Commit ad94787c authored by Evan Hunt, committed by Ondřej Surý

prepare 9.13.1 release

parent e1400e36
Pipeline #2476 passed with stages in 8 minutes and 22 seconds
...@@ -16,6 +16,8 @@ ...@@ -16,6 +16,8 @@
4969. [cleanup] Refactor zone logging functions. [GL #269] 4969. [cleanup] Refactor zone logging functions. [GL #269]
--- 9.13.1 released ---
4968. [bug] If glue records are signed, attempt to validate them. 4968. [bug] If glue records are signed, attempt to validate them.
[GL #209] [GL #209]
......
...@@ -104,6 +104,7 @@ BIND 9.13 features ...@@ -104,6 +104,7 @@ BIND 9.13 features
BIND 9.13 is the newest development branch of BIND 9. It includes a number BIND 9.13 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.12 and earlier releases. New features include: of changes from BIND 9.12 and earlier releases. New features include:
* The default value of "dnssec-validation" is now "auto".
* Support for IDNA2008 when linking with libidn2. * Support for IDNA2008 when linking with libidn2.
* "Root key sentinel" support, enabling validating resolvers to indicate * "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root via a special query which trust anchors are configured for the root
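Review bot: the new bullet announces the dnssec-validation default change but omits the escape hatch that the ARM hunk later in this same commit documents (configure --disable-auto-validation, which makes the default "yes" again); an operator reading only the README will not learn that the built-in root trust anchor is now used unless BIND is rebuilt with that option, so suggest extending the bullet to `* The default value of "dnssec-validation" is now "auto" (unless BIND is built with --disable-auto-validation).`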
......
...@@ -122,6 +122,7 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a ...@@ -122,6 +122,7 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.12 and earlier releases. New features number of changes from BIND 9.12 and earlier releases. New features
include: include:
* The default value of "dnssec-validation" is now "auto".
* Support for IDNA2008 when linking with `libidn2`. * Support for IDNA2008 when linking with `libidn2`.
* "Root key sentinel" support, enabling validating resolvers to indicate * "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root zone. via a special query which trust anchors are configured for the root zone.
......
...@@ -102,7 +102,7 @@ Specify a digest algorithm to use when converting CDNSKEY records to DS records\ ...@@ -102,7 +102,7 @@ Specify a digest algorithm to use when converting CDNSKEY records to DS records\
.sp .sp
The The
\fIalgorithm\fR \fIalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&. must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
.RE .RE
.PP .PP
\-c \fIclass\fR \-c \fIclass\fR
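Review bot: GOST is removed from the list of accepted DS digest algorithms here, which is a user-visible change that the commit message "prepare 9.13.1 release" does not describe and the CHANGES excerpt at the top of this diff does not show; confirm that a CHANGES entry exists and that the tool rejects "GOST" with a clear error rather than silently falling back to the SHA-256 default. This troff text and the HTML rendering in the next hunk carry the same edit, so it belongs in the DocBook source from which both are generated, not in each output separately.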
......
...@@ -130,7 +130,7 @@ ...@@ -130,7 +130,7 @@
</p> </p>
<p> <p>
The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1 The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
(SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified, values are case insensitive. If no algorithm is specified,
the default is SHA-256. the default is SHA-256.
</p> </p>
......
...@@ -64,7 +64,7 @@ Use SHA\-256 as the digest algorithm\&. ...@@ -64,7 +64,7 @@ Use SHA\-256 as the digest algorithm\&.
.RS 4 .RS 4
Select the digest algorithm\&. The value of Select the digest algorithm\&. The value of
\fBalgorithm\fR \fBalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384)\&. These values are case insensitive\&. must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or SHA\-384 (SHA384)\&. These values are case insensitive\&.
.RE .RE
.PP .PP
\-C \-C
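Review bot: the digest list here reads "SHA-256 (SHA256) or SHA-384 (SHA384)" without the comma that the dnssec-cds page above uses ("SHA-256 (SHA256), or SHA-384 (SHA384)"); harmonize the two wordings, and as with the previous hunk make the GOST removal at the documentation source so the rendered formats do not drift apart.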
......
...@@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z ...@@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z
.RS 4 .RS 4
Selects the cryptographic algorithm\&. The value of Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR \fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
.sp .sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR \fB\-3\fR
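Review bot: ECCGOST is dropped but RSAMD5, DSA and NSEC3DSA stay in the list of accepted values, and the unchanged context below still states that RSASHA1 is used by default when no algorithm is given; if this pass is pruning algorithms from the documentation, the retained list and the stated default deserve the same scrutiny, or at minimum a sentence saying which listed values are kept only for backward compatibility.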
......
...@@ -90,7 +90,7 @@ ...@@ -90,7 +90,7 @@
<p> <p>
Selects the cryptographic algorithm. The value of Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</p> </p>
<p> <p>
......
...@@ -62,7 +62,7 @@ may be preferable to direct use of ...@@ -62,7 +62,7 @@ may be preferable to direct use of
.RS 4 .RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR \fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
\fB\-T KEY\fR \fB\-T KEY\fR
option as well\&. option as well\&.
.sp .sp
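Review bot: the rewritten line still carries the pre-existing typo "specifying his value will automatically set the -T KEY option" ("his" should be "this"); since the line is being touched anyway, fix it here, and do it in the DocBook source so the HTML rendering in the next hunk picks it up as well.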
......
...@@ -100,7 +100,7 @@ ...@@ -100,7 +100,7 @@
<p> <p>
Selects the cryptographic algorithm. For DNSSEC keys, the value Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <code class="option">-T KEY</code> his value will automatically set the <code class="option">-T KEY</code>
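Review bot: same typo as in the man page hunk above: "specifying his value will automatically set the <code class="option">-T KEY</code>" should read "this value"; fixing it once at the source corrects both renderings.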
......
...@@ -524,13 +524,25 @@ See also ...@@ -524,13 +524,25 @@ See also
\fBrndc managed\-keys\fR\&. \fBrndc managed\-keys\fR\&.
.RE .RE
.PP .PP
\fBserve\-stale ( on | off | status | reset ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR \fBserve\-stale ( on | off | reset | status ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4 .RS 4
Enable, disable, or reset the serving of stale answers as configured in named\&.conf\&. Serving of stale answers will remain disabled across Enable, disable, reset, or report the current status of the serving of stale answers as configured in
named\&.conf named\&.conf\&.
reloads if disabled via rndc until it is reset via rndc\&. .sp
If serving of stale answers is disabled by
\fBrndc\-serve\-stale off\fR, then it will remain disabled even if
\fBnamed\fR
is reloaded or reconfigured\&.
\fBrndc serve\-stale reset\fR
restores the setting as configured in
named\&.conf\&.
.sp .sp
Status will report whether serving of stale answers is currently enabled, disabled or not configured for a view\&. If serving of stale records is configured then the values of stale\-answer\-ttl and max\-stale\-ttl are reported\&. \fBrndc serve\-stale status\fR
will report whether serving of stale answers is currently enabled, disabled by the configuration, or disabled by
\fBrndc\fR\&. It will also report the values of
\fBstale\-answer\-ttl\fR
and
\fBmax\-stale\-ttl\fR\&.
.RE .RE
.PP .PP
\fBshowzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR \fBshowzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR
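Review bot: the new sentence refers to "\fBrndc\-serve\-stale off\fR", i.e. "rndc-serve-stale off" with a hyphen between rndc and serve-stale, which is not a valid rndc invocation; the same paragraph correctly writes "rndc serve-stale reset" and "rndc serve-stale status" with a space, so change it to "\fBrndc serve\-stale off\fR". Otherwise the rewritten status description (enabled, disabled by the configuration, or disabled by rndc) is a clear improvement over the old "not configured for a view" wording.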
......
...@@ -664,20 +664,28 @@ ...@@ -664,20 +664,28 @@
See also <span class="command"><strong>rndc managed-keys</strong></span>. See also <span class="command"><strong>rndc managed-keys</strong></span>.
</p> </p>
</dd> </dd>
<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | status | reset ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt> <dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | reset | status ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd> <dd>
<p> <p>
Enable, disable, or reset the serving of stale answers Enable, disable, reset, or report the current status
as configured in named.conf. Serving of stale answers of the serving of stale answers as configured in
will remain disabled across <code class="filename">named.conf</code> <code class="filename">named.conf</code>.
reloads if disabled via rndc until it is reset via rndc.
</p> </p>
<p> <p>
Status will report whether serving of stale answers is If serving of stale answers is disabled by
currently enabled, disabled or not configured for a <span class="command"><strong>rndc-serve-stale off</strong></span>, then it
view. If serving of stale records is configured then will remain disabled even if <span class="command"><strong>named</strong></span>
the values of stale-answer-ttl and max-stale-ttl are is reloaded or reconfigured.
reported. <span class="command"><strong>rndc serve-stale reset</strong></span> restores
the setting as configured in <code class="filename">named.conf</code>.
</p>
<p>
<span class="command"><strong>rndc serve-stale status</strong></span> will report
whether serving of stale answers is currently enabled,
disabled by the configuration, or disabled by
<span class="command"><strong>rndc</strong></span>. It will also report the
values of <span class="command"><strong>stale-answer-ttl</strong></span> and
<span class="command"><strong>max-stale-ttl</strong></span>.
</p> </p>
</dd> </dd>
<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt> <dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
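Review bot: the same hyphenation slip appears here as "<strong>rndc-serve-stale off</strong>"; it should be "rndc serve-stale off" to match the other two command references in the same paragraph, and it should be corrected in the source rather than in this generated HTML.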
......
...@@ -614,6 +614,6 @@ ...@@ -614,6 +614,6 @@
</tr> </tr>
</table> </table>
</div> </div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p> <p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body> </body>
</html> </html>
...@@ -146,6 +146,6 @@ ...@@ -146,6 +146,6 @@
</tr> </tr>
</table> </table>
</div> </div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p> <p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body> </body>
</html> </html>
...@@ -759,6 +759,6 @@ controls { ...@@ -759,6 +759,6 @@ controls {
</tr> </tr>
</table> </table>
</div> </div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p> <p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body> </body>
</html> </html>
...@@ -1034,28 +1034,36 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; ...@@ -1034,28 +1034,36 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
To enable <span class="command"><strong>named</strong></span> to respond appropriately To enable <span class="command"><strong>named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients, to DNS requests from DNSSEC aware clients,
<span class="command"><strong>dnssec-enable</strong></span> must be set to yes. <span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
(This is the default setting.) This is the default setting.
</p> </p>
<p> <p>
To enable <span class="command"><strong>named</strong></span> to validate answers from To enable <span class="command"><strong>named</strong></span> to validate answers from
other servers, the <span class="command"><strong>dnssec-enable</strong></span> option other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
must be set to <strong class="userinput"><code>yes</code></strong>, and the must be set to <strong class="userinput"><code>yes</code></strong>, and the
<span class="command"><strong>dnssec-validation</strong></span> options must be set to <span class="command"><strong>dnssec-validation</strong></span> option must be set to
<strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>. either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
</p> </p>
<p> <p>
When <span class="command"><strong>dnssec-validation</strong></span> is set to
<strong class="userinput"><code>auto</code></strong>, a trust anchor for the DNS
root zone will automatically be used. This trust anchor is
provided as part of BIND and is kept up to date using RFC 5011
key management.
If <span class="command"><strong>dnssec-validation</strong></span> is set to If <span class="command"><strong>dnssec-validation</strong></span> is set to
<strong class="userinput"><code>auto</code></strong>, then a default <strong class="userinput"><code>yes</code></strong>, then
trust anchor for the DNS root zone will be used. DNSSEC validation only occurs if
If it is set to <strong class="userinput"><code>yes</code></strong>, however, at least one trust anchor has been explicitly configured
then at least one trust anchor must be configured in <code class="filename">named.conf</code>,
with a <span class="command"><strong>trusted-keys</strong></span> or using a <span class="command"><strong>trusted-keys</strong></span> or
<span class="command"><strong>managed-keys</strong></span> statement in <span class="command"><strong>managed-keys</strong></span> statement.
<code class="filename">named.conf</code>, or DNSSEC validation If <span class="command"><strong>dnssec-validation</strong></span> is set to
will not occur. The default setting is <strong class="userinput"><code>no</code></strong>, then DNSSEC validation will
<strong class="userinput"><code>yes</code></strong>. not occur.
The default is <strong class="userinput"><code>auto</code></strong> unless BIND is
built with <span class="command"><strong>configure --disable-auto-validation</strong></span>,
in which case the default is <strong class="userinput"><code>yes</code></strong>.
</p> </p>
<p> <p>
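Review bot: the new paragraph says the built-in root trust anchor "is kept up to date using RFC 5011 key management" but does not connect this to the managed-keys statement mentioned two sentences later for the "yes" case; suggest stating explicitly that "auto" uses the same managed-keys mechanism, so the same on-disk key state and rollover behaviour apply, and saying what takes precedence when named.conf also contains an explicit trusted-keys or managed-keys entry for the root, since that is the first question an operator migrating from a manually configured anchor will ask.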
...@@ -1702,7 +1710,7 @@ $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \ ...@@ -1702,7 +1710,7 @@ $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
</p> </p>
<pre class="screen"> <pre class="screen">
$ <strong class="userinput"><code> cd SoftHSMv2 </code></strong> $ <strong class="userinput"><code> cd SoftHSMv2 </code></strong>
$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong> $ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr </code></strong>
$ <strong class="userinput"><code> make </code></strong> $ <strong class="userinput"><code> make </code></strong>
$ <strong class="userinput"><code> make install </code></strong> $ <strong class="userinput"><code> make install </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong> $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
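Review bot: dropping --enable-gost from the SoftHSMv2 build line is consistent with the GOST removals elsewhere in this commit, but the line still reads "configure --with-crypto-backend=openssl ..." without the "./" prefix, unlike the "$ ./configure --enable-native-pkcs11" line shown in this hunk's header; a reader copying the transcript will get "configure: command not found", so write "./configure" here too.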
...@@ -2867,6 +2875,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. ...@@ -2867,6 +2875,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr> </tr>
</table> </table>
</div> </div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p> <p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body> </body>
</html> </html>
...@@ -1564,6 +1564,7 @@ notrace</strong></span>. All debugging messages in the server have a debug ...@@ -1564,6 +1564,7 @@ notrace</strong></span>. All debugging messages in the server have a debug
syslog daemon; syslog daemon;
// only send priority info and higher // only send priority info and higher
severity info; severity info;
};
channel default_debug { channel default_debug {
// write to named.run in the working directory // write to named.run in the working directory
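Review bot: the added "};" closes the syslog channel block that previously ran straight into "channel default_debug {", so the example logging statement was not loadable as written; good fix, and since this is a copy-paste configuration example it is worth running the complete logging block through named-checkconf once to confirm no other channel in the listing is unbalanced.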
...@@ -1865,6 +1866,16 @@ category notify { null; }; ...@@ -1865,6 +1866,16 @@ category notify { null; };
</td> </td>
</tr> </tr>
<tr> <tr>
<td>
<p><span class="command"><strong>nsid</strong></span></p>
</td>
<td>
<p>
NSID options received from upstream servers.
</p>
</td>
</tr>
<tr>
<td> <td>
<p><span class="command"><strong>queries</strong></span></p> <p><span class="command"><strong>queries</strong></span></p>
</td> </td>
...@@ -1987,6 +1998,17 @@ category notify { null; }; ...@@ -1987,6 +1998,17 @@ category notify { null; };
</td> </td>
</tr> </tr>
<tr> <tr>
<td>
<p><span class="command"><strong>serve-stale</strong></span></p>
</td>
<td>
<p>
Whether or not a stale answer is used
following a resolver failure.
</p>
</td>
</tr>
<tr>
<td> <td>
<p><span class="command"><strong>spill</strong></span></p> <p><span class="command"><strong>spill</strong></span></p>
</td> </td>
...@@ -3663,12 +3685,13 @@ options { ...@@ -3663,12 +3685,13 @@ options {
Specifies the TTL to be returned on stale answers. Specifies the TTL to be returned on stale answers.
The default is 1 second. The minimum allowed is The default is 1 second. The minimum allowed is
also 1 second; a value of 0 will be updated silently also 1 second; a value of 0 will be updated silently
to 1 second. For stale answers to be returned, to 1 second.
they must be enabled (either in the configuration file </p>
using <span class="command"><strong>stale-answer-enable</strong></span> or via <p>
<span class="command"><strong>rndc</strong></span>), and For stale answers to be returned, they must be enabled,
<code class="option">max-stale-ttl</code> must be set to a either in the configuration file using
nonzero value. <span class="command"><strong>stale-answer-enable</strong></span> or via
<span class="command"><strong>rndc serve-stale on</strong></span>.
</p> </p>
</dd> </dd>
<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt> <dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
...@@ -4055,7 +4078,7 @@ options { ...@@ -4055,7 +4078,7 @@ options {
<dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt> <dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt>
<dd> <dd>
<p> <p>
This option is obsolete. <span class="emphasis"><em>This option is obsolete</em></span>.
In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong> In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
caused the server to attempt to fetch glue resource records caused the server to attempt to fetch glue resource records
it it
...@@ -4077,12 +4100,9 @@ options { ...@@ -4077,12 +4100,9 @@ options {
<dt><span class="term"><span class="command"><strong>geoip-use-ecs</strong></span></span></dt> <dt><span class="term"><span class="command"><strong>geoip-use-ecs</strong></span></span></dt>
<dd> <dd>
<p> <p>
When BIND is compiled with GeoIP support and configured This option was part of an experimental implementation
with "geoip" ACL elements, this option indicates whether of the EDNS CLIENT-SUBNET for authoritative servers,
the EDNS Client Subnet option, if present in a request, but is now obsolete.
should be used for matching against the GeoIP database.
The default is
<span class="command"><strong>geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
</p> </p>
</dd> </dd>
<dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt> <dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt>
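Review bot: "an experimental implementation of the EDNS CLIENT-SUBNET for authoritative servers" is missing a noun (read "of EDNS Client Subnet (ECS) support for authoritative servers"), and the entry should say what named now does when an existing named.conf still contains geoip-use-ecs (ignored with a warning, or treated as a configuration error) so that operators upgrading from a configuration that set it know whether named-checkconf will reject it.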
...@@ -4290,7 +4310,7 @@ options { ...@@ -4290,7 +4310,7 @@ options {
queries to authoritative name servers during iterative queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in option in its response, then its contents are logged in
the <span class="command"><strong>resolver</strong></span> category at level the <span class="command"><strong>nsid</strong></span> category at level
<span class="command"><strong>info</strong></span>. <span class="command"><strong>info</strong></span>.
The default is <strong class="userinput"><code>no</code></strong>. The default is <strong class="userinput"><code>no</code></strong>.
</p> </p>
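Review bot: moving NSID logging from the resolver category to the new nsid category is a behaviour change for anyone who routes the resolver category to a dedicated channel in order to capture NSID responses; after this change those log lines silently disappear from that channel unless a "category nsid { ...; };" line is added, so this deserves a release-note entry here and a cross-reference to the new nsid row added to the logging-category table earlier in this commit.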
...@@ -4310,6 +4330,15 @@ options { ...@@ -4310,6 +4330,15 @@ options {
server cookie. server cookie.
</p> </p>
</dd> </dd>
<dt><span class="term"><span class="command"><strong>answer-cookie</strong></span></span></dt>
<dd>
<p>
<span class="emphasis"><em>This option is obsolete</em></span>.
This option was used to prevent the sending of
a DNS COOKIE option in response to a request with
one present in BIND 9.11 and BIND 9.12.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt> <dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt>
<dd> <dd>
<p> <p>
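Review bot: the sentence "This option was used to prevent the sending of a DNS COOKIE option in response to a request with one present in BIND 9.11 and BIND 9.12" reads as though the request was present in 9.11/9.12; reorder it to "In BIND 9.11 and BIND 9.12, this option could be used to suppress the DNS COOKIE option in responses to requests that carried one." The entry should also state what the server does now that the option is gone and, like the other obsolete options in this commit, whether setting it is ignored or rejected.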
...@@ -4333,18 +4362,28 @@ options { ...@@ -4333,18 +4362,28 @@ options {
<dt><span class="term"><span class="command"><strong>stale-answer-enable</strong></span></span></dt> <dt><span class="term"><span class="command"><strong>stale-answer-enable</strong></span></span></dt>
<dd> <dd>
<p> <p>
Enable the returning of stale answers when the Enable the returning of "stale" cached answers when
nameservers for the zone are not answering. This the nameservers for a zone are not answering. The
is off by default, but can be enabled/disabled via default is not to return stale answers.
<span class="command"><strong>rndc serve-stale on</strong></span> and </p>
<span class="command"><strong>rndc serve-stale off</strong></span>, which <p>
override the <code class="filename">named.conf</code> Stale answers can also be enabled or disabled at
setting. <span class="command"><strong>rndc serve-stale reset</strong></span> runtime via <span class="command"><strong>rndc serve-stale on</strong></span> or
<span class="command"><strong>rndc serve-stale off</strong></span>; these
override the configured setting.
<span class="command"><strong>rndc serve-stale reset</strong></span>
restores the setting to the one specified in restores the setting to the one specified in
<code class="filename">named.conf</code>. Note that <code class="filename">named.conf</code>. Note that if
reloading or reconfiguring <span class="command"><strong>named</strong></span> stale answers have been disabled by <span class="command"><strong>rndc</strong></span>,
will not re-enable serving of stale records if they then they cannot be re-enabled by reloading or
have been disabled via <span class="command"><strong>rndc</strong></span>. reconfiguring <span class="command"><strong>named</strong></span>;
they must be re-enabled with
<span class="command"><strong>rndc serve-stale on</strong></span>,
or the server must be restarted.
</p>
<p>
Information about stale answers is logged under
the <span class="command"><strong>serve-stale</strong></span> log category.
</p> </p>
</dd> </dd>
<dt><span class="term"><span class="command"><strong>nocookie-udp-size</strong></span></span></dt> <dt><span class="term"><span class="command"><strong>nocookie-udp-size</strong></span></span></dt>
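Review bot: the new text says that once stale answers have been disabled by rndc "they must be re-enabled with rndc serve-stale on, or the server must be restarted", but two sentences earlier the same paragraph says "rndc serve-stale reset" restores the named.conf setting; list reset as the third way back to the configured state (and say so in the rndc man page hunk above, which makes the same claim), otherwise operators will restart a resolver when a reset would do.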
...@@ -6851,19 +6890,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; ...@@ -6851,19 +6890,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<dt><span class="term"><span class="command"><strong>max-stale-ttl</strong></span></span></dt> <dt><span class="term"><span class="command"><strong>max-stale-ttl</strong></span></span></dt>
<dd> <dd>
<p> <p>
Sets the maximum time for which the server will If stale answers are enabled,
<span class="command"><strong>max-stale-ttl</strong></span>
sets the maximum time for which the server will
retain records past their normal expiry to retain records past their normal expiry to
return them as stale records when the servers return them as stale records when the servers
for those records are not reachable. The default for those records are not reachable.
is to not retain the record. The default is 1 week. The minimum allowed is
1 second; a value of 0 will be updated silently
to 1 second.
</p> </p>
<p> <p>
<span class="command"><strong>rndc serve-stale</strong></span> can be used For stale answers to be returned, they must be enabled,
to disable and re-enable the serving of stale either in the configuration file using
records at runtime. Reloading or reconfiguring <span class="command"><strong>stale-answer-enable</strong></span> or via
<span class="command"><strong>named</strong></span> will not re-enable serving <span class="command"><strong>rndc serve-stale on</strong></span>.
of stale records if they have been disabled via
<span class="command"><strong>rndc</strong></span>.
</p> </p>
</dd> </dd>
<dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt> <dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt>
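Review bot: the default changes from "to not retain the record" to "1 week", which means that once stale answers are enabled the cache now holds expired records for up to a week by default instead of discarding them; that is an operational and cache-size change that belongs in CHANGES and the release notes, not only in the ARM. The first sentence also conditions retention on "If stale answers are enabled" while the second paragraph says enabling is required for stale answers to be returned; say explicitly whether expired records are retained at all when stale-answer-enable is off, since the two readings differ.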
...@@ -7435,6 +7476,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; ...@@ -7435,6 +7476,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<li class="listitem">9.E.F.IP6.ARPA</li> <li class="listitem">9.E.F.IP6.ARPA</li>
<li class="listitem">A.E.F.IP6.ARPA</li> <li class="listitem">A.E.F.IP6.ARPA</li>
<li class="listitem">B.E.F.IP6.ARPA</li> <li class="listitem">B.E.F.IP6.ARPA</li>
<li class="listitem">EMPTY.AS112.ARPA</li>
<li class="listitem">HOME.ARPA</li>
</ul></div> </ul></div>
<p> <p>
</p> </p>
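Review bot: adding HOME.ARPA and EMPTY.AS112.ARPA to the built-in empty zones means a default resolver will now answer for names under home.arpa from a built-in empty zone, which is exactly the namespace local networks use for their own names; operators who resolve home.arpa internally need to know that the built-in zone applies unless they configure that zone themselves, so this needs a CHANGES entry and a sentence in the surrounding empty-zone text rather than only two new list items.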
...@@ -14672,6 +14715,6 @@ HOST-127.EXAMPLE. MX 0 . ...@@ -14672,6 +14715,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr> </tr>
</table> </table>
</div> </div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p> <p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body> </body>
</html> </html>
...@@ -118,38 +118,8 @@ zone "example.com" { ...@@ -118,38 +118,8 @@ zone "example.com" {
In addition to network addresses and prefixes, which are In addition to network addresses and prefixes, which are
matched against the source address of the DNS request, ACLs matched against the source address of the DNS request, ACLs
may include <code class="option">key</code> elements, which specify the may include <code class="option">key</code> elements, which specify the
name of a TSIG or SIG(0) key, or <code class="option">ecs</code> name of a TSIG or SIG(0) key.
elements, which specify a network prefix but are only matched
if that prefix matches an EDNS client subnet option included
in the request.
</p> </p>
<p>
The EDNS Client Subnet (ECS) option is used by a recursive
resolver to inform an authoritative name server of the network
address block from which the original query was received, enabling
authoritative servers to give different answers to the same
resolver for different resolver clients. An ACL containing
an element of the form
<span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
will match if a request arrives in containing an ECS option
encoding an address within that prefix. If the request has no
ECS option, then "ecs" elements are simply ignored. Addresses
in ACLs that are not prefixed with "ecs" are matched only
against the source address.
</p>
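Review bot: removing the ecs ACL element documentation is consistent with geoip-use-ecs being marked obsolete earlier in this commit, but this hunk only deletes the description; nothing in the remaining text tells an operator whose ACLs still contain "ecs prefix" elements whether named will now refuse to load the configuration or silently ignore them, and since an ignored element changes who matches an ACL, that behaviour should be stated here and in the release notes.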