Commit 9bb0b30b authored by Tinderbox User, committed by Evan Hunt

prep 9.15.1

parent 7dfef18b
......@@ -2,6 +2,8 @@
statistics when hitting recursive clients
soft quota. [GL #1067]
--- 9.15.1 released ---
5248. [func] To clarify the configuration of DNSSEC keys,
the "managed-keys" and "trusted-keys" options
have both been deprecated. The new "dnssec-keys"
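Review bot: the CHANGES entry 5248 says "managed-keys" and "trusted-keys" "have both been deprecated", but the documentation updated in this same commit gives managed-keys a different status: the named.conf man page marks only TRUSTED-KEYS as "Deprecated - see DNSSEC-KEYS" while MANAGED-KEYS just says "See DNSSEC-KEYS", and the rndc and ARM text call managed-keys "synonymous" with dnssec-keys and only trusted-keys "deprecated". Pick one status for managed-keys and use the same word in the CHANGES entry and the docs, since operators will decide whether to rewrite their configs based on it.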
......
CONTRIBUTING
BIND Source Access and Contributor Guidelines
Feb 22, 2018
......
HISTORY
Functional enhancements from prior major releases of BIND 9
BIND 9.14
......@@ -505,11 +507,11 @@ BIND 9.4.0
* Detect duplicates of UDP queries we are recursing on and drop them.
New stats category "duplicates".
* "USE INTERNAL MALLOC" is now runtime selectable.
* The lame cache is now done on a basis as some servers only appear to
be lame for certain query types.
* The lame cache is now done on a <qname,qclass,qtype> basis as some
servers only appear to be lame for certain query types.
* Limit the number of recursive clients that can be waiting for a single
query () to resolve. New options clients-per-query and
max-clients-per-query.
query (<qname,qtype,qclass>) to resolve. New options clients-per-query
and max-clients-per-query.
* dig: report the number of extra bytes still left in the packet after
processing all the records.
* Support for IPSECKEY rdata type.
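Review bot: the two tuples added in this hunk use different field orders, `<qname,qclass,qtype>` for the lame cache bullet and `<qname,qtype,qclass>` for the clients-per-query bullet; unless the difference is intentional, use the same order in both so readers do not assume the two caches are keyed differently.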
......
OPTIONS
Setting the STD_CDEFINES environment variable before running configure can
be used to enable certain compile-time options that are not explicitly
defined in configure.
Some of these settings are:
Setting Description
Setting Description
Overwrite memory with tag values when allocating
-DISC_MEM_DEFAULTFILL=1 or freeing it; this impairs performance but
makes debugging of memory problems easier.
......
PLATFORMS
Supported platforms
In general, this version of BIND will build and run on any POSIX-compliant
......@@ -64,31 +66,6 @@ These are platforms on which BIND 9.15 is known not to build or run:
Platform quirks
ARM
If the compilation ends with following error:
Error: selected processor does not support `yield' in ARM mode
You will need to set -march compiler option to native, so the compiler
recognizes yield assembler instruction. The proper way to set -march=
native would be to put it into CFLAGS, e.g. run ./configure like this:
CFLAGS="-march=native -Os -g" ./configure plus your usual options.
If that doesn't work, you can enforce the minimum CPU and FPU (taken from
Debian armhf documentation):
* The lowest worthwhile CPU implementation is Armv7-A, therefore the
recommended build option is -march=armv7-a.
* FPU should be set at VFPv3-D16 as they represent the minimum
specification of the processors to support here, therefore the
recommended build option is -mfpu=vfpv3-d16.
The configure command should look like this:
CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
NetBSD 6 i386
The i386 build of NetBSD requires the libatomic library, available from
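Review bot: this hunk removes the entire ARM "Platform quirks" subsection (the `yield` assembler error and the -march=native and -march=armv7-a -mfpu=vfpv3-d16 workarounds) without saying why. If the build now detects this itself, a CHANGES line or a sentence in the commit message pointing at that fix would help people who still hit the error on older toolchains; if the workaround is still needed anywhere, the text should stay.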
......
README
BIND 9
Contents
......@@ -134,7 +136,7 @@ make depend. If you're using Emacs, you might find make tags helpful.
Several environment variables that can be set before running configure
will affect compilation:
Variable Description
Variable Description
CC The C compiler to use. configure tries to figure out the
right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as
......@@ -187,8 +189,10 @@ operations, specify the path to the PKCS#11 provider library using
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c https://
github.com/json-c. If these are installed at a nonstandard location,
specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
github.com/json-c. If these are installed at a nonstandard location, then:
* for libxml2, specify the prefix using --with-libxml2=/prefix,
* for json-c, adjust PKG_CONFIG_PATH.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
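Review bot: the rewritten paragraph drops `--with-libjson=/prefix` and tells json-c users to adjust PKG_CONFIG_PATH instead. If that means the --with-libjson configure option itself is gone, packagers' build scripts will break, so it should be recorded in CHANGES; if the option still exists, keep mentioning it here rather than only the PKG_CONFIG_PATH route.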
......@@ -286,7 +290,7 @@ development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
Category Description
Category Description
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
......@@ -321,8 +325,8 @@ issue number. Prior to 2018, these were usually of the form [RT #NNN] and
referred to entries in the "bind9-bugs" RT database, which was not open to
the public. More recent entries use the form [GL #NNN] or, less often, [GL
!NNN], which, respectively, refer to issues or merge requests in the
Gitlab database. Most of these are publically readable, unless they
include information which is confidential or security senstive.
Gitlab database. Most of these are publicly readable, unless they include
information which is confidential or security senstive.
To look up a Gitlab issue by its number, use the URL https://
gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
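Review bot: the spelling fix in this hunk is incomplete: "publically" becomes "publicly", but "senstive" in the same sentence survives into the new line. Change it to "sensitive".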
......@@ -337,21 +341,23 @@ Acknowledgments
* The original development of BIND 9 was underwritten by the following
organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)
......@@ -332,7 +332,7 @@ issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
and referred to entries in the "bind9-bugs" RT database, which was not open
to the public. More recent entries use the form `[GL #NNN]` or, less often,
`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
Gitlab database. Most of these are publically readable, unless they include
Gitlab database. Most of these are publicly readable, unless they include
information which is confidential or security senstive.
To look up a Gitlab issue by its number, use the URL
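Review bot: same incomplete fix as in the README hunk above: "senstive" should be "sensitive" in the new line of README.md as well.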
......
......@@ -146,14 +146,16 @@ to specify the name of a zone containing DLV records\&.
Note: When reading the trust anchor file,
\fBdelv\fR
treats
\fBmanaged\-keys\fR
statements and
\fBtrusted\-keys\fR
statements identically\&. That is, for a managed key, it is the
\fIinitial\fR
key that is trusted; RFC 5011 key management is not supported\&.
\fBdnssec\-keys\fR\fBinitial\-key\fR
and
\fBstatic\-key\fR
entries identically\&. That is, even if a key is configured with
\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
\fBdelv\fR
as if it had been configured as a
\fBstatic\-key\fR\&.
\fBdelv\fR
will not consult the managed\-keys database maintained by
does not consult the managed keys database maintained by
\fBnamed\fR\&. This means that if either of the keys in
/etc/bind\&.keys
is revoked and rolled over, it will be necessary to update
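Review bot: `\fBdnssec\-keys\fR\fBinitial\-key\fR` has no space between the two bold runs, so the man page will render as "dnssec-keysinitial-key"; the HTML version of the same paragraph puts a space between them. Either put `initial\-key` on its own line (roff joins lines with a space) or insert a space between `\fR` and `\fB`.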
......
......@@ -200,14 +200,17 @@
</p>
<p>
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
statements and <code class="option">trusted-keys</code> statements
identically. That is, for a managed key, it is the
<span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
key management is not supported. <span class="command"><strong>delv</strong></span>
will not consult the managed-keys database maintained by
<span class="command"><strong>named</strong></span>. This means that if either of the
keys in <code class="filename">/etc/bind.keys</code> is revoked
<span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is
meant to be used only as an initializing key for RFC 5011
key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
<span class="command"><strong>delv</strong></span> does not consult the managed keys
database maintained by <span class="command"><strong>named</strong></span>. This means
that if either of the keys in
<code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>.
......
......@@ -589,11 +589,11 @@ A synonym for
.RS 4
Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
\fBdig\fR
normally sends recursive queries\&. Recursion is automatically disabled when the
normally sends recursive queries\&. Recursion is automatically disabled when using the
\fI+nssearch\fR
or
option, and when using
\fI+trace\fR
query options are used\&.
except for an initial recursive query to get the list of root servers\&.
.RE
.PP
\fB+retry=T\fR
......
......@@ -797,8 +797,10 @@
in the query. This bit is set by default, which means
<span class="command"><strong>dig</strong></span> normally sends recursive
queries. Recursion is automatically disabled when
the <em class="parameter"><code>+nssearch</code></em> or
<em class="parameter"><code>+trace</code></em> query options are used.
using the <em class="parameter"><code>+nssearch</code></em> option, and
when using <em class="parameter"><code>+trace</code></em> except for
an initial recursive query to get the list of root
servers.
</p>
</dd>
<dt><span class="term"><code class="option">+retry=T</code></span></dt>
......
......@@ -10,12 +10,12 @@
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2018-12-07
.\" Date: 2019-05-10
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\&.CONF" "5" "2018\-12\-07" "ISC" "BIND9"
.TH "NAMED\&.CONF" "5" "2019\-05\-10" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......@@ -97,6 +97,19 @@ dlz \fIstring\fR {
.if n \{\
.RE
.\}
.SH "DNSSEC-KEYS"
.sp
.if n \{\
.RS 4
.\}
.nf
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
.RE
.\}
.SH "DYNDB"
.sp
.if n \{\
......@@ -149,13 +162,16 @@ logging {
.RE
.\}
.SH "MANAGED-KEYS"
.PP
See DNSSEC\-KEYS\&.
.sp
.if n \{\
.RS 4
.\}
.nf
managed\-keys { \fIstring\fR \fIstring\fR \fIinteger\fR
\fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
managed\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
.RE
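Review bot: the new managed-keys grammar replaces the second free-form `string` with the fixed choice `( static\-key | initial\-key )`, which is a parser change rather than a documentation alias; the added "See DNSSEC-KEYS." paragraph should say whether existing managed-keys statements load unchanged and, given that CHANGES calls the option deprecated, should say so here the way the TRUSTED-KEYS section does.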
......@@ -257,7 +273,6 @@ options {
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-enable \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR trust\-anchor
\fIstring\fR | auto | no );
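Review bot: `dnssec\-enable \fIboolean\fR;` is dropped from the options grammar here, but nothing in the visible CHANGES excerpt records the removal. If named still accepts the option for compatibility, the listing should keep it marked obsolete rather than omit it silently; if it now causes a configuration error, that needs a CHANGES entry because existing named.conf files that set it will stop loading.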
......@@ -409,11 +424,12 @@ options {
resolver\-retry\-interval \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl
\fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname |
disabled | drop | given | no\-op | nodata | nxdomain | passthru
| tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [
nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
\fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
......@@ -551,13 +567,16 @@ statistics\-channels {
.RE
.\}
.SH "TRUSTED-KEYS"
.PP
Deprecated \- see DNSSEC\-KEYS\&.
.sp
.if n \{\
.RS 4
.\}
.nf
trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
trusted\-keys { \fIstring\fR \fIinteger\fR
\fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };, deprecated
.fi
.if n \{\
.RE
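Review bot: the trailing `};, deprecated` on the last grammar line puts the word "deprecated" inside the .nf/.fi block, where it renders as part of the trusted-keys syntax. The "Deprecated - see DNSSEC-KEYS." paragraph added above already carries the status, so drop the suffix from the generated grammar or emit it outside the no-fill region.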
......@@ -638,7 +657,9 @@ view \fIstring\fR [ \fIclass\fR ] {
dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-enable \fIboolean\fR;
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR trust\-anchor
\fIstring\fR | auto | no );
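Review bot: same point as for the options block: `dnssec\-enable` is removed from the view grammar without an accompanying CHANGES entry; keep it listed as obsolete if named still parses it.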
......@@ -676,9 +697,9 @@ view \fIstring\fR [ \fIclass\fR ] {
key\-directory \fIquoted_string\fR;
lame\-ttl \fIttlval\fR;
lmdb\-mapsize \fIsizeval\fR;
managed\-keys { \fIstring\fR \fIstring\fR
\fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
managed\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
masterfile\-format ( map | raw | text );
masterfile\-style ( full | relative );
match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
......@@ -761,11 +782,12 @@ view \fIstring\fR [ \fIclass\fR ] {
resolver\-retry\-interval \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl
\fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname |
disabled | drop | given | no\-op | nodata | nxdomain | passthru
| tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [
nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
\fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
......@@ -827,9 +849,10 @@ view \fIstring\fR [ \fIclass\fR ] {
transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
] [ dscp \fIinteger\fR ];
trust\-anchor\-telemetry \fIboolean\fR; // experimental
trusted\-keys { \fIstring\fR \fIinteger\fR
\fIinteger\fR \fIinteger\fR \fIquoted_string\fR;
\&.\&.\&. };
trusted\-keys { \fIstring\fR
\fIinteger\fR \fIinteger\fR
\fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };, deprecated
try\-tcp\-refresh \fIboolean\fR;
update\-check\-ksk \fIboolean\fR;
use\-alt\-transfer\-source \fIboolean\fR;
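Review bot: the view-level trusted-keys grammar has the same `};, deprecated` suffix inside the .nf block as the top-level one, and here there is no prose paragraph carrying the status, so the suffix is the only marker and it reads as part of the syntax. Move the deprecation note into a .PP paragraph as was done for the top-level TRUSTED-KEYS section.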
......
......@@ -284,7 +284,7 @@ maintain, and also requires the zone to be configured to allow dynamic DNS\&. (S
.PP
\fBmanaged\-keys \fR\fB\fI(status | refresh | sync | destroy)\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&.
Inspect and control the "managed keys" database which handles RFC 5011 DNSSEC trust anchor maintenance\&. If a view is specified, these commands are applied to that view; otherwise they are applied to all views\&.
.sp
.RS 4
.ie n \{\
......@@ -296,7 +296,7 @@ Inspect and control the "managed\-keys" database which handles RFC 5011 DNSSEC t
.\}
When run with the
status
keyword, prints the current status of the managed\-keys database\&.
keyword, prints the current status of the managed keys database\&.
.RE
.sp
.RS 4
......@@ -309,7 +309,7 @@ keyword, prints the current status of the managed\-keys database\&.
.\}
When run with the
refresh
keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed\-keys database if any new keys are found, without waiting the normal refresh interval\&.
keyword, forces an immediate refresh query to be sent for all the managed keys, updating the managed keys database if any new keys are found, without waiting the normal refresh interval\&.
.RE
.sp
.RS 4
......@@ -322,7 +322,7 @@ keyword, forces an immediate refresh query to be sent for all the managed keys,
.\}
When run with the
sync
keyword, forces an immediate dump of the managed\-keys database to disk (in the file
keyword, forces an immediate dump of the managed keys database to disk (in the file
managed\-keys\&.bind
or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal file, so that the database\*(Aqs current contents can be inspected visually\&.
.RE
......@@ -337,7 +337,7 @@ or (\fIviewname\fR\&.mkeys)\&. This synchronizes the database with its journal f
.\}
When run with the
destroy
keyword, the managed\-keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&.
keyword, the managed keys database is shut down and deleted, and all key maintenance is terminated\&. This command should be used only with extreme caution\&.
.sp
Existing keys that are already trusted are not deleted from memory; DNSSEC validation can continue after this command is used\&. However, key maintenance operations will cease until
\fBnamed\fR
......@@ -515,8 +515,12 @@ timer\&.
\fBsecroots \fR\fB[\-]\fR\fB \fR\fB[\fIview \&.\&.\&.\fR]\fR
.RS 4
Dump the security roots (i\&.e\&., trust anchors configured via
\fBtrusted\-keys\fR,
\fBmanaged\-keys\fR, or
\fBdnssec\-keys\fR
statements, or the synonymous
\fBmanaged\-keys\fR
or the deprecated
\fBtrusted\-keys\fR
statements, or via
\fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
.sp
If the first argument is "\-", then the output is returned via the
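Review bot: the statement names in this hunk are updated to dnssec-keys, managed-keys and trusted-keys, but the unchanged sentence that follows still describes secroots output as "trusted keys, managed keys, or initializing managed keys". If the dump labels now follow the static-key / initial-key terminology, that sentence needs the same update; if the output labels are unchanged, say so, because operators compare this text against what rndc prints.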
......@@ -697,7 +701,7 @@ Delete a given TKEY\-negotiated key from the server\&. (This does not apply to s
.RS 4
List the names of all TSIG keys currently configured for use by
\fBnamed\fR
in each view\&. The list both statically configured keys and dynamic TKEY\-negotiated keys\&.
in each view\&. The list includes both statically configured keys and dynamic TKEY\-negotiated keys\&.
.RE
.PP
\fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR
......
......@@ -378,7 +378,7 @@
<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync | destroy)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Inspect and control the "managed-keys" database which
Inspect and control the "managed keys" database which
handles RFC 5011 DNSSEC trust anchor maintenance. If a view
is specified, these commands are applied to that view;
otherwise they are applied to all views.
......@@ -387,14 +387,14 @@
<li class="listitem">
<p>
When run with the <code class="literal">status</code> keyword, prints
the current status of the managed-keys database.
the current status of the managed keys database.
</p>
</li>
<li class="listitem">
<p>
When run with the <code class="literal">refresh</code> keyword,
forces an immediate refresh query to be sent for all
the managed keys, updating the managed-keys database
the managed keys, updating the managed keys database
if any new keys are found, without waiting the normal
refresh interval.
</p>
......@@ -402,7 +402,7 @@
<li class="listitem">
<p>
When run with the <code class="literal">sync</code> keyword, forces an
immediate dump of the managed-keys database to disk
immediate dump of the managed keys database to disk
(in the file <code class="filename">managed-keys.bind</code> or
(<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
This synchronizes the database with its journal file, so
......@@ -413,7 +413,7 @@
<li class="listitem">
<p>
When run with the <code class="literal">destroy</code> keyword, the
managed-keys database is shut down and deleted, and all key
managed keys database is shut down and deleted, and all key
maintenance is terminated. This command should be used only
with extreme caution.
</p>
......@@ -653,9 +653,10 @@
<dd>
<p>
Dump the security roots (i.e., trust anchors
configured via <span class="command"><strong>trusted-keys</strong></span>,
<span class="command"><strong>managed-keys</strong></span>, or
<span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
configured via <span class="command"><strong>dnssec-keys</strong></span> statements,
or the synonymous <span class="command"><strong>managed-keys</strong></span> or
the deprecated <span class="command"><strong>trusted-keys</strong></span> statements, or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether
they are configured as trusted keys, managed keys, or
......@@ -905,7 +906,7 @@
<p>
List the names of all TSIG keys currently configured
for use by <span class="command"><strong>named</strong></span> in each view. The
list both statically configured keys and dynamic
list includes both statically configured keys and dynamic
TKEY-negotiated keys.
</p>
</dd>
......
......@@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
......@@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
......@@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
......@@ -54,7 +54,7 @@
<dt><span class="section"><a href="Bv9ARM.ch04.html#sig0">SIG(0)</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#generating_dnssec_keys">Generating Keys</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_signing">Signing the Zone</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch04.html#dnssec_config">Configuring Servers for DNSSEC</a></span></dt>
</dl></dd>
......@@ -913,7 +913,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_keys"></a>Generating Keys</h3></div></div></div>
<a name="generating_dnssec_keys"></a>Generating Keys</h3></div></div></div>
<p>
The <span class="command"><strong>dnssec-keygen</strong></span> program is used to
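Review bot: renaming the anchor from `dnssec_keys` to `generating_dnssec_keys` breaks existing links to Bv9ARM.ch04.html#dnssec_keys; the TOC entry in the earlier hunk is updated, but any other xref in the ARM and any external bookmark will silently land at the top of the page. Either keep an extra `<a name="dnssec_keys"></a>` beside the new one or check the rest of the ARM for references to the old name.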
......@@ -1042,8 +1042,9 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<strong class="userinput"><code>yes</code></strong>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <code class="filename">named.conf</code>
using a <span class="command"><strong>trusted-keys</strong></span> or
<span class="command"><strong>managed-keys</strong></span> statement.
using a <span class="command"><strong>dnssec-keys</strong></span> statement (or the
synonymous <span class="command"><strong>managed-keys</strong></span> or the deprecated
<span class="command"><strong>trusted-keys</strong></span> statements).
</p>
<p>
When <span class="command"><strong>dnssec-validation</strong></span> is set to
......@@ -1056,23 +1057,20 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<p>
<span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
for zones that are used to form the first link in the
cryptographic chain of trust. All keys listed in
<span class="command"><strong>trusted-keys</strong></span> (and corresponding zones)
are deemed to exist and only the listed keys will be used
to validated the DNSKEY RRset that they are from.
The keys specified in <span class="command"><strong>dnssec-keys</strong></span>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
with the keyword <span class="command"><strong>static-key</strong></span> are loaded directly
into the table of trust anchors, and can only be changed by
altering the configuration. Keys configured with
<span class="command"><strong>initial-key</strong></span> are used to initialize
RFC 5011 trust anchor maintenance, and will be kept up to
date automatically after the first time <span class="command"><strong>named</strong></span>
runs.
</p>
<p>
<span class="command"><strong>managed-keys</strong></span> are trusted keys which are
automatically kept up to date via RFC 5011 trust anchor
maintenance.
</p>
<p>
<span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> are described in more detail
<span class="command"><strong>dnssec-keys</strong></span> is described in more detail
later in this document.
</p>
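Review bot: the new sentence "The keys specified in dnssec-keys copies of DNSKEY RRs for zones ..." is missing its verb and should read "are copies of DNSKEY RRs". The old paragraph's "to validated" typo disappears with the rewrite, so this is the only grammar problem left here.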
......@@ -1095,7 +1093,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</p>
<pre class="programlisting">
managed-keys {
dnssec-keys {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
......@@ -1107,11 +1105,8 @@ managed-keys {
66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
dgxbcDTClU0CRBdiieyLMNzXG3";
};
trusted-keys {
/* Key for our organization's forward zone */
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
example.com. static-key 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
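Review bot: dropping `};` and `trusted-keys {` so the organization's static-key entries share one dnssec-keys block with the "/* Root Key */" entry matches the new grammar, but since this is now the sample readers will copy, add a sentence saying the root entry shown (257 3 3, algorithm 3) is illustrative and that the real root trust anchor normally comes from dnssec-validation auto or /etc/bind.keys rather than from this listing.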
......@@ -1124,7 +1119,7 @@ trusted-keys {
1OTQ09A0=";
/* Key for our reverse zone. */
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
xOdNax071L18QqZnQQQAVVr+i
LhGTnNGp3HoWQLUIzKrJVZ3zg
gy3WwNT6kZo6c0tszYqbtvchm
......@@ -1516,11 +1511,11 @@ options {
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
<span class="command"><strong>managed-keys</strong></span> statement. Information about
<span class="command"><strong>dnssec-keys</strong></span> statement and the
<span class="command"><strong>initial-key</strong></span> keyword. Information about
this can be found in
<a class="xref" href="Bv9ARM.ch05.html#managed-keys" title="managed-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>managed-keys</strong></span> Statement Definition
<a class="xref" href="Bv9ARM.ch05.html#dnssec-keys" title="dnssec-keys Statement Definition and Usage">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Definition
and Usage&#8221;</a>.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
......@@ -2845,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
......@@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
......@@ -191,6 +191,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
</body>
</html>
......@@ -36,7 +36,7 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
......@@ -55,7 +55,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
......@@ -145,7 +145,15 @@
<p>
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</p>
</li>
<li class="listitem">
<p>
A race condition could trigger an assertion failure when
a large number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]
</p>
</li>
</ul></div>
......@@ -154,37 +162,76 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">