prep 9.13.5

CHANGES

+	--- 9.13.5 released ---
+
 5108.	[bug]		Named could fail to determine bottom of zone when
 			removing out of date keys leading to invalid NSEC
 			and NSEC3 records being added to the zone. [GL #771]

README

@@ -104,6 +104,10 @@ BIND 9.13 features
 BIND 9.13 is the newest development branch of BIND 9. It includes a number
 of changes from BIND 9.12 and earlier releases. New features include:
 
+  * A new "plugin" mechanism has been added to allow query functionality
+    to be extended using dynamically loadable libraries. The "filter-aaaa"
+    feature has been removed from named and is now implemented as a
+    plugin.
   * Socket and task code has been refactored to improve performance.
   * QNAME minimization, as described in RFC 7816, is now supported.
   * "Root key sentinel" support, enabling validating resolvers to indicate

README.md

@@ -122,6 +122,9 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a
 number of changes from BIND 9.12 and earlier releases.  New features
 include:
 
+* A new "plugin" mechanism has been added to allow query functionality
+  to be extended using dynamically loadable libraries. The "filter-aaaa"
+  feature has been removed from named and is now implemented as a plugin.
 * Socket and task code has been refactored to improve performance.
 * QNAME minimization, as described in RFC 7816, is now supported.
 * "Root key sentinel" support, enabling validating resolvers to indicate

bin/check/named-checkconf.8

@@ -39,7 +39,7 @@
 named-checkconf \- named configuration file syntax checking tool
 .SH "SYNOPSIS"
 .HP \w'\fBnamed\-checkconf\fR\ 'u
-\fBnamed\-checkconf\fR [\fB\-hjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
+\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkconf\fR
@@ -79,6 +79,13 @@ When loading a zonefile read the journal if it exists\&.
 List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
 .RE
 .PP
+\-c
+.RS 4
+Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
+\fBplugin\fR
+statements to be ignored\&.
+.RE
+.PP
 \-p
 .RS 4
 Print out the

bin/check/named-checkconf.html

@@ -33,7 +33,7 @@
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">named-checkconf</code> 
-       [<code class="option">-hjlvz</code>]
+       [<code class="option">-chjlvz</code>]
        [<code class="option">-p</code>
 	 [<code class="option">-x</code>
       ]]
@@ -88,6 +88,14 @@
             (e.g. master or slave).
           </p>
         </dd>
+<dt><span class="term">-c</span></dt>
+<dd>
+          <p>
+	    Check "core" configuration only. This suppresses the loading
+	    of plugin modules, and causes all parameters to
+	    <span class="command"><strong>plugin</strong></span> statements to be ignored.
+          </p>
+        </dd>
 <dt><span class="term">-p</span></dt>
 <dd>
           <p>

bin/dnssec/dnssec-keygen.8

@@ -327,21 +327,21 @@ and
 files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
 .SH "EXAMPLE"
 .PP
-To generate a 768\-bit DSA key for the domain
+To generate an ECDSAP256SHA256 key for the domain
 \fBexample\&.com\fR, the following command would be issued:
 .PP
-\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example\&.com\fR
+\fBdnssec\-keygen \-a ECDSAP256SHA256 \-n ZONE example\&.com\fR
 .PP
 The command would print a string of the form:
 .PP
-\fBKexample\&.com\&.+003+26160\fR
+\fBKexample\&.com\&.+013+26160\fR
 .PP
 In this example,
 \fBdnssec\-keygen\fR
 creates the files
-Kexample\&.com\&.+003+26160\&.key
+Kexample\&.com\&.+013+26160\&.key
 and
-Kexample\&.com\&.+003+26160\&.private\&.
+Kexample\&.com\&.+013+26160\&.private\&.
 .SH "SEE ALSO"
 .PP
 \fBdnssec-signzone\fR(8),

