prep 9.13.3

CHANGES

+	--- 9.13.3 released ---
+
 5029.	[func]		Workarounds for servers that misbehave when queried
 			with EDNS have been removed, because these broken
 			servers and the workarounds for their noncompliance

PLATFORMS

 Supported platforms
 
 In general, this version of BIND will build and run on any POSIX-compliant
-system with a C99-compliant C compiler, BSD-style sockets with RFC-compliant
-IPv6 support, POSIX-compliant threads, and the OpenSSL cryptography library.
-Atomic operations support from the compiler is needed, either in the form of
-builtin operations, C11 atomics or the Interlocked family of functions on
-Windows.
+system with a C99-compliant C compiler, BSD-style sockets with
+RFC-compliant IPv6 support, POSIX-compliant threads, and the OpenSSL
+cryptography library. Atomic operations support from the compiler is
+needed, either in the form of builtin operations, C11 atomics or the
+Interlocked family of functions on Windows.
 
 ISC regularly tests BIND on many operating systems and architectures, but
 lacks the resources to test all of them. Consequently, ISC is only able to
@@ -57,4 +57,5 @@ These are platforms on which BIND is known not to build or run:
   * Windows 10 / x86
   * Windows Server 2012 and older
   * Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
-  * Platforms that don't support atomic operations (via compiler or library)
+  * Platforms that don't support atomic operations (via compiler or
+    library)

README

@@ -104,8 +104,7 @@ BIND 9.13 features
 BIND 9.13 is the newest development branch of BIND 9. It includes a number
 of changes from BIND 9.12 and earlier releases. New features include:
 
-  * The default value of "dnssec-validation" is now "auto".
-  * Support for IDNA2008 when linking with libidn2.
+  * QNAME minimization, as described in RFC 7816, is now supported.
   * "Root key sentinel" support, enabling validating resolvers to indicate
     via a special query which trust anchors are configured for the root
     zone.
@@ -114,15 +113,24 @@ of changes from BIND 9.12 and earlier releases. New features include:
     subject to DNSSEC validation and are not treated as authoritative data
     when answering. This makes it easier to configure a local copy of the
     root zone as described in RFC 7706.
-  * QNAME minimization is now supported
   * The "validate-except" option allows configuration of domains below
     which DNSSEC validation should not be performed.
+  * The default value of "dnssec-validation" is now "auto".
+  * IDNA2008 is now supported when linking with libidn2.
+
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See https://dnsflagday.net for more details.
+
+Cryptographic support has been modernized. BIND now uses the best
+available pseudo-random number generator for the platform on which it's
+built. Very old versions of OpenSSL are no longer supported. Cryptography
+is now mandatory: building BIND without DNSSEC is now longer supported.
 
-In addition, cryptographic support has been modernized. BIND now uses the
-best available pseudo-random number generator for the platform on which
-it's built. Very old versions of OpenSSL are no longer supported.
-Cryptography is now mandatory; building BIND without DNSSEC is now longer
-supported.
+Special code to support certain legacy operating systems has also been
+removed; see the file PLATFORMS.md for details of supported platforms. In
+addition to OpenSSL, BIND now requires support for IPv6, threads, and
+standard atomic operations provided by the C compiler.
 
 Building BIND
 

README.md

@@ -122,8 +122,7 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a
 number of changes from BIND 9.12 and earlier releases.  New features
 include:
 
-* The default value of "dnssec-validation" is now "auto".
-* Support for IDNA2008 when linking with `libidn2`.
+* QNAME minimization, as described in RFC 7816, is now supported.
 * "Root key sentinel" support, enabling validating resolvers to indicate
   via a special query which trust anchors are configured for the root zone.
 * Secondary zones can now be configured as "mirror" zones; their contents
@@ -131,16 +130,28 @@ include:
   DNSSEC validation and are not treated as authoritative data when
   answering. This makes it easier to configure a local copy of the root
   zone as described in RFC 7706.
-* QNAME minimization is now supported
 * The "validate-except" option allows configuration of domains below which
   DNSSEC validation should not be performed.
+* The default value of "dnssec-validation" is now "auto".
+* IDNA2008 is now supported when linking with `libidn2`.
 
