Commit 9bb0b30b authored by Tinderbox User's avatar Tinderbox User Committed by Evan Hunt

prep 9.15.1

parent 7dfef18b
...@@ -2,6 +2,8 @@ ...@@ -2,6 +2,8 @@
statistics when hitting recursive clients statistics when hitting recursive clients
soft quota. [GL #1067] soft quota. [GL #1067]
--- 9.15.1 released ---
5248. [func] To clarify the configuration of DNSSEC keys, 5248. [func] To clarify the configuration of DNSSEC keys,
the "managed-keys" and "trusted-keys" options the "managed-keys" and "trusted-keys" options
have both been deprecated. The new "dnssec-keys" have both been deprecated. The new "dnssec-keys"
......
CONTRIBUTING
BIND Source Access and Contributor Guidelines BIND Source Access and Contributor Guidelines
Feb 22, 2018 Feb 22, 2018
......
HISTORY
Functional enhancements from prior major releases of BIND 9 Functional enhancements from prior major releases of BIND 9
BIND 9.14 BIND 9.14
...@@ -505,11 +507,11 @@ BIND 9.4.0 ...@@ -505,11 +507,11 @@ BIND 9.4.0
* Detect duplicates of UDP queries we are recursing on and drop them. * Detect duplicates of UDP queries we are recursing on and drop them.
New stats category "duplicates". New stats category "duplicates".
* "USE INTERNAL MALLOC" is now runtime selectable. * "USE INTERNAL MALLOC" is now runtime selectable.
* The lame cache is now done on a basis as some servers only appear to * The lame cache is now done on a <qname,qclass,qtype> basis as some
be lame for certain query types. servers only appear to be lame for certain query types.
* Limit the number of recursive clients that can be waiting for a single * Limit the number of recursive clients that can be waiting for a single
query () to resolve. New options clients-per-query and query (<qname,qtype,qclass>) to resolve. New options clients-per-query
max-clients-per-query. and max-clients-per-query.
* dig: report the number of extra bytes still left in the packet after * dig: report the number of extra bytes still left in the packet after
processing all the records. processing all the records.
* Support for IPSECKEY rdata type. * Support for IPSECKEY rdata type.
......
OPTIONS
Setting the STD_CDEFINES environment variable before running configure can Setting the STD_CDEFINES environment variable before running configure can
be used to enable certain compile-time options that are not explicitly be used to enable certain compile-time options that are not explicitly
defined in configure. defined in configure.
Some of these settings are: Some of these settings are:
Setting Description Setting Description
Overwrite memory with tag values when allocating Overwrite memory with tag values when allocating
-DISC_MEM_DEFAULTFILL=1 or freeing it; this impairs performance but -DISC_MEM_DEFAULTFILL=1 or freeing it; this impairs performance but
makes debugging of memory problems easier. makes debugging of memory problems easier.
......
PLATFORMS
Supported platforms Supported platforms
In general, this version of BIND will build and run on any POSIX-compliant In general, this version of BIND will build and run on any POSIX-compliant
...@@ -64,31 +66,6 @@ These are platforms on which BIND 9.15 is known not to build or run: ...@@ -64,31 +66,6 @@ These are platforms on which BIND 9.15 is known not to build or run:
Platform quirks Platform quirks
ARM
If the compilation ends with following error:
Error: selected processor does not support `yield' in ARM mode
You will need to set -march compiler option to native, so the compiler
recognizes yield assembler instruction. The proper way to set -march=
native would be to put it into CFLAGS, e.g. run ./configure like this:
CFLAGS="-march=native -Os -g" ./configure plus your usual options.
If that doesn't work, you can enforce the minimum CPU and FPU (taken from
Debian armhf documentation):
* The lowest worthwhile CPU implementation is Armv7-A, therefore the
recommended build option is -march=armv7-a.
* FPU should be set at VFPv3-D16 as they represent the minimum
specification of the processors to support here, therefore the
recommended build option is -mfpu=vfpv3-d16.
The configure command should look like this:
CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
NetBSD 6 i386 NetBSD 6 i386
The i386 build of NetBSD requires the libatomic library, available from The i386 build of NetBSD requires the libatomic library, available from
......
README
BIND 9 BIND 9
Contents Contents
...@@ -134,7 +136,7 @@ make depend. If you're using Emacs, you might find make tags helpful. ...@@ -134,7 +136,7 @@ make depend. If you're using Emacs, you might find make tags helpful.
