Fix README related to --with-tuning

The files configure.ac and version are already up to date.

Updated CHANGES with 9.17.0 release line.

Fixed CHANGES by adding GitLab reference to entry 5357 and fix
grammar mistakes.

Add missing /util/check-make-install.in to .gitattributes.

The lib/*/api are already updated to match the new ranges.

I listed two new features under BIND 9.17 features that to me
seemed noteworthy.

The release notes look good to me.

.gitattributes

@@ -7,4 +7,5 @@
 /doc/dev			 export-ignore
 /util/**			 export-ignore
 /util/bindkeys.pl		-export-ignore
+/util/check-make-install.in	-export-ignore
 /util/mksymtbl.pl		-export-ignore

CHANGES

@@ -1,17 +1,18 @@
+	--- 9.17.0 released ---
+
 5366.	[bug]		Fix a race condition with the keymgr when the same
 			zone plus dnssec-policy is configured in multiple
 			views. [GL #1653]
 
 5365.	[bug]		Algorithm rollover was stuck on submitting DS
 			because keymgr thought it would move to an invalid
-			state.  Fixed by when checking the current key,
-			check it against the desired state, not the existing
-			state. [GL #1626]
+			state.  Fixed by checking the current key against
+			the desired state, not the existing state. [GL #1626]
 
 5364.	[bug]		Algorithm rollover waited too long before introducing
 			zone signatures.  It waited to make sure all signatures
-			were resigned, but when introducing a new algorithm,
-			all signatures are resigned immediately.  Only
+			were regenerated, but when introducing a new algorithm,
+			all signatures are regenerated immediately.  Only
 			add the sign delay if there is a predecessor key.
 			[GL #1625]
 
@@ -43,7 +44,8 @@
 
 5357.	[bug]		Newly added RRSIG records with expiry times before
 			the previous earliest expiry times might not be
-			re-signed in time.  The was a side effect of 5315.
+			re-signed in time.  This was a side effect of 5315.
+			[GL !3137]
 
 5356.	[func]		Update dnssec-policy configuration statements:
 			- Rename "zone-max-ttl" dnssec-policy option to

README

@@ -112,7 +112,12 @@ format-patch.
 BIND 9.17 features
 
 BIND 9.17 is the newest development branch of BIND 9. It includes a number
-of changes from BIND 9.16 and earlier releases.
+of changes from BIND 9.16 and earlier releases. New features include:
+
+  * New option "max-ixfr-ratio" to limit the size of outgoing IXFR
+    responses before falling back to full zone transfers.
+  * "rndc nta -d" and "rndc secroots" now include "validate-except"
+    entries when listing negative trust anchors.
 
 Building BIND
 
@@ -227,7 +232,7 @@ github.com/farsightsec/fstrm and libprotobuf-c https://
 developers.google.com/protocol-buffers, and BIND must be configured with
 --enable-dnstap.
 
-Certain compiled-in constants and default settings can be increased to
+Certain compiled-in constants and default settings can be decreased to
 values better suited to small machines, e.g. OpenWRT boxes, by specifying
 --with-tuning=small on the configure command line. This will decrease
 memory usage by using smaller structures, but will degrade performance.

README.md

@@ -128,7 +128,12 @@ including your patch as an attachment, preferably generated by
 ### <a name="features"/> BIND 9.17 features
 
 BIND 9.17 is the newest development branch of BIND 9. It includes a
-number of changes from BIND 9.16 and earlier releases.
+number of changes from BIND 9.16 and earlier releases. New features include:
+
+* New option "max-ixfr-ratio" to limit the size of outgoing IXFR responses
+  before falling back to full zone transfers.
+* "rndc nta -d" and "rndc secroots" now include "validate-except" entries
+  when listing negative trust anchors.
 
 ### <a name="build"/> Building BIND
 
@@ -244,7 +249,7 @@ and `libprotobuf-c`
 [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
 and BIND must be configured with `--enable-dnstap`.
 