-In addition, cryptographic support has been modernized. BIND now uses the
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
+for more details.
+
+Cryptographic support has been modernized. BIND now uses the
 best available pseudo-random number generator for the platform on which
 it's built. Very old versions of OpenSSL are no longer supported.
-Cryptography is now mandatory; building BIND without DNSSEC is now
+Cryptography is now mandatory: building BIND without DNSSEC is now
 longer supported.
 
+Special code to support certain legacy operating systems has also
+been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
+of supported platforms. In addition to OpenSSL, BIND now requires
+support for IPv6, threads, and standard atomic operations provided
+by the C compiler.
+
 ### <a name="build"/> Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,

bin/check/named-checkconf.8

@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: named-checkconf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
 .\"      Date: 2014-01-10
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -38,7 +38,7 @@
 .SH "NAME"
 named-checkconf \- named configuration file syntax checking tool
 .SH "SYNOPSIS"
-.HP 16
+.HP \w'\fBnamed\-checkconf\fR\ 'u
 \fBnamed\-checkconf\fR [\fB\-hjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
 .SH "DESCRIPTION"
 .PP

bin/check/named-checkzone.8

@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: named-checkzone
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
 .\"      Date: 2014-02-19
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -38,9 +38,9 @@
 .SH "NAME"
 named-checkzone, named-compilezone \- zone file validity checking or converting tool
 .SH "SYNOPSIS"
-.HP 16
+.HP \w'\fBnamed\-checkzone\fR\ 'u
 \fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
-.HP 18
+.HP \w'\fBnamed\-compilezone\fR\ 'u
 \fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
 .SH "DESCRIPTION"
 .PP

bin/delv/delv.1

@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: delv
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
 .\"      Date: 2014-04-23
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -38,13 +38,13 @@
 .SH "NAME"
 delv \- DNS lookup and validation utility
 .SH "SYNOPSIS"
-.HP 5
+.HP \w'\fBdelv\fR\ 'u
 \fBdelv\fR [@server] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
-.HP 5
+.HP \w'\fBdelv\fR\ 'u
 \fBdelv\fR [\fB\-h\fR]
-.HP 5
+.HP \w'\fBdelv\fR\ 'u
 \fBdelv\fR [\fB\-v\fR]
-.HP 5
+.HP \w'\fBdelv\fR\ 'u
 \fBdelv\fR [queryopt...] [query...]
 .SH "DESCRIPTION"
 .PP

bin/dig/host.1

@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: host
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
 .\"      Date: 2009-01-20
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -38,7 +38,7 @@
 .SH "NAME"
 host \- DNS lookup utility
 .SH "SYNOPSIS"
-.HP 5
+.HP \w'\fBhost\fR\ 'u
 \fBhost\fR [\fB\-aACdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
 .SH "DESCRIPTION"
 .PP

bin/dig/nslookup.1

@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: nslookup
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
 .\"      Date: 2014-01-24
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -38,7 +38,7 @@
 .SH "NAME"
 nslookup \- query Internet name servers interactively
 .SH "SYNOPSIS"
-.HP 9
+.HP \w'\fBnslookup\fR\ 'u
 \fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
 .SH "DESCRIPTION"
 .PP
@@ -85,7 +85,6 @@ nslookup \-query=hinfo  \-timeout=10
 .if n \{\
 .RE
 .\}
-.sp
 .PP
 The
 \fB\-version\fR

bin/dnssec/dnssec-settime.8

@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: dnssec-settime
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
 .\"      Date: 2015-08-21
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -38,7 +38,7 @@
 .SH "NAME"
 dnssec-settime \- set the key timing metadata for a DNSSEC key
 .SH "SYNOPSIS"
-.HP 15
+.HP \w'\fBdnssec\-settime\fR\ 'u
 \fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
 .SH "DESCRIPTION"
 .PP