bin/dnssec/dnssec-keygen.html

@@ -498,22 +498,22 @@
 <a name="id-1.11"></a><h2>EXAMPLE</h2>
 
     <p>
-      To generate a 768-bit DSA key for the domain
+      To generate an ECDSAP256SHA256 key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
       issued:
     </p>
-    <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
+    <p><strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com</code></strong>
     </p>
     <p>
       The command would print a string of the form:
     </p>
-    <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+    <p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
     </p>
     <p>
       In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
-      the files <code class="filename">Kexample.com.+003+26160.key</code>
+      the files <code class="filename">Kexample.com.+013+26160.key</code>
       and
-      <code class="filename">Kexample.com.+003+26160.private</code>.
+      <code class="filename">Kexample.com.+013+26160.private</code>.
     </p>
   </div>
 

bin/dnssec/dnssec-signzone.8

@@ -415,9 +415,9 @@ Specify which keys should be used to sign the zone\&. If no keys are specified,
 .PP
 The following command signs the
 \fBexample\&.com\fR
-zone with the DSA key generated by
+zone with the ECDSAP256SHA256 key generated by key generated by
 \fBdnssec\-keygen\fR
-(Kexample\&.com\&.+003+17247)\&. Because the
+(Kexample\&.com\&.+013+17247)\&. Because the
 \fB\-S\fR
 option is not being used, the zone\*(Aqs keys must be in the master file (db\&.example\&.com)\&. This invocation looks for
 dsset
@@ -428,7 +428,7 @@ files, in the current directory, so that DS records can be imported from them (\
 .\}
 .nf
 % dnssec\-signzone \-g \-o example\&.com db\&.example\&.com \e
-Kexample\&.com\&.+003+17247
+Kexample\&.com\&.+013+17247
 db\&.example\&.com\&.signed
 %
 .fi

bin/dnssec/dnssec-signzone.html

@@ -624,15 +624,16 @@
 
     <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
-      zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
-      (Kexample.com.+003+17247).  Because the <span class="command"><strong>-S</strong></span> option
-      is not being used, the zone's keys must be in the master file
+      zone with the ECDSAP256SHA256 key generated by key generated by
+      <span class="command"><strong>dnssec-keygen</strong></span> (Kexample.com.+013+17247).
+      Because the <span class="command"><strong>-S</strong></span> option is not being used,
+      the zone's keys must be in the master file
       (<code class="filename">db.example.com</code>).  This invocation looks
       for <code class="filename">dsset</code> files, in the current directory,
       so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
     </p>
 <pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
-Kexample.com.+003+17247
+Kexample.com.+013+17247
 db.example.com.signed
 %</pre>
     <p>

bin/plugins/filter-aaaa.8

@@ -9,7 +9,7 @@
 '\" t
 .\"     Title: filter-aaaa.so
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
 .\"      Date: 2018-08-13
 .\"    Manual: BIND9
 .\"    Source: ISC
@@ -38,12 +38,12 @@
 .SH "NAME"
 filter-aaaa.so \- filter AAAA in DNS responses when A is present
 .SH "SYNOPSIS"
-.HP 28
-\fBhook query "filter\-aaaa\&.so"\fR [\fI{\ parameters\ }\fR];
+.HP \w'\fBplugin\ query\ "filter\-aaaa\&.so"\fR\ 'u
+\fBplugin query "filter\-aaaa\&.so"\fR [\fI{\ parameters\ }\fR];
 .SH "DESCRIPTION"
 .PP
 \fBfilter\-aaaa\&.so\fR
-is a query hook module for
+is a query plugin module for
 \fBnamed\fR, enabling
 \fBnamed\fR
 to omit some IPv6 addresses when responding to clients\&.
@@ -59,13 +59,13 @@ and
 options\&. These options are now deprecated in
 named\&.conf, but can be passed as parameters to the
 \fBfilter\-aaaa\&.so\fR
-hook module, for example:
+plugin, for example:
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-hook query "/usr/local/lib/filter\-aaaa\&.so" {
+plugin query "/usr/local/lib/filter\-aaaa\&.so" {
         filter\-aaaa\-on\-v4 yes;
         filter\-aaaa\-on\-v6 yes;
         filter\-aaaa { 192\&.0\&.2\&.1; 2001:db8:2::1; };