-Certain compiled-in constants and default settings can be increased to
+Certain compiled-in constants and default settings can be decreased to
 values better suited to small machines, e.g. OpenWRT boxes, by specifying
 `--with-tuning=small` on the `configure` command line. This will decrease
 memory usage by using smaller structures, but will degrade performance.

doc/arm/Bv9ARM.ch01.html

@@ -75,7 +75,7 @@
         <acronym class="acronym">BIND</acronym> version 9 software package for
         system administrators.
       </p>
-      <p>This version of the manual corresponds to BIND version 9.15.</p>
+      <p>This version of the manual corresponds to BIND version 9.17.</p>
     </div>
 
     <div class="section">

doc/arm/Bv9ARM.ch04.html

@@ -271,30 +271,43 @@
 
       <p>
         The incremental zone transfer (IXFR) protocol is a way for
-        slave servers to transfer only changed data, instead of having to
+        secondary servers to transfer only changed data, instead of having to
         transfer the entire zone. The IXFR protocol is specified in RFC
         1995. See <a class="xref" href="Bv9ARM.ch10.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
       </p>
 
       <p>
-        When acting as a master, <acronym class="acronym">BIND</acronym> 9
+        When acting as a primary server, <acronym class="acronym">BIND</acronym> 9
         supports IXFR for those zones
         where the necessary change history information is available. These
-        include master zones maintained by dynamic update and slave zones
+        include primary zones maintained by dynamic update and secondary zones
         whose data was obtained by IXFR.  For manually maintained master
-        zones, and for slave zones obtained by performing a full zone
+        zones, and for secondary zones obtained by performing a full zone
         transfer (AXFR), IXFR is supported only if the option
         <span class="command"><strong>ixfr-from-differences</strong></span> is set
         to <strong class="userinput"><code>yes</code></strong>.
       </p>
 
       <p>
-        When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
+        When acting as a secondary server, <acronym class="acronym">BIND</acronym> 9 will
         attempt to use IXFR unless
         it is explicitly disabled. For more information about disabling
         IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause
         of the <span class="command"><strong>server</strong></span> statement.
       </p>
+
+      <p>
+        When a secondary server receives a zone via AXFR, it creates a
+        new copy of the zone database and then swaps it into place; during
+        the loading process, queries continue to be served from the old
+        database with no interference. When receiving a zone via IXFR,
+        however, changes are applied to the running zone, which may
+        degrade query performance during the transfer.  If a server
+        receiving an IXFR request determines that the response size would
+        be similar in size to an AXFR response, it may wish to send AXFR
+        instead. The threshold at which this determination is made can
+        be configured using the <span class="command"><strong>max-ixfr-ratio</strong></span> option.
+      </p>
     </div>
 