Several environment variables that can be set before running configure Several environment variables that can be set before running configure
will affect compilation: will affect compilation:
Variable Description Variable Description
CC The C compiler to use. configure tries to figure out the CC The C compiler to use. configure tries to figure out the
right one for supported systems. right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as C compiler flags. Defaults to include -g and/or -O2 as
...@@ -187,8 +189,10 @@ operations, specify the path to the PKCS#11 provider library using ...@@ -187,8 +189,10 @@ operations, specify the path to the PKCS#11 provider library using
To support the HTTP statistics channel, the server must be linked with at To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c https:// least one of the following: libxml2 http://xmlsoft.org or json-c https://
github.com/json-c. If these are installed at a nonstandard location, github.com/json-c. If these are installed at a nonstandard location, then:
specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
* for libxml2, specify the prefix using --with-libxml2=/prefix,
* for json-c, adjust PKG_CONFIG_PATH.
To support compression on the HTTP statistics channel, the server must be To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location, linked against libzlib. If this is installed in a nonstandard location,
...@@ -286,7 +290,7 @@ development BIND 9 is included in the file CHANGES, with the most recent ...@@ -286,7 +290,7 @@ development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are: the change that was made; these categories are:
Category Description Category Description
[func] New feature [func] New feature
[bug] General bug fix [bug] General bug fix
[security] Fix for a significant security flaw [security] Fix for a significant security flaw
...@@ -321,8 +325,8 @@ issue number. Prior to 2018, these were usually of the form [RT #NNN] and ...@@ -321,8 +325,8 @@ issue number. Prior to 2018, these were usually of the form [RT #NNN] and
referred to entries in the "bind9-bugs" RT database, which was not open to referred to entries in the "bind9-bugs" RT database, which was not open to
the public. More recent entries use the form [GL #NNN] or, less often, [GL the public. More recent entries use the form [GL #NNN] or, less often, [GL
!NNN], which, respectively, refer to issues or merge requests in the !NNN], which, respectively, refer to issues or merge requests in the
Gitlab database. Most of these are publically readable, unless they Gitlab database. Most of these are publicly readable, unless they include
include information which is confidential or security senstive. information which is confidential or security senstive.
To look up a Gitlab issue by its number, use the URL https:// To look up a Gitlab issue by its number, use the URL https://
gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request, gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
...@@ -337,21 +341,23 @@ Acknowledgments ...@@ -337,21 +341,23 @@ Acknowledgments
* The original development of BIND 9 was underwritten by the following * The original development of BIND 9 was underwritten by the following
organizations: organizations:
Sun Microsystems, Inc. Sun Microsystems, Inc.
Hewlett Packard Hewlett Packard
Compaq Computer Corporation Compaq Computer Corporation
IBM IBM
Process Software Corporation Process Software Corporation
Silicon Graphics, Inc. Silicon Graphics, Inc.
Network Associates, Inc. Network Associates, Inc.
U.S. Defense Information Systems Agency U.S. Defense Information Systems Agency
USENIX Association USENIX Association
Stichting NLnet - NLnet Foundation Stichting NLnet - NLnet Foundation
Nominum, Inc. Nominum, Inc.
* This product includes software developed by the OpenSSL Project for * This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/ use in the OpenSSL Toolkit. http://www.OpenSSL.org/
* This product includes cryptographic software written by Eric Young * This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com) (eay@cryptsoft.com)
* This product includes software written by Tim Hudson * This product includes software written by Tim Hudson
(tjh@cryptsoft.com) (tjh@cryptsoft.com)
...@@ -332,7 +332,7 @@ issue number. Prior to 2018, these were usually of the form `[RT #NNN]` ...@@ -332,7 +332,7 @@ issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
and referred to entries in the "bind9-bugs" RT database, which was not open and referred to entries in the "bind9-bugs" RT database, which was not open
to the public. More recent entries use the form `[GL #NNN]` or, less often, to the public. More recent entries use the form `[GL #NNN]` or, less often,
`[GL !NNN]`, which, respectively, refer to issues or merge requests in the `[GL !NNN]`, which, respectively, refer to issues or merge requests in the
Gitlab database. Most of these are publically readable, unless they include Gitlab database. Most of these are publicly readable, unless they include
information which is confidential or security senstive. information which is confidential or security senstive.
To look up a Gitlab issue by its number, use the URL To look up a Gitlab issue by its number, use the URL
......
...@@ -146,14 +146,16 @@ to specify the name of a zone containing DLV records\&. ...@@ -146,14 +146,16 @@ to specify the name of a zone containing DLV records\&.