bin/plugins/filter-aaaa.c

@@ -460,7 +460,7 @@ plugin_destroy(void **instp) {
 }
 
 /*
- * Returns hook module API version for compatibility checks.
+ * Returns plugin API version for compatibility checks.
  */
 int
 plugin_version(void) {

bin/plugins/filter-aaaa.html

@@ -10,27 +10,40 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>filter-aaaa.so</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
 <a name="man.filter-aaaa"></a><div class="titlepage"></div>
-<div class="refnamediv">
+  
+  
+  
+
+  <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">filter-aaaa.so</span> &#8212; filter AAAA in DNS responses when A is present</p>
+<p>
+    <span class="application">filter-aaaa.so</span>
+     &#8212; filter AAAA in DNS responses when A is present
+  </p>
 </div>
-<div class="refsynopsisdiv">
+
+  
+
+  <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">hook query "filter-aaaa.so"</code>  [<em class="replaceable"><code>{ parameters }</code></em>];
+    <div class="cmdsynopsis"><p>
+      <code class="command">plugin query "filter-aaaa.so"</code> 
+       [<em class="replaceable"><code>{ parameters }</code></em>];
     </p></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
-<p>
-      <span class="command"><strong>filter-aaaa.so</strong></span> is a query hook module for
+    <p>
+      <span class="command"><strong>filter-aaaa.so</strong></span> is a query plugin module for
       <span class="command"><strong>named</strong></span>, enabling <span class="command"><strong>named</strong></span>
       to omit some IPv6 addresses when responding to clients.
     </p>
-<p>
+    <p>
       Until BIND 9.12, this feature was implemented natively in
       <span class="command"><strong>named</strong></span> and enabled with the
       <span class="command"><strong>filter-aaaa</strong></span> ACL and the
@@ -38,42 +51,45 @@
       <span class="command"><strong>filter-aaaa-on-v6</strong></span> options. These options are
       now deprecated in <code class="filename">named.conf</code>, but can be
       passed as parameters to the <span class="command"><strong>filter-aaaa.so</strong></span>
-      hook module, for example:
+      plugin, for example:
     </p>
-<pre class="programlisting">
-hook query "/usr/local/lib/filter-aaaa.so" {
+    <pre class="programlisting">
+plugin query "/usr/local/lib/filter-aaaa.so" {
         filter-aaaa-on-v4 yes;
         filter-aaaa-on-v6 yes;
         filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
 };
 </pre>
-<p>
+    <p>
       This module is intended to aid transition from IPv4 to IPv6 by
       withholding IPv6 addresses from DNS clients which are not connected
       to the IPv6 Internet, when the name being looked up has an IPv4
       address available.  Use of this module is not recommended unless
       absolutely necessary.
     </p>
-<p>
+    <p>
       Note: This mechanism can erroneously cause other servers not to
       give AAAA records to their clients.  If a recursing server with
       both IPv6 and IPv4 network connections queries an authoritative
       server using this mechanism via IPv4, it will be denied AAAA
       records even if its client is using IPv6.
     </p>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.8"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl class="variablelist">
+    <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Specifies a list of client addresses for which AAAA
 	    filtering is to be applied.  The default is
 	    <strong class="userinput"><code>any</code></strong>.
-	  </p></dd>
+	  </p>
+	</dd>
 <dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
 <dd>
-<p>
+	  <p>
 	    If set to <strong class="userinput"><code>yes</code></strong>, the DNS client is
 	    at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
 	    and if the response does not include DNSSEC signatures,
@@ -81,35 +97,39 @@ hook query "/usr/local/lib/filter-aaaa.so" {
 	    This filtering applies to all responses and not only
 	    authoritative responses.
 	  </p>
-<p>
+	  <p>
 	    If set to <strong class="userinput"><code>break-dnssec</code></strong>,
 	    then AAAA records are deleted even when DNSSEC is
 	    enabled.  As suggested by the name, this causes the
 	    response to fail to verify, because the DNSSEC protocol is
 	    designed to detect deletions.
 	  </p>
-<p>
+	  <p>
 	    This mechanism can erroneously cause other servers not to
 	    give AAAA records to their clients.  A recursing server with
 	    both IPv6 and IPv4 network connections that queries an
 	    authoritative server using this mechanism via IPv4 will be
 	    denied AAAA records even if its client is using IPv6.
 	  </p>
-</dd>
+	</dd>
 <dt><span class="term"><span class="command"><strong>filter-aaaa-on-v6</strong></span></span></dt>
-<dd><p>
+<dd>
+	  <p>
 	    Identical to <span class="command"><strong>filter-aaaa-on-v4</strong></span>,
 	    except it filters AAAA responses to queries from IPv6
 	    clients instead of IPv4 clients.  To filter all
 	    responses, set both options to <strong class="userinput"><code>yes</code></strong>.
-	  </p></dd>
+	  </p>
+	</dd>
 </dl></div>
-</div>
-<div class="refsection">
+  </div>
+
+  <div class="refsection">
 <a name="id-1.9"></a><h2>SEE ALSO</h2>
-<p>
+    <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
-</div>
+  </div>
+
 </div></body>
 </html>

