diff --git a/CHANGES b/CHANGES
index f831e1bb98..9d58c90f80 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4400. [doc] Description of masters with TSIG, allow-query and
+ allow-transfer options in catalog zones. [RT #42692]
+
4389. [test] Rewritten test suite for catalog zones. [RT #42676]
4388. [func] Support for master entries with TSIG keys in catalog
diff --git a/doc/arm/catz.xml b/doc/arm/catz.xml
index 30b1c4a99e..726ef22d32 100644
--- a/doc/arm/catz.xml
+++ b/doc/arm/catz.xml
@@ -190,25 +190,59 @@ version.catalog.example. IN TXT "1"
the domain name label immediately before the catalog zone domain.
- Catalog zones can contain a set of global options that are applied to
- all member zones, overriding the settings for the catalog zone
- in the configuration file. Currently only the "masters" option
- is supported:
-
+ Catalog zone options can be set either globally for the whole catalog
+ zone or for a single member zone. Global options override the settings
+ in the configuration file and member zone options override global
+ options.
-
-masters.catalog.example. IN A 192.0.2.1
-masters.catalog.example. IN AAAA 2001:db8::1
-
- (Note that if more than one server is defined, the order in which
- they are used is undefined. The above example could correspond to
- a zone configured with
-
- or with
- .
- There is currently no way to force a particular ordering.)
-
+ Global options are set at the apex of the catalog zone, e.g.:
+
+
+ masters.catalog.example. IN AAAA 2001:db8::1
+
+ BIND currently supports the following options:
+
+
+ A simple definition:
+
+ masters.catalog.example. IN A 192.0.2.1
+
+
+ This option defines a master server for the member zones - it
+ can be either an A or AAAA record. If multiple masters are set the
+ order in which they are used is random.
+
+
+
+ A with a TSIG key defined:
+
+ label.masters.catalog.example. IN A 192.0.2.2
+ label.masters.catalog.example. IN TXT "tsig_key_name"
+
+
+ This option defines a master server for the member zone with a TSIG
+ key set. The TSIG key must be configured in the configuration file.
+ can be any valid DNS label.
+
+
+
+ and
+ ACLs:
+
+ allow-query.catalog.example. IN APL 1:10.0.0.1/24
+ allow-transfer.catalog.example. IN APL !1:10.0.0.1/32 1:10.0.0.0/24
+
+
+ These options are the equivalents of
+ and in a zone declaration in the
+ named.conf configuration file. The ACL is
+ processed in order - if there's no match to any rule the default
+ policy is to deny access. For the syntax of the APL RR see RFC
+ 3123
+
+
+
A member zone is added by including a PTR
resource record in the zones sub-domain of the
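Review bot: The allow-query APL example (`allow-query.catalog.example. IN APL 1:10.0.0.1/24`) uses an address with host bits set beyond the /24 prefix; suggest `1:10.0.0.0/24`, which also matches the member-zone example later in this patch, so the two examples read consistently. Two smaller points in the same hunk: the global-options example now shows only `masters.catalog.example. IN AAAA 2001:db8::1`, whereas the removed text showed both an A and an AAAA record, so consider keeping the A record alongside it since the text immediately below says a master "can be either an A or AAAA record"; and "the order in which they are used is random" replaces the previous "undefined", which is the safer wording unless the selection is deliberately randomised. The sentence ending "see RFC 3123" is also missing its full stop.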
@@ -227,7 +261,9 @@ masters.catalog.example. IN AAAA 2001:db8::1
masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN A 192.0.2.2
-masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN AAAA 2001:db8::2
+label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN AAAA 2001:db8::2
+label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN TXT "tsig_key"
+allow-query.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN APL 1:10.0.0.0/24
As would be expected, options defined for a specific zone override
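Review bot: The TXT record here names the key `"tsig_key"` while the hunk above uses `"tsig_key_name"`; use one placeholder in both places so readers do not take them for two different conventions. It would also help to state explicitly that only the labelled entry (`label.masters.<hash>...`, 2001:db8::2) is associated with the TSIG key, while the unlabelled `masters.<hash>... IN A 192.0.2.2` entry still has no key, since the example otherwise leaves that to inference.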