     <div class="section">

doc/arm/Bv9ARM.ch05.html

@@ -1220,7 +1220,8 @@
 
         <p>
           The <span class="command"><strong>include</strong></span> statement inserts the
-          specified file at the point where the <span class="command"><strong>include</strong></span>
+          specified file (or files if a valid glob expression is detected)
+          at the point where the <span class="command"><strong>include</strong></span>
           statement is encountered. The <span class="command"><strong>include</strong></span>
                 statement facilitates the administration of configuration
           files
@@ -3115,6 +3116,22 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 of the new format.)
               </p>
             </dd>
+<dt><span class="term"><span class="command"><strong>max-ixfr-ratio</strong></span></span></dt>
+<dd>
+              <p>
+                Sets the size threshold (expressed as a percentage
+                of the size of the full zone) beyond which
+                <span class="command"><strong>named</strong></span> will choose to use an AXFR
+                response rather than IXFR when answering zone transfer
+                requests.  See <a class="xref" href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
+              </p>
+              <p>
+                The minimum value is <code class="literal">1%</code>. The keyword
+                <code class="literal">unlimited</code> disables ratio checking and
+                allows IXFRs of any size.  The default is
+                <code class="literal">100%</code>.
+              </p>
+            </dd>
 <dt><span class="term"><span class="command"><strong>new-zones-directory</strong></span></span></dt>
 <dd>
               <p>
@@ -9125,6 +9142,13 @@ example.com                 CNAME   rpz-tcp-only.
             roll, which cryptographic algorithms to use, and how often RRSIG
             records need to be refreshed.
           </p>
+          <p>
+            Keys are not shared among zones, which means that one set of keys
+            per zone will be generated even if they have the same policy.
+            If multiple views are configured with different versions of the
+            same zone, each separate version will use the same set of signing
+            keys.
+          </p>
           <p>
             Multiple key and signing policies can be configured.  To
             attach a policy to a zone, add a <span class="command"><strong>dnssec-policy</strong></span>
@@ -10607,6 +10631,15 @@ view "external" {
                     This is applicable to <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span> zones.
                   </p>
                 </dd>
+<dt><span class="term"><span class="command"><strong>max-ixfr-ratio</strong></span></span></dt>
+<dd>
+                  <p>
+                    See the description of
+                    <span class="command"><strong>max-ixfr-ratio</strong></span> in
+                    <a class="xref" href="Bv9ARM.ch05.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
+          Usage&#8221;</a>.
+                  </p>
+                </dd>
 <dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
 <dd>
                   <p>

doc/arm/Bv9ARM.ch08.html

@@ -109,6 +109,89 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
 
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-known"></a>Known Issues</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+        <p>
+          UDP network ports used for listening can no longer simultaneously be
+          used for sending traffic.  An example configuration which triggers
+          this issue would be one which uses the same
+          <em class="replaceable"><code>address:port</code></em> pair for
+          <span class="command"><strong>listen-on(-v6)</strong></span> statements as for
+          <span class="command"><strong>notify-source(-v6)</strong></span> or
+          <span class="command"><strong>transfer-source(-v6)</strong></span>.  While this issue affects all
+          operating systems, it only triggers log messages (e.g. "unable to
+          create dispatch for reserved port") on some of them.  There are
+          currently no plans to make such a combination of settings work again.
+        </p>
+      </li></ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-new"></a>New Features</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+        <p>
+          When a secondary server receives a large incremental zone
+          transfer (IXFR), it can have a negative impact on query
+          performance while the incremental changes are applied to
+          the zone. To address this, <span class="command"><strong>named</strong></span> can now
+          limit the size of IXFR responses it sends in response to zone
+          transfer requests. If an IXFR response would be larger than an
+          AXFR of the entire zone, it will send an AXFR response instead.
+        </p>
+        <p>
+          This behavior is controlled by the <span class="command"><strong>max-ixfr-ratio</strong></span>
+          option - a percentage value representing the ratio of IXFR size
+          to the size of a full zone transfer. The default is
+          <code class="literal">100%</code>. [GL #1515]
+        </p>
+      </li></ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-changes"></a>Feature Changes</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+        <p>
+          The system-provided POSIX Threads read-write lock implementation is
+          now used by default instead of the native BIND 9 implementation.
+          Please be aware that glibc versions 2.26 through 2.29 had a
+          <a class="link" href="https://sourceware.org/bugzilla/show_bug.cgi?id=23844" target="_top">bug</a>
+          that could cause BIND 9 to deadlock. A fix was released in glibc 2.30,
+          and most current Linux distributions have patched or updated glibc,
+          with the notable exception of Ubuntu 18.04 (Bionic) which is a work in
+          progress. If you are running on an affected operating system, compile
+          BIND 9 with <span class="command"><strong>--disable-pthread-rwlock</strong></span> until a fixed
+          version of glibc is available. [GL !3125]
+        </p>
+      </li>
+<li class="listitem">
+        <p>
+          The <span class="command"><strong>rndc nta -dump</strong></span> and
+          <span class="command"><strong>rndc secroots</strong></span> commands now both include
+          <span class="command"><strong>validate-except</strong></span> entries when listing negative
+          trust anchors. These are indicated by the keyword
+          <code class="literal">permanent</code> in place of the expiry
+          date. [GL #1532]
+        </p>
+      </li>
+</ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-bugs"></a>Bug Fixes</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+        <p>
+          Fixed re-signing issues with inline zones which resulted in
+          records being re-signed late or not at all.
+        </p>
+      </li></ul></div>
+  </div>
+
 </div>
 