Note: When reading the trust anchor file, Note: When reading the trust anchor file,
\fBdelv\fR \fBdelv\fR
treats treats
\fBmanaged\-keys\fR \fBdnssec\-keys\fR\fBinitial\-key\fR
statements and and
\fBtrusted\-keys\fR \fBstatic\-key\fR
statements identically\&. That is, for a managed key, it is the entries identically\&. That is, even if a key is configured with
\fIinitial\fR \fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
key that is trusted; RFC 5011 key management is not supported\&. \fBdelv\fR
as if it had been configured as a
\fBstatic\-key\fR\&.
\fBdelv\fR \fBdelv\fR
will not consult the managed\-keys database maintained by does not consult the managed keys database maintained by
\fBnamed\fR\&. This means that if either of the keys in \fBnamed\fR\&. This means that if either of the keys in
/etc/bind\&.keys /etc/bind\&.keys
is revoked and rolled over, it will be necessary to update is revoked and rolled over, it will be necessary to update
......
...@@ -200,14 +200,17 @@ ...@@ -200,14 +200,17 @@
</p> </p>
<p> <p>
Note: When reading the trust anchor file, Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code> <span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
statements and <code class="option">trusted-keys</code> statements <code class="option">initial-key</code> and <code class="option">static-key</code>
identically. That is, for a managed key, it is the entries identically. That is, even if a key is configured
<span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011 with <span class="command"><strong>initial-key</strong></span>, indicating that it is
key management is not supported. <span class="command"><strong>delv</strong></span> meant to be used only as an initializing key for RFC 5011
will not consult the managed-keys database maintained by key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
<span class="command"><strong>named</strong></span>. This means that if either of the as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
keys in <code class="filename">/etc/bind.keys</code> is revoked <span class="command"><strong>delv</strong></span> does not consult the managed keys
database maintained by <span class="command"><strong>named</strong></span>. This means
that if either of the keys in
<code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC <code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>. validation in <span class="command"><strong>delv</strong></span>.
......
...@@ -589,11 +589,11 @@ A synonym for ...@@ -589,11 +589,11 @@ A synonym for
.RS 4 .RS 4
Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
\fBdig\fR \fBdig\fR
normally sends recursive queries\&. Recursion is automatically disabled when the normally sends recursive queries\&. Recursion is automatically disabled when using the
\fI+nssearch\fR \fI+nssearch\fR
or option, and when using
\fI+trace\fR \fI+trace\fR
query options are used\&. except for an initial recursive query to get the list of root servers\&.
.RE .RE
.PP .PP
\fB+retry=T\fR \fB+retry=T\fR
......
...@@ -797,8 +797,10 @@ ...@@ -797,8 +797,10 @@
in the query. This bit is set by default, which means in the query. This bit is set by default, which means
<span class="command"><strong>dig</strong></span> normally sends recursive <span class="command"><strong>dig</strong></span> normally sends recursive
queries. Recursion is automatically disabled when queries. Recursion is automatically disabled when
the <em class="parameter"><code>+nssearch</code></em> or using the <em class="parameter"><code>+nssearch</code></em> option, and
<em class="parameter"><code>+trace</code></em> query options are used. when using <em class="parameter"><code>+trace</code></em> except for
an initial recursive query to get the list of root
servers.
</p> </p>
</dd> </dd>
<dt><span class="term"><code class="option">+retry=T</code></span></dt> <dt><span class="term"><code class="option">+retry=T</code></span></dt>
......
...@@ -10,12 +10,12 @@ ...@@ -10,12 +10,12 @@
.\" Title: named.conf .\" Title: named.conf
.\" Author: .\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2018-12-07 .\" Date: 2019-05-10
.\" Manual: BIND9 .\" Manual: BIND9
.\" Source: ISC .\" Source: ISC
.\" Language: English .\" Language: English
.\" .\"
.TH "NAMED\&.CONF" "5" "2018\-12\-07" "ISC" "BIND9" .TH "NAMED\&.CONF" "5" "2019\-05\-10" "ISC" "BIND9"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
...@@ -97,6 +97,19 @@ dlz \fIstring\fR { ...@@ -97,6 +97,19 @@ dlz \fIstring\fR {
.if n \{\ .if n \{\
.RE .RE
.\} .\}
.SH "DNSSEC-KEYS"
.sp
.if n \{\
.RS 4
.\}
.nf
dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi
.if n \{\
.RE
.\}
.SH "DYNDB" .SH "DYNDB"
.sp .sp
.if n \{\ .if n \{\
...@@ -149,13 +162,16 @@ logging { ...@@ -149,13 +162,16 @@ logging {
.RE .RE
.\} .\}
.SH "MANAGED-KEYS" .SH "MANAGED-KEYS"
.PP
See DNSSEC\-KEYS\&.