configure

@@ -842,7 +842,6 @@ infodir
 docdir
 oldincludedir
 includedir
-runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -1002,7 +1001,6 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1255,15 +1253,6 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
-  -runstatedir | --runstatedir | --runstatedi | --runstated \
-  | --runstate | --runstat | --runsta | --runst | --runs \
-  | --run | --ru | --r)
-    ac_prev=runstatedir ;;
-  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
-  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
-  | --run=* | --ru=* | --r=*)
-    runstatedir=$ac_optarg ;;
-
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1401,7 +1390,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir runstatedir
+		libdir localedir mandir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1554,7 +1543,6 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
-  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]

doc/arm/Bv9ARM.ch01.html

@@ -614,6 +614,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch02.html

@@ -146,6 +146,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch03.html

@@ -47,6 +47,11 @@
 <dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt>
 </dl></dd>
+<dt><span class="section"><a href="Bv9ARM.ch03.html#module-info">Plugins</a></span></dt>
+<dd><dl>
+<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.6.5">Configuring Plugins</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch03.html#id-1.4.6.6">Developing Plugins</a></span></dt>
+</dl></dd>
 </dl>
 </div>
 
@@ -741,6 +746,105 @@ controls {
         </div>
       </div>
     </div>
+
+    <div class="section">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="module-info"></a>Plugins</h2></div></div></div>
+
+  <p>
+    Plugins are a mechanism to extend the functionality of
+    <span class="command"><strong>named</strong></span> using dynamically loadable libraries.
+    By using plugins, core server functionality can be kept simple
+    for the majority of users; more complex code implementing optional
+    features need only be installed by users that need those features.
+  </p>
+  <p>
+    The plugin interface is a work in progress, and is expected to evolve
+    as more plugins are added. Currently, only "query plugins" are supported;
+    these modify the name server query logic. Other plugin types may be added
+    in the future.
+  </p>
+  <p>
+    The only plugin currently included in BIND is
+    <code class="filename">filter-aaaa.so</code>, which replaces the
+    <span class="command"><strong>filter-aaaa</strong></span> feature that previously existed natively
+    as part of <span class="command"><strong>named</strong></span>.
+    The code for this feature has been removed from <span class="command"><strong>named</strong></span>,
+    and can no longer be configured using standard
+    <code class="filename">named.conf</code> syntax, but linking in the
+    <code class="filename">filter-aaaa.so</code> plugin provides identical
+    functionality.
+  </p>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.4.6.5"></a>Configuring Plugins</h3></div></div></div>
+    <p>
+      A plugin is configured with the <span class="command"><strong>plugin</strong></span>
+      statement in <code class="filename">named.conf</code>:
+    </p>
+    <pre class="screen">
+    plugin query "library.so" {
+        <em class="replaceable"><code>parameters</code></em>
+    };
+    </pre>
+    <p>
+      In this example, file <code class="filename">library.so</code> is the plugin
+      library.  <code class="literal">query</code> indicates that this is a query
+      plugin.
+    </p>
+<p>
+    </p>
+<p>
+      Multiple <span class="command"><strong>plugin</strong></span> statements can be specified, to load
+      different plugins or multiple instances of the same plugin.
+    </p>
+    <p>
+      <em class="replaceable"><code>parameters</code></em> are passed as an opaque
+      string to the plugin's initialization routine. Configuration
+      syntax will differ depending on the module.
+    </p>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id-1.4.6.6"></a>Developing Plugins</h3></div></div></div>
+    <p>
+      Each plugin implements four functions:
+      </p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+<span class="command"><strong>plugin_register</strong></span> to allocate memory,
+        configure a plugin instance, and attach to hook points within