   <div class="section">

doc/arm/notes-9.17.0.xml

@@ -40,7 +40,7 @@
           the zone. To address this, <command>named</command> can now
           limit the size of IXFR responses it sends in response to zone
           transfer requests. If an IXFR response would be larger than an
-          AXFR of the entire zone, it will send an AXFR resonse instead.
+          AXFR of the entire zone, it will send an AXFR response instead.
         </para>
         <para>
           This behavior is controlled by the <command>max-ixfr-ratio</command>

doc/arm/notes.html

@@ -74,6 +74,89 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
 
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-known"></a>Known Issues</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+        <p>
+          UDP network ports used for listening can no longer simultaneously be
+          used for sending traffic.  An example configuration which triggers
+          this issue would be one which uses the same
+          <em class="replaceable"><code>address:port</code></em> pair for
+          <span class="command"><strong>listen-on(-v6)</strong></span> statements as for
+          <span class="command"><strong>notify-source(-v6)</strong></span> or
+          <span class="command"><strong>transfer-source(-v6)</strong></span>.  While this issue affects all
+          operating systems, it only triggers log messages (e.g. "unable to
+          create dispatch for reserved port") on some of them.  There are
+          currently no plans to make such a combination of settings work again.
+        </p>
+      </li></ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-new"></a>New Features</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+        <p>
+          When a secondary server receives a large incremental zone
+          transfer (IXFR), it can have a negative impact on query
+          performance while the incremental changes are applied to
+          the zone. To address this, <span class="command"><strong>named</strong></span> can now
+          limit the size of IXFR responses it sends in response to zone
+          transfer requests. If an IXFR response would be larger than an
+          AXFR of the entire zone, it will send an AXFR response instead.
+        </p>
+        <p>
+          This behavior is controlled by the <span class="command"><strong>max-ixfr-ratio</strong></span>
+          option - a percentage value representing the ratio of IXFR size
+          to the size of a full zone transfer. The default is
+          <code class="literal">100%</code>. [GL #1515]
+        </p>
+      </li></ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-changes"></a>Feature Changes</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+        <p>
+          The system-provided POSIX Threads read-write lock implementation is
+          now used by default instead of the native BIND 9 implementation.
+          Please be aware that glibc versions 2.26 through 2.29 had a
+          <a class="link" href="https://sourceware.org/bugzilla/show_bug.cgi?id=23844" target="_top">bug</a>
+          that could cause BIND 9 to deadlock. A fix was released in glibc 2.30,
+          and most current Linux distributions have patched or updated glibc,
+          with the notable exception of Ubuntu 18.04 (Bionic) which is a work in
+          progress. If you are running on an affected operating system, compile
+          BIND 9 with <span class="command"><strong>--disable-pthread-rwlock</strong></span> until a fixed
+          version of glibc is available. [GL !3125]
+        </p>
+      </li>
+<li class="listitem">
+        <p>
+          The <span class="command"><strong>rndc nta -dump</strong></span> and
+          <span class="command"><strong>rndc secroots</strong></span> commands now both include
+          <span class="command"><strong>validate-except</strong></span> entries when listing negative
+          trust anchors. These are indicated by the keyword
+          <code class="literal">permanent</code> in place of the expiry
+          date. [GL #1532]
+        </p>
+      </li>
+</ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-bugs"></a>Bug Fixes</h4></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+        <p>
+          Fixed re-signing issues with inline zones which resulted in
+          records being re-signed late or not at all.
+        </p>
+      </li></ul></div>
+  </div>
+
 </div>
 
   <div class="section">

doc/arm/notes.txt

@@ -38,6 +38,52 @@ operating systems.
 