.sp .sp
.if n \{\ .if n \{\
.RS 4 .RS 4
.\} .\}
.nf .nf
managed\-keys { \fIstring\fR \fIstring\fR \fIinteger\fR managed\-keys { \fIstring\fR ( static\-key |
\fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
.fi .fi
.if n \{\ .if n \{\
.RE .RE
...@@ -257,7 +273,6 @@ options { ...@@ -257,7 +273,6 @@ options {
dnsrps\-options { \fIunspecified\-text\fR }; dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR; dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR; dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-enable \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR; dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR trust\-anchor dnssec\-lookaside ( \fIstring\fR trust\-anchor
\fIstring\fR | auto | no ); \fIstring\fR | auto | no );
...@@ -409,11 +424,12 @@ options { ...@@ -409,11 +424,12 @@ options {
resolver\-retry\-interval \fIinteger\fR; resolver\-retry\-interval \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR; \fIinteger\fR;
response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname | \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
disabled | drop | given | no\-op | nodata | nxdomain | passthru \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
| tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [ nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [ min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ] nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
...@@ -551,13 +567,16 @@ statistics\-channels { ...@@ -551,13 +567,16 @@ statistics\-channels {
.RE .RE
.\} .\}
.SH "TRUSTED-KEYS" .SH "TRUSTED-KEYS"
.PP
Deprecated \- see DNSSEC\-KEYS\&.
.sp .sp
.if n \{\ .if n \{\
.RS 4 .RS 4
.\} .\}
.nf .nf
trusted\-keys { \fIstring\fR \fIinteger\fR \fIinteger\fR trusted\-keys { \fIstring\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. }; \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };, deprecated
.fi .fi
.if n \{\ .if n \{\
.RE .RE
...@@ -638,7 +657,9 @@ view \fIstring\fR [ \fIclass\fR ] { ...@@ -638,7 +657,9 @@ view \fIstring\fR [ \fIclass\fR ] {
dnsrps\-options { \fIunspecified\-text\fR }; dnsrps\-options { \fIunspecified\-text\fR };
dnssec\-accept\-expired \fIboolean\fR; dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR; dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-enable \fIboolean\fR; dnssec\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR; dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR trust\-anchor dnssec\-lookaside ( \fIstring\fR trust\-anchor
\fIstring\fR | auto | no ); \fIstring\fR | auto | no );
...@@ -676,9 +697,9 @@ view \fIstring\fR [ \fIclass\fR ] { ...@@ -676,9 +697,9 @@ view \fIstring\fR [ \fIclass\fR ] {
key\-directory \fIquoted_string\fR; key\-directory \fIquoted_string\fR;
lame\-ttl \fIttlval\fR; lame\-ttl \fIttlval\fR;
lmdb\-mapsize \fIsizeval\fR; lmdb\-mapsize \fIsizeval\fR;
managed\-keys { \fIstring\fR \fIstring\fR managed\-keys { \fIstring\fR ( static\-key |
\fIinteger\fR \fIinteger\fR \fIinteger\fR initial\-key ) \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. }; \fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
masterfile\-format ( map | raw | text ); masterfile\-format ( map | raw | text );
masterfile\-style ( full | relative ); masterfile\-style ( full | relative );
match\-clients { \fIaddress_match_element\fR; \&.\&.\&. }; match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
...@@ -761,11 +782,12 @@ view \fIstring\fR [ \fIclass\fR ] { ...@@ -761,11 +782,12 @@ view \fIstring\fR [ \fIclass\fR ] {
resolver\-retry\-interval \fIinteger\fR; resolver\-retry\-interval \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR; \fIinteger\fR;
response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname | \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
disabled | drop | given | no\-op | nodata | nxdomain | passthru \fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
| tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [ nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [ min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ] nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
...@@ -827,9 +849,10 @@ view \fIstring\fR [ \fIclass\fR ] { ...@@ -827,9 +849,10 @@ view \fIstring\fR [ \fIclass\fR ] {
transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
] [ dscp \fIinteger\fR ]; ] [ dscp \fIinteger\fR ];
trust\-anchor\-telemetry \fIboolean\fR; // experimental trust\-anchor\-telemetry \fIboolean\fR; // experimental
trusted\-keys { \fIstring\fR \fIinteger\fR trusted\-keys { \fIstring\fR
\fIinteger\fR \fIinteger\fR \fIquoted_string\fR; \fIinteger\fR \fIinteger\fR
\&.\&.\&. }; \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };, deprecated
try\-tcp\-refresh \fIboolean\fR; try\-tcp\-refresh \fIboolean\fR;
update\-check\-ksk \fIboolean\fR; update\-check\-ksk \fIboolean\fR;
use\-alt\-transfer\-source \fIboolean\fR; use\-alt\-transfer\-source \fIboolean\fR;
......