bin/named/named.8

@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: named
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
 .\"      Date: 2014-02-19
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -38,7 +38,7 @@
 .SH "NAME"
 named \- Internet domain name server
 .SH "SYNOPSIS"
-.HP 6
+.HP \w'\fBnamed\fR\ 'u
 \fBnamed\fR [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-D\ \fR\fB\fIstring\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-L\ \fR\fB\fIlogfile\fR\fR] [\fB\-M\ \fR\fB\fIoption\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-U\ \fR\fB\fI#listeners\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIlock\-file\fR\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
 .SH "DESCRIPTION"
 .PP
@@ -164,9 +164,20 @@ Listen for queries on port
 Write memory usage statistics to
 stdout
 on exit\&.
-.RS
-.B "Note:"
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
 This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release\&.
+.sp .5v
 .RE
 .RE
 .PP
@@ -177,11 +188,22 @@ Allow
 to use up to
 \fI#max\-socks\fR
 sockets\&. The default value is 4096 on systems built with default configuration options, and 21000 on systems built with "configure \-\-with\-tuning=large"\&.
-.RS
-.B "Warning:"
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
 This option should be unnecessary for the vast majority of users\&. The use of this option could even be harmful because the specified value may exceed the limitation of the underlying system API\&. It is therefore set only when the default configuration causes exhaustion of file descriptors and the operational environment is known to support the specified number of sockets\&. Note also that the actual maximum number is normally a little fewer than the specified value because
 \fBnamed\fR
 reserves some file descriptors for its internal use\&.
+.sp .5v
 .RE
 .RE
 .PP
@@ -190,13 +212,24 @@ reserves some file descriptors for its internal use\&.
 Chroot to
 \fIdirectory\fR
 after processing the command line arguments, but before reading the configuration file\&.
-.RS
-.B "Warning:"
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
 This option should be used in conjunction with the
 \fB\-u\fR
 option, as chrooting a process running as root doesn\*(Aqt enhance security on most systems; the way
 \fBchroot(2)\fR
 is defined allows a process with root privileges to escape a chroot jail\&.
+.sp .5v
 .RE
 .RE
 .PP
@@ -218,8 +251,18 @@ may be increased as high as that value, but no higher\&. On Windows, the number
 Setuid to
 \fIuser\fR
 after completing privileged operations, such as creating sockets that listen on privileged ports\&.
-.RS
-.B "Note:"
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
 On Linux,
 \fBnamed\fR
 uses the kernel\*(Aqs capability mechanism to drop all root privileges except the ability to
@@ -230,6 +273,7 @@ option only works when
 \fBnamed\fR
 is run on kernel 2\&.2\&.18 or later, or kernel 2\&.3\&.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
 \fBsetuid(2)\fR\&.
+.sp .5v
 .RE
 .RE
 .PP
@@ -259,9 +303,20 @@ none, the lock file check is disabled\&.
 Load data from
 \fIcache\-file\fR
 into the cache of the default view\&.
-.RS
-.B "Warning:"
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
 This option must not be used\&. It is only of interest to BIND 9 developers and may be removed or changed in a future release\&.
+.sp .5v
 .RE
 .RE
 .SH "SIGNALS"

bin/named/named.conf.5

@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: named.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
 .\"      Date: 2018-06-21
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -38,7 +38,7 @@
 .SH "NAME"
 named.conf \- configuration file for \fBnamed\fR
 .SH "SYNOPSIS"
-.HP 11
+.HP \w'\fBnamed\&.conf\fR\ 'u
 \fBnamed\&.conf\fR
 .SH "DESCRIPTION"
 .PP
@@ -148,7 +148,7 @@ logging {
 .if n \{\
 .RE
 .\}
-.SH "MANAGED\-KEYS"
+.SH "MANAGED-KEYS"
 .sp
 .if n \{\
 .RS 4
@@ -520,7 +520,7 @@ server \fInetprefix\fR {
 .if n \{\
 .RE
 .\}
-.SH "STATISTICS\-CHANNELS"
+.SH "STATISTICS-CHANNELS"
 .sp
 .if n \{\
 .RS 4
@@ -536,7 +536,7 @@ statistics\-channels {
 .if n \{\
 .RE
 .\}
-.SH "TRUSTED\-KEYS"
+.SH "TRUSTED-KEYS"
 .sp
 .if n \{\
 .RS 4