 Notes for BIND 9.17.0
 
+Known Issues
+
+  * UDP network ports used for listening can no longer simultaneously be
+    used for sending traffic. An example configuration which triggers this
+    issue would be one which uses the same address:port pair for listen-on
+    (-v6) statements as for notify-source(-v6) or transfer-source(-v6).
+    While this issue affects all operating systems, it only triggers log
+    messages (e.g. "unable to create dispatch for reserved port") on some
+    of them. There are currently no plans to make such a combination of
+    settings work again.
+
+New Features
+
+  * When a secondary server receives a large incremental zone transfer
+    (IXFR), it can have a negative impact on query performance while the
+    incremental changes are applied to the zone. To address this, named
+    can now limit the size of IXFR responses it sends in response to zone
+    transfer requests. If an IXFR response would be larger than an AXFR of
+    the entire zone, it will send an AXFR response instead.
+
+    This behavior is controlled by the max-ixfr-ratio option - a
+    percentage value representing the ratio of IXFR size to the size of a
+    full zone transfer. The default is 100%. [GL #1515]
+
+Feature Changes
+
+  * The system-provided POSIX Threads read-write lock implementation is
+    now used by default instead of the native BIND 9 implementation.
+    Please be aware that glibc versions 2.26 through 2.29 had a bug that
+    could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and
+    most current Linux distributions have patched or updated glibc, with
+    the notable exception of Ubuntu 18.04 (Bionic) which is a work in
+    progress. If you are running on an affected operating system, compile
+    BIND 9 with --disable-pthread-rwlock until a fixed version of glibc is
+    available. [GL !3125]
+
+  * The rndc nta -dump and rndc secroots commands now both include
+    validate-except entries when listing negative trust anchors. These are
+    indicated by the keyword permanent in place of the expiry date. [GL
+    #1532]
+
+Bug Fixes
+
+  * Fixed re-signing issues with inline zones which resulted in records
+    being re-signed late or not at all.
+
 License
 
 BIND 9 is open source software licensed under the terms of the Mozilla

doc/misc/master.zoneopt

@@ -35,6 +35,7 @@ zone <string> [ <class> ] {
 	key-directory <quoted_string>;
 	masterfile-format ( map | raw | text );
 	masterfile-style ( full | relative );
+	max-ixfr-ratio ( unlimited | <percentage> );
 	max-journal-size ( default | unlimited | <sizeval> );
 	max-records <integer>;
 	max-transfer-idle-out <integer>;

doc/misc/mirror.zoneopt

@@ -16,6 +16,7 @@ zone <string> [ <class> ] {
 	masterfile-format ( map | raw | text );
 	masterfile-style ( full | relative );
 	masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	max-ixfr-ratio ( unlimited | <percentage> );
 	max-journal-size ( default | unlimited | <sizeval> );
 	max-records <integer>;
 	max-refresh-time <integer>;

doc/misc/options

@@ -23,8 +23,8 @@ dlz <string> {
 
 dnssec-policy <string> {
         dnskey-ttl <duration>;
-        keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <duration> | unlimited )
-            algorithm <integer> [ <integer> ]; ... };
+        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
         max-zone-ttl <duration>;
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
@@ -206,7 +206,7 @@ options {
         fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
         fstrm-set-output-queue-size <integer>; // not configured
         fstrm-set-reopen-interval <duration>; // not configured
-        geoip-directory ( <quoted_string> | none );
+        geoip-directory ( <quoted_string> | none ); // not configured
         geoip-use-ecs <boolean>; // obsolete
         glue-cache <boolean>;
         has-old-clients <boolean>; // ancient
@@ -227,7 +227,7 @@ options {
         listen-on-v6 [ port <integer> ] [ dscp
             <integer> ] {
             <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         lock-file ( <quoted_string> | none );
         maintain-ixfr-base <boolean>; // ancient
         managed-keys-directory <quoted_string>;
@@ -239,6 +239,7 @@ options {
         max-cache-ttl <duration>;
         max-clients-per-query <integer>;
         max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
+        max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-ncache-ttl <duration>;
         max-records <integer>;
@@ -581,7 +582,7 @@ view <string> [ <class> ] {
         }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <duration>;
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         maintain-ixfr-base <boolean>; // ancient
         managed-keys { <string> (
             static-key | initial-key
@@ -599,6 +600,7 @@ view <string> [ <class> ] {
         max-cache-ttl <duration>;
         max-clients-per-query <integer>;
         max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
+        max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-ncache-ttl <duration>;
         max-records <integer>;
@@ -823,6 +825,7 @@ view <string> [ <class> ] {
                     port <integer> ] ) [ key <string> ]; ... };
                 max-ixfr-log-size ( default | unlimited |
                     <sizeval> ); // ancient
+                max-ixfr-ratio ( unlimited | <percentage> );
                 max-journal-size ( default | unlimited | <sizeval> );
                 max-records <integer>;
                 max-refresh-time <integer>;
@@ -927,6 +930,7 @@ zone <string> [ <class> ] {
             <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
             <integer> ] ) [ key <string> ]; ... };
         max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
+        max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-records <integer>;
         max-refresh-time <integer>;