+        <span class="command"><strong>named</strong></span>,</li>
+<li class="listitem">
+<span class="command"><strong>plugin_destroy</strong></span> to tear down the plugin
+        instance and free memory,</li>
+<li class="listitem">
+<span class="command"><strong>plugin_version</strong></span> to check that the plugin
+        is compatible with the current version of the plugin API,</li>
+<li class="listitem">
+<span class="command"><strong>plugin_check</strong></span> to test syntactic
+        correctness of the plugin parameters.</li>
+</ul></div>
+<p>
+    </p>
+    <p>
+      At various locations within the <span class="command"><strong>named</strong></span> source code,
+      there are "hook points" at which a plugin may register itself.
+      When a hook point is reached while <span class="command"><strong>named</strong></span> is
+      running, it is checked to see whether any plugins have registered
+      themselves there; if so, the associated "hook action" is called -
+      this is a function within the plugin library. Hook actions may
+      examine the runtime state and make changes - for example, modifying
+      the answers to be sent back to a client or forcing a query to be
+      aborted. More details can be found in the file
+      <code class="filename">lib/ns/include/ns/hooks.h</code>.
+    </p>
+  </div>
+
+</div>
+
   </div>
 <div class="navfooter">
 <hr>
@@ -759,6 +863,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch04.html

@@ -2868,6 +2868,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch05.html

@@ -4626,63 +4626,6 @@ options {
                   internally.  The use of this option is discouraged.
                 </p>
               </dd>
-<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
-<dd>
-                <p>
-                  This option is intended to help the
-                  transition from IPv4 to IPv6 by not giving IPv6 addresses
-                  to DNS clients unless they have connections to the IPv6
-                  Internet.  This is not recommended unless absolutely
-                  necessary.  The default is <strong class="userinput"><code>no</code></strong>.
-                  The <span class="command"><strong>filter-aaaa-on-v4</strong></span> option
-                  may also be specified in <span class="command"><strong>view</strong></span> statements
-                  to override the global <span class="command"><strong>filter-aaaa-on-v4</strong></span>
-                  option.
-                </p>
-                <p>
-                  If <strong class="userinput"><code>yes</code></strong>,
-                  the DNS client is at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
-                  and if the response does not include DNSSEC signatures,
-                  then all AAAA records are deleted from the response.
-                  This filtering applies to all responses and not only
-                  authoritative responses.
-                </p>
-                <p>
-                  If <strong class="userinput"><code>break-dnssec</code></strong>,
-                  then AAAA records are deleted even when DNSSEC is enabled.
-                  As suggested by the name, this makes the response not verify,
-                  because the DNSSEC protocol is designed detect deletions.
-                </p>
-                <p>
-                  This mechanism can erroneously cause other servers to
-                  not give AAAA records to their clients.
-                  A recursing server with both IPv6 and IPv4 network connections
-                  that queries an authoritative server using this mechanism
-                  via IPv4 will be denied AAAA records even if its client is
-                  using IPv6.
-                </p>
-                <p>
-                  This mechanism is applied to authoritative as well as
-                  non-authoritative records.
-                  A client using IPv4 that is not allowed recursion can
-                  erroneously be given AAAA records because the server is not
-                  allowed to check for A records.
-                </p>
-                <p>
-                  Some AAAA records are given to IPv4 clients in glue records.
-                  IPv4 clients that are servers can then erroneously
-                  answer requests for AAAA records received via IPv4.