Commit db1cd0d9 authored by Tinderbox User

prep 9.13.4

parent 976881f4
--- 9.13.4 released ---
5098. [func] Failed memory allocations are now fatal. [GL #674]
5097. [cleanup] Remove embedded ATF unit testing framework
......
......@@ -59,3 +59,31 @@ These are platforms on which BIND is known not to build or run:
* Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
* Platforms that don't support atomic operations (via compiler or
library)
* Linux without NPTL (Native POSIX Thread Library)
Platform quirks
ARM
If the compilation ends with following error:
Error: selected processor does not support `yield' in ARM mode
You will need to set -march compiler option to native, so the compiler
recognizes yield assembler instruction. The proper way to set -march=
native would be to put it into CFLAGS, e.g. run ./configure like this:
CFLAGS="-march=native -Os -g" ./configure plus your usual options.
If that doesn't work, you can enforce the minimum CPU and FPU (taken from
Debian armhf documentation):
* The lowest worthwhile CPU implementation is Armv7-A, therefore the
recommended build option is -march=armv7-a.
* FPU should be set at VFPv3-D16 as they represent the miminum
specification of the processors to support here, therefore the
recommended build option is -mfpu=vfpv3-d16.
The configure command should look like this:
CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
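Review bot: In the second bullet of the new ARM section, "miminum" should be "minimum", and "FPU should be set at VFPv3-D16 as they represent" mixes singular and plural; "ends with following error" also needs "the". Because -march=native picks up the CPU of the build host, it would help to say that the explicit -march=armv7-a -mfpu=vfpv3-d16 form is the one to use when the binaries are meant to run on a different machine.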
......@@ -104,6 +104,7 @@ BIND 9.13 features
BIND 9.13 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.12 and earlier releases. New features include:
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root
......
......@@ -122,6 +122,7 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.12 and earlier releases. New features
include:
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root zone.
......
......@@ -74,7 +74,9 @@ will perform an NS query for "\&." (the root)\&.
It is possible to set per\-user defaults for
\fBdig\fR
via
${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&.
${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
\fB\-r\fR
option disables this feature, for scripts that need predictable behaviour\&.
.PP
The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
\fB\-t\fR
......@@ -174,11 +176,6 @@ reads a list of lookup requests to process from the given
using the command\-line interface\&.
.RE
.PP
\-i
.RS 4
Do reverse IPv6 lookups using the obsolete RFC 1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC 2874) are not attempted\&.
.RE
.PP
\-k \fIkeyfile\fR
.RS 4
Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
......@@ -208,6 +205,12 @@ The domain name to query\&. This is useful to distinguish the
from other arguments\&.
.RE
.PP
\-r
.RS 4
Do not read options from
${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
.RE
.PP
\-t \fItype\fR
.RS 4
The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
......@@ -246,9 +249,7 @@ arguments\&.
\fBdig\fR
automatically performs a lookup for a name like
94\&.2\&.0\&.192\&.in\-addr\&.arpa
and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain (but see also the
\fB\-i\fR
option)\&.
and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-y \fI[hmac:]\fR\fIkeyname:secret\fR
......@@ -468,12 +469,16 @@ option is enabled\&. If short form answers are requested, the default is not to
.PP
\fB+[no]idnin\fR
.RS 4
Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to process IDN input\&.
Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]idnout\fR
.RS 4
Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&.
Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]ignore\fR
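Review bot: The new +[no]idnout paragraph says the default is to "process puny code on output", while the sentence above it says "Convert [do not convert]"; use the same verb in both places and spell it "Punycode". Both defaults now depend on whether standard output is a tty, so the text should also state whether an explicit +idnin or +idnout still takes effect when output is redirected; as written that is left open.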
......@@ -795,7 +800,10 @@ has been built with IDN (internationalized domain name) support, it can accept a
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
\fI+noidnin\fR
and
\fI+noidnout\fR\&.
\fI+noidnout\fR
or define the
\fBIDN_DISABLE\fR
environment variable\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
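Review bot: The added "or define the IDN_DISABLE environment variable" does not say whether the value of the variable matters. The host and nslookup pages in this commit state that IDN support is disabled "if the variable is set"; one sentence to the same effect here would keep the three pages consistent.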
......
......@@ -106,9 +106,10 @@
<p>
It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
<code class="filename">${HOME}/.digrc</code>. This file is read and
any options in it
are applied before the command line arguments.
<code class="filename">${HOME}/.digrc</code>. This file is read and any
options in it are applied before the command line arguments.
The <code class="option">-r</code> option disables this feature, for
scripts that need predictable behaviour.
</p>
<p>
......@@ -227,14 +228,6 @@
<span class="command"><strong>dig</strong></span> using the command-line interface.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd>
<p>
Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
domain, which is no longer in use. Obsolete bit string
label queries (RFC 2874) are not attempted.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd>
<p>
......@@ -274,6 +267,13 @@
the <em class="parameter"><code>name</code></em> from other arguments.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
Do not read options from <code class="filename">${HOME}/.digrc</code>.
This is useful for scripts that need predictable behaviour.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
......@@ -324,8 +324,7 @@
<code class="literal">94.2.0.192.in-addr.arpa</code> and sets the
query type and class to PTR and IN respectively. IPv6
addresses are looked up using nibble format under the
IP6.ARPA domain (but see also the <code class="option">-i</code>
option).
IP6.ARPA domain.
</p>
</dd>
<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
......@@ -631,7 +630,13 @@
<p>
Process [do not process] IDN domain names on input.
This requires IDN SUPPORT to have been enabled at
compile time. The default is to process IDN input.
compile time.
</p>
<p>
The default is to process IDN input when standard output
is a tty. The IDN processing on input is disabled when
dig output is redirected to files, pipes, and other
non-tty file descriptors.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
......@@ -639,7 +644,13 @@
<p>
Convert [do not convert] puny code on output.
This requires IDN SUPPORT to have been enabled at
compile time. The default is to convert output.
compile time.
</p>
<p>
The default is to process puny code on output when
standard output is a tty. The puny code processing on
output is disabled when dig output is redirected to
files, pipes, and other non-tty file descriptors.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
......@@ -1061,7 +1072,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server.
If you'd like to turn off the IDN support for some reason, use
parameters <em class="parameter"><code>+noidnin</code></em> and
<em class="parameter"><code>+noidnout</code></em>.
<em class="parameter"><code>+noidnout</code></em> or define
the <code class="envar">IDN_DISABLE</code> environment variable.
</p>
</div>
......
......@@ -112,11 +112,6 @@ Print debugging traces\&. Equivalent to the
verbose option\&.
.RE
.PP
\-i
.RS 4
Obsolete\&. Use the IP6\&.INT domain for reverse lookups of IPv6 addresses as defined in RFC1886 and deprecated in RFC4159\&. The default is to use IP6\&.ARPA as specified in RFC3596\&.
.RE
.PP
\-l
.RS 4
List zone: The
......@@ -257,7 +252,7 @@ If
\fBhost\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBhost\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBhost\fR
......
......@@ -138,15 +138,6 @@
Equivalent to the <code class="option">-v</code> verbose option.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd>
<p>
Obsolete.
Use the IP6.INT domain for reverse lookups of IPv6
addresses as defined in RFC1886 and deprecated in RFC4159.
The default is to use IP6.ARPA as specified in RFC3596.
</p>
</dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
......@@ -311,7 +302,7 @@
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, defines
If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>host</strong></span> runs.
......
......@@ -277,6 +277,17 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no
.PP
\fBnslookup\fR
returns with an exit status of 1 if any query failed, and 0 otherwise\&.
.SH "IDN SUPPORT"
.PP
If
\fBnslookup\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBnslookup\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBnslookup\fR
runs or when the standard output is not a tty\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
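Review bot: The last sentence of the new IDN SUPPORT section says IDN support is also disabled "when the standard output is not a tty", and the dig pages in this commit describe the same tty rule for +idnin and +idnout, but the host page only mentions IDN_DISABLE. If host follows the same rule, its page needs the same clause; if it does not, a note on the difference would save script authors from assuming it.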
......
......@@ -362,14 +362,31 @@ nslookup -query=hinfo -timeout=10
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>
<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
a tty.
</p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<a name="id-1.13"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
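Review bot: Inserting the IDN SUPPORT refsection renumbers the generated anchors: id-1.11 was FILES and is now IDN SUPPORT, with FILES and SEE ALSO moved to id-1.12 and id-1.13. Any existing link to the old id-1.11 or id-1.12 fragment now lands on a different section. If stable deep links matter, give the refsections explicit ids in the DocBook source instead of relying on generated ones.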
......
......@@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z
.RS 4
Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
must be one of RSAMD5, RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
......@@ -63,9 +63,9 @@ option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
.sp
These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
\fB\-3\fR
option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
option, then NSEC3RSASHA1 will be used instead\&.
.sp
As of BIND 9\&.12\&.0, this option is mandatory except when using the
\fB\-S\fR
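Review bot: The text around this change contradicts itself. The paragraph just before the edited sentence still says RSASHA1 is used "if no algorithm is specified", while the trailing context says the option is mandatory as of BIND 9.12.0 except with -S. Since the -3 sentence is being touched anyway, either drop the default paragraph or limit it to the -S case.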
......
......@@ -90,7 +90,7 @@
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</p>
<p>
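Review bot: The algorithm list loses DSA and NSEC3DSA but still names RSAMD5. If RSAMD5 is kept only for compatibility with existing keys, a short remark to that effect belongs next to the list; if it is no longer usable, it should be removed in the same change.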
......@@ -103,9 +103,9 @@
<p>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
or NSEC3DSA will be used instead.
will be used instead.
</p>
<p>
As of BIND 9.12.0, this option is mandatory except when using
......
......@@ -62,13 +62,13 @@ may be preferable to direct use of
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
must be one of RSAMD5, RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
\fB\-T KEY\fR
option as well\&.
.sp
These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
\fB\-3\fR
option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
option, then NSEC3RSASHA1 will be used instead\&.
.sp
This parameter
\fImust\fR
......
......@@ -100,7 +100,7 @@
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <code class="option">-T KEY</code>
......@@ -109,9 +109,9 @@
<p>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <code class="option">-3</code> option, then NSEC3RSASHA1
or NSEC3DSA will be used instead.
will be used instead.
</p>
<p>
This parameter <span class="emphasis"><em>must</em></span> be specified except
......
......@@ -10,12 +10,12 @@
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2018-06-21
.\" Date: 2018-10-23
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\&.CONF" "5" "2018\-06\-21" "ISC" "BIND9"
.TH "NAMED\&.CONF" "5" "2018\-10\-23" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......@@ -199,6 +199,7 @@ options {
] [ dscp \fIinteger\fR ];
alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR |
* ) ] [ dscp \fIinteger\fR ];
answer\-cookie \fIboolean\fR;
attach\-cache \fIstring\fR;
auth\-nxdomain \fIboolean\fR; // default changed
auto\-dnssec ( allow | maintain | off );
......@@ -264,8 +265,8 @@ options {
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
dnssec\-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
response ) ]; \&.\&.\&. };
dnstap { ( all | auth | client | forwarder | resolver | update ) [
( query | response ) ]; \&.\&.\&. };
dnstap\-identity ( \fIquoted_string\fR | none | hostname );
dnstap\-output ( file | unix ) \fIquoted_string\fR [ size ( unlimited |
\fIsize\fR ) ] [ versions ( unlimited | \fIinteger\fR ) ] [ suffix (
......@@ -343,6 +344,8 @@ options {
memstatistics \fIboolean\fR;
memstatistics\-file \fIquoted_string\fR;
message\-compression \fIboolean\fR;
min\-cache\-ttl \fIttlval\fR;
min\-ncache\-ttl \fIttlval\fR;
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
minimal\-any \fIboolean\fR;
......@@ -632,8 +635,8 @@ view \fIstring\fR [ \fIclass\fR ] {
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
dnssec\-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
response ) ]; \&.\&.\&. };
dnstap { ( all | auth | client | forwarder | resolver | update ) [
( query | response ) ]; \&.\&.\&. };
dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [ port
\fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv4_address\fR [ port
\fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv6_address\fR [ port
......@@ -914,10 +917,10 @@ view \fIstring\fR [ \fIclass\fR ] {
static\-stub | stub );
update\-check\-ksk \fIboolean\fR;
update\-policy ( local | { ( deny | grant ) \fIstring\fR (
6to4\-self | external | krb5\-self | krb5\-subdomain |
ms\-self | ms\-subdomain | name | self | selfsub |
selfwild | subdomain | tcp\-self | wildcard | zonesub )
[ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. };
6to4\-self | external | krb5\-self | krb5\-selfsub |
krb5\-subdomain | ms\-self | ms\-selfsub | ms\-subdomain |
name | self | selfsub | selfwild | subdomain | tcp\-self
| wildcard | zonesub ) [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. };
use\-alt\-transfer\-source \fIboolean\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
zone\-statistics ( full | terse | none | \fIboolean\fR );
......@@ -1020,9 +1023,10 @@ zone \fIstring\fR [ \fIclass\fR ] {
stub );
update\-check\-ksk \fIboolean\fR;
update\-policy ( local | { ( deny | grant ) \fIstring\fR ( 6to4\-self |
external | krb5\-self | krb5\-subdomain | ms\-self | ms\-subdomain
| name | self | selfsub | selfwild | subdomain | tcp\-self |
wildcard | zonesub ) [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. };
external | krb5\-self | krb5\-selfsub | krb5\-subdomain | ms\-self
| ms\-selfsub | ms\-subdomain | name | self | selfsub | selfwild
| subdomain | tcp\-self | wildcard | zonesub ) [ \fIstring\fR ]
\fIrrtypelist\fR; \&.\&.\&. };
use\-alt\-transfer\-source \fIboolean\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
zone\-statistics ( full | terse | none | \fIboolean\fR );
......
......@@ -180,6 +180,7 @@ options
][dscp<em class="replaceable"><code>integer</code></em>];<br>
alt-transfer-source-v6(<em class="replaceable"><code>ipv6_address</code></em>|*)[port(<em class="replaceable"><code>integer</code></em>|<br>
*)][dscp<em class="replaceable"><code>integer</code></em>];<br>
answer-cookie<em class="replaceable"><code>boolean</code></em>;<br>
attach-cache<em class="replaceable"><code>string</code></em>;<br>
auth-nxdomain<em class="replaceable"><code>boolean</code></em>;//defaultchanged<br>
auto-dnssec(allow|maintain|off);<br>
......@@ -245,8 +246,8 @@ options
dnssec-secure-to-insecure<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode(maintain|no-resign);<br>
dnssec-validation(yes|no|auto);<br>
dnstap{(all|auth|client|forwarder|resolver)[(query|<br>
response)];...};<br>
dnstap{(all|auth|client|forwarder|resolver|update)[<br>
(query|response)];...};<br>
dnstap-identity(<em class="replaceable"><code>quoted_string</code></em>|none|hostname);<br>
dnstap-output(file|unix)<em class="replaceable"><code>quoted_string</code></em>[size(unlimited|<br>
<em class="replaceable"><code>size</code></em>)][versions(unlimited|<em class="replaceable"><code>integer</code></em>)][suffix(<br>
......@@ -324,6 +325,8 @@ options
memstatistics<em class="replaceable"><code>boolean</code></em>;<br>
memstatistics-file<em class="replaceable"><code>quoted_string</code></em>;<br>
message-compression<em class="replaceable"><code>boolean</code></em>;<br>
min-cache-ttl<em class="replaceable"><code>ttlval</code></em>;<br>
min-ncache-ttl<em class="replaceable"><code>ttlval</code></em>;<br>
min-refresh-time<em class="replaceable"><code>integer</code></em>;<br>
min-retry-time<em class="replaceable"><code>integer</code></em>;<br>
minimal-any<em class="replaceable"><code>boolean</code></em>;<br>
......@@ -601,8 +604,8 @@ view
dnssec-secure-to-insecure<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode(maintain|no-resign);<br>
dnssec-validation(yes|no|auto);<br>
dnstap{(all|auth|client|forwarder|resolver)[(query|<br>
response)];...};<br>
dnstap{(all|auth|client|forwarder|resolver|update)[<br>
(query|response)];...};<br>
dual-stack-servers[port<em class="replaceable"><code>integer</code></em>]{(<em class="replaceable"><code>quoted_string</code></em>[port<br>
<em class="replaceable"><code>integer</code></em>][dscp<em class="replaceable"><code>integer</code></em>]|<em class="replaceable"><code>ipv4_address</code></em>[port<br>
<em class="replaceable"><code>integer</code></em>][dscp<em class="replaceable"><code>integer</code></em>]|<em class="replaceable"><code>ipv6_address</code></em>[port<br>
......@@ -883,10 +886,10 @@ view
static-stub|stub);<br>
update-check-ksk<em class="replaceable"><code>boolean</code></em>;<br>
update-policy(local|{(deny|grant)<em class="replaceable"><code>string</code></em>(<br>
6to4-self|external|krb5-self|krb5-subdomain|<br>
ms-self|ms-subdomain|name|self|selfsub|<br>
selfwild|subdomain|tcp-self|wildcard|zonesub)<br>
[<em class="replaceable"><code>string</code></em>]<em class="replaceable"><code>rrtypelist</code></em>;...};<br>
6to4-self|external|krb5-self|krb5-selfsub|<br>
krb5-subdomain|ms-self|ms-selfsub|ms-subdomain|<br>
name|self|selfsub|selfwild|subdomain|tcp-self<br>
|wildcard|zonesub)[<em class="replaceable"><code>string</code></em>]<em class="replaceable"><code>rrtypelist</code></em>;...};<br>
use-alt-transfer-source<em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl<em class="replaceable"><code>boolean</code></em>;<br>
zone-statistics(full|terse|none|<em class="replaceable"><code>boolean</code></em>);<br>
......@@ -986,9 +989,10 @@ zone
stub);<br>
update-check-ksk<em class="replaceable"><code>boolean</code></em>;<br>
update-policy(local|{(deny|grant)<em class="replaceable"><code>string</code></em>(6to4-self|<br>
external|krb5-self|krb5-subdomain|ms-self|ms-subdomain<br>
|name|self|selfsub|selfwild|subdomain|tcp-self|<br>
wildcard|zonesub)[<em class="replaceable"><code>string</code></em>]<em class="replaceable"><code>rrtypelist</code></em>;...};<br>
external|krb5-self|krb5-selfsub|krb5-subdomain|ms-self<br>
|ms-selfsub|ms-subdomain|name|self|selfsub|selfwild<br>
|subdomain|tcp-self|wildcard|zonesub)[<em class="replaceable"><code>string</code></em>]<br>
<em class="replaceable"><code>rrtypelist</code></em>;...};<br>
use-alt-transfer-source<em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl<em class="replaceable"><code>boolean</code></em>;<br>
zone-statistics(full|terse|none|<em class="replaceable"><code>boolean</code></em>);<br>
......
......@@ -215,7 +215,7 @@ Specifies the directory in which keys should be stored\&.
.PP
\fBkey\-size\fR
.RS 4
Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 1024 bits for DSA keys and 2048 for RSA\&.
Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&.
.RE
.PP
\fBkeyttl\fR
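Review bot: The edited key-size paragraph keeps the typo "eihter" in "keytype (eihter "zsk" or "ksk")"; correct it to "either" while the sentence is being changed. With DSA gone, the final sentence only gives a default for RSA; say what applies to the ECDSA and EdDSA algorithms, where a bit size is not chosen, or state that key-size is ignored for them.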
......
......@@ -258,8 +258,7 @@
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
configured, the default is 2048 bits for RSA keys.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
......
......@@ -386,7 +386,7 @@ See also
\fBrndc trace\fR\&.
.RE
.PP
\fBnta \fR\fB[( \-d | \-f | \-r | \-l \fIduration\fR)]\fR\fB \fR\fB\fIdomain\fR\fR\fB \fR\fB[\fIview\fR]\fR\fB \fR
\fBnta \fR\fB[( \-class \fIclass\fR | \-dump | \-force | \-remove | \-lifetime \fIduration\fR)]\fR\fB \fR\fB\fIdomain\fR\fR\fB \fR\fB[\fIview\fR]\fR\fB \fR
.RS 4
Sets a DNSSEC negative trust anchor (NTA) for
\fBdomain\fR, with a lifetime of
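Review bot: The new synopsis puts -class inside the same alternation as -dump, -force, -remove and -lifetime, which reads as "exactly one of these". If -class can be combined with -lifetime or -force, as the later description of -class suggests, show it as a separate optional group, for example [ -class class ] ahead of the existing ( -dump | -force | -remove | -lifetime duration ) group.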
......@@ -418,7 +418,7 @@ option\&. TTL\-style suffixes can be used to specify the lifetime in seconds, mi
to zero is equivalent to
\fB\-remove\fR\&.
.sp
If
If the
\fB\-dump\fR
is used, any other arguments are ignored, and a list of existing NTAs is printed (note that this may include NTAs that are expired but have not yet been cleaned up)\&.
.sp
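Review bot: "If the -dump is used" is ungrammatical. Either keep the earlier "If -dump is used" or write "If the -dump option is used". The HTML copy of the page has the same wording and needs the same fix.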
......@@ -430,11 +430,18 @@ option in the Administrator Reference Manual for details)\&. If data can be vali
\fB\-force\fR
overrides this behavior and forces an NTA to persist for its entire lifetime, regardless of whether data could be validated if the NTA were not present\&.
.sp
The view class can be specified with
\fB\-class\fR\&. The default is class
\fBIN\fR, which is the only class for which DNSSEC is currently supported\&.
.sp
All of these options can be shortened, i\&.e\&., to
\fB\-l\fR,
\fB\-r\fR,
\fB\-d\fR, and
\fB\-f\fR\&.
\fB\-d\fR,
\fB\-f\fR, and
\fB\-c\fR\&.
.sp
Unrecognized options are treated as errors\&. To reference a domain or view name that begins with a hyphen, use a double\-hyphen on the command line to indicate the end of options\&.
.RE
.PP
\fBquerylog\fR [ on | off ]
......@@ -695,13 +702,14 @@ in each view\&. The list both statically configured keys and dynamic TKEY\-negot
.PP
\fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR
.RS 4
Enable, disable, or check the current status of DNSSEC validation\&. Note
Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. (Note that
\fBdnssec\-enable\fR
also needs to be set to
must also be
\fByes\fR
or
\fBauto\fR
to be effective\&. It defaults to enabled\&.
(the default value) for signatures to be returned along with validated data\&. If validation is enabled while
\fBdnssec\-enable\fR
is set to
\fBno\fR, the server will validate internally, but will not supply clients with the necessary records to allow validity to be confirmed\&.)
.RE
.PP
\fBzonestatus \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
......
......@@ -484,7 +484,7 @@
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>nta
[<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
[<span class="optional">( -class <em class="replaceable"><code>class</code></em> | -dump | -force | -remove | -lifetime <em class="replaceable"><code>duration</code></em>)</span>]
<em class="replaceable"><code>domain</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]
</code></strong></span></dt>
......@@ -532,7 +532,7 @@
is equivalent to <code class="option">-remove</code>.
</p>
<p>
If <code class="option">-dump</code> is used, any other arguments
If the <code class="option">-dump</code> is used, any other arguments
are ignored, and a list of existing NTAs is printed