doc/misc/options.active

@@ -23,8 +23,8 @@ dlz <string> {
 
 dnssec-policy <string> {
         dnskey-ttl <duration>;
-        keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <duration> | unlimited )
-            algorithm <integer> [ <integer> ]; ... };
+        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
         max-zone-ttl <duration>;
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
@@ -188,7 +188,7 @@ options {
         fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
         fstrm-set-output-queue-size <integer>; // not configured
         fstrm-set-reopen-interval <duration>; // not configured
-        geoip-directory ( <quoted_string> | none );
+        geoip-directory ( <quoted_string> | none ); // not configured
         glue-cache <boolean>;
         heartbeat-interval <integer>;
         hostname ( <quoted_string> | none );
@@ -205,7 +205,7 @@ options {
         listen-on-v6 [ port <integer> ] [ dscp
             <integer> ] {
             <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         lock-file ( <quoted_string> | none );
         managed-keys-directory <quoted_string>;
         masterfile-format ( map | raw | text );
@@ -214,6 +214,7 @@ options {
         max-cache-size ( default | unlimited | <sizeval> | <percentage> );
         max-cache-ttl <duration>;
         max-clients-per-query <integer>;
+        max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-ncache-ttl <duration>;
         max-records <integer>;
@@ -522,7 +523,7 @@ view <string> [ <class> ] {
         }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <duration>;
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         managed-keys { <string> (
             static-key | initial-key
             | static-ds | initial-ds
@@ -537,6 +538,7 @@ view <string> [ <class> ] {
         max-cache-size ( default | unlimited | <sizeval> | <percentage> );
         max-cache-ttl <duration>;
         max-clients-per-query <integer>;
+        max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-ncache-ttl <duration>;
         max-records <integer>;
@@ -744,6 +746,7 @@ view <string> [ <class> ] {
                 masters [ port <integer> ] [ dscp <integer> ] { ( <masters>
                     | <ipv4_address> [ port <integer> ] | <ipv6_address> [
                     port <integer> ] ) [ key <string> ]; ... };
+                max-ixfr-ratio ( unlimited | <percentage> );
                 max-journal-size ( default | unlimited | <sizeval> );
                 max-records <integer>;
                 max-refresh-time <integer>;
@@ -841,6 +844,7 @@ zone <string> [ <class> ] {
         masters [ port <integer> ] [ dscp <integer> ] { ( <masters> |
             <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
             <integer> ] ) [ key <string> ]; ... };
+        max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-records <integer>;
         max-refresh-time <integer>;

doc/misc/slave.zoneopt

@@ -28,6 +28,7 @@ zone <string> [ <class> ] {
 	masterfile-format ( map | raw | text );
 	masterfile-style ( full | relative );
 	masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	max-ixfr-ratio ( unlimited | <percentage> );
 	max-journal-size ( default | unlimited | <sizeval> );
 	max-records <integer>;
 	max-refresh-time <integer>;