bin/named/named.conf.html

@@ -10,46 +10,65 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.named.conf"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><code class="filename">named.conf</code> &#8212; configuration file for <span class="command"><strong>named</strong></span></p>
+<p>
+    <code class="filename">named.conf</code>
+     &#8212; configuration file for <span class="command"><strong>named</strong></span>
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
-</div>
-<div class="refsection">
+    <div class="cmdsynopsis"><p>
+      <code class="command">named.conf</code> 
+    </p></div>
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p><code class="filename">named.conf</code> is the configuration file
+
+    <p><code class="filename">named.conf</code> is the configuration file
       for
       <span class="command"><strong>named</strong></span>.  Statements are enclosed
       in braces and terminated with a semi-colon.  Clauses in
       the statements are also semi-colon terminated.  The usual
       comment styles are supported:
     </p>
-<p>
+    <p>
       C style: /* */
     </p>
-<p>
+    <p>
       C++ style: // to end of line
     </p>
-<p>
+    <p>
       Unix style: # to end of line
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>ACL</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 acl<em class="replaceable"><code>string</code></em>{<em class="replaceable"><code>address_match_element</code></em>;...};<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>CONTROLS</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 controls{<br>
 	inet(<em class="replaceable"><code>ipv4_address</code></em>|<em class="replaceable"><code>ipv6_address</code></em>|<br>
 	*)[port(<em class="replaceable"><code>integer</code></em>|*)]allow<br>
@@ -62,35 +81,43 @@ controls
 	<em class="replaceable"><code>boolean</code></em>];<br>
 };<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.10"></a><h2>DLZ</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 dlz<em class="replaceable"><code>string</code></em>{<br>
 	database<em class="replaceable"><code>string</code></em>;<br>
 	search<em class="replaceable"><code>boolean</code></em>;<br>
 };<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.11"></a><h2>DYNDB</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 dyndb<em class="replaceable"><code>string</code></em><em class="replaceable"><code>quoted_string</code></em>{<br>
 <em class="replaceable"><code>unspecified-text</code></em>};<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.12"></a><h2>KEY</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 key<em class="replaceable"><code>string</code></em>{<br>
 	algorithm<em class="replaceable"><code>string</code></em>;<br>
 	secret<em class="replaceable"><code>string</code></em>;<br>
 };<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.13"></a><h2>LOGGING</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 logging{<br>
 	category<em class="replaceable"><code>string</code></em>{<em class="replaceable"><code>string</code></em>;...};<br>
 	channel<em class="replaceable"><code>string</code></em>{<br>
@@ -107,26 +134,33 @@ logging
 	};<br>
 };<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+
+  <div class="refsection">
 <a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 managed-keys{<em class="replaceable"><code>string</code></em><em class="replaceable"><code>string</code></em><em class="replaceable"><code>integer</code></em><br>
 <em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>quoted_string</code></em>;...};<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.15"></a><h2>MASTERS</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 masters<em class="replaceable"><code>string</code></em>[port<em class="replaceable"><code>integer</code></em>][dscp<br>
 <em class="replaceable"><code>integer</code></em>]{(<em class="replaceable"><code>masters</code></em>|<em class="replaceable"><code>ipv4_address</code></em>[<br>
 port<em class="replaceable"><code>integer</code></em>]|<em class="replaceable"><code>ipv6_address</code></em>[port<br>
 <em class="replaceable"><code>integer</code></em>])[key<em class="replaceable"><code>string</code></em>];...};<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.16"></a><h2>OPTIONS</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 options{<br>
 	allow-new-zones<em class="replaceable"><code>boolean</code></em>;<br>
 	allow-notify{<em class="replaceable"><code>address_match_element</code></em>;...};<br>
@@ -422,10 +456,12 @@ options
 	zone-statistics(full|terse|none|<em class="replaceable"><code>boolean</code></em>);<br>
 };<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.17"></a><h2>SERVER</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 server<em class="replaceable"><code>netprefix</code></em>{<br>
 	bogus<em class="replaceable"><code>boolean</code></em>;<br>
 	edns<em class="replaceable"><code>boolean</code></em>;<br>
@@ -459,10 +495,12 @@ server
 	transfers<em class="replaceable"><code>integer</code></em>;<br>
 };<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.18"></a><h2>STATISTICS-CHANNELS</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 statistics-channels{<br>
 	inet(<em class="replaceable"><code>ipv4_address</code></em>|<em class="replaceable"><code>ipv6_address</code></em>|<br>
 	*)[port(<em class="replaceable"><code>integer</code></em>|*)][<br>
@@ -470,17 +508,21 @@ statistics-channels
 	}];<br>
 };<br>
 </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.19"></a><h2>TRUSTED-KEYS</h2>
-<div class="literallayout"><p><br>
+
+    <div class="literallayout"><p><br>
 trusted-keys{<em class="replaceable"><code>string</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code><