...@@ -59,7 +59,6 @@ ...@@ -59,7 +59,6 @@
<div class="refsection"> <div class="refsection">
<a name="id-1.8"></a><h2>ACL</h2> <a name="id-1.8"></a><h2>ACL</h2>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
acl<em class="replaceable"><code>string</code></em>{<em class="replaceable"><code>address_match_element</code></em>;...};<br> acl<em class="replaceable"><code>string</code></em>{<em class="replaceable"><code>address_match_element</code></em>;...};<br>
</p></div> </p></div>
...@@ -67,7 +66,6 @@ acl ...@@ -67,7 +66,6 @@ acl
<div class="refsection"> <div class="refsection">
<a name="id-1.9"></a><h2>CONTROLS</h2> <a name="id-1.9"></a><h2>CONTROLS</h2>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
controls{<br> controls{<br>
inet(<em class="replaceable"><code>ipv4_address</code></em>|<em class="replaceable"><code>ipv6_address</code></em>|<br> inet(<em class="replaceable"><code>ipv4_address</code></em>|<em class="replaceable"><code>ipv6_address</code></em>|<br>
...@@ -85,7 +83,6 @@ controls ...@@ -85,7 +83,6 @@ controls
<div class="refsection"> <div class="refsection">
<a name="id-1.10"></a><h2>DLZ</h2> <a name="id-1.10"></a><h2>DLZ</h2>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
dlz<em class="replaceable"><code>string</code></em>{<br> dlz<em class="replaceable"><code>string</code></em>{<br>
database<em class="replaceable"><code>string</code></em>;<br> database<em class="replaceable"><code>string</code></em>;<br>
...@@ -95,8 +92,16 @@ dlz ...@@ -95,8 +92,16 @@ dlz
</div> </div>
<div class="refsection"> <div class="refsection">
<a name="id-1.11"></a><h2>DYNDB</h2> <a name="id-1.11"></a><h2>DNSSEC-KEYS</h2>
<div class="literallayout"><p><br>
dnssec-keys{<em class="replaceable"><code>string</code></em>(static-key|<br>
initial-key)<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};<br>
</p></div>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>DYNDB</h2>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
dyndb<em class="replaceable"><code>string</code></em><em class="replaceable"><code>quoted_string</code></em>{<br> dyndb<em class="replaceable"><code>string</code></em><em class="replaceable"><code>quoted_string</code></em>{<br>
<em class="replaceable"><code>unspecified-text</code></em>};<br> <em class="replaceable"><code>unspecified-text</code></em>};<br>
...@@ -104,8 +109,7 @@ dyndb ...@@ -104,8 +109,7 @@ dyndb
</div> </div>
<div class="refsection"> <div class="refsection">
<a name="id-1.12"></a><h2>KEY</h2> <a name="id-1.13"></a><h2>KEY</h2>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
key<em class="replaceable"><code>string</code></em>{<br> key<em class="replaceable"><code>string</code></em>{<br>
algorithm<em class="replaceable"><code>string</code></em>;<br> algorithm<em class="replaceable"><code>string</code></em>;<br>
...@@ -115,8 +119,7 @@ key ...@@ -115,8 +119,7 @@ key
</div> </div>
<div class="refsection"> <div class="refsection">
<a name="id-1.13"></a><h2>LOGGING</h2> <a name="id-1.14"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
logging{<br> logging{<br>
category<em class="replaceable"><code>string</code></em>{<em class="replaceable"><code>string</code></em>;...};<br> category<em class="replaceable"><code>string</code></em>{<em class="replaceable"><code>string</code></em>;...};<br>
...@@ -138,17 +141,17 @@ logging ...@@ -138,17 +141,17 @@ logging
<div class="refsection"> <div class="refsection">
<a name="id-1.14"></a><h2>MANAGED-KEYS</h2> <a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
<p>See DNSSEC-KEYS.</p>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
managed-keys{<em class="replaceable"><code>string</code></em><em class="replaceable"><code>string</code></em><em class="replaceable"><code>integer</code></em><br> managed-keys{<em class="replaceable"><code>string</code></em>(static-key|<br>
<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>quoted_string</code></em>;...};<br> initial-key)<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};<br>
</p></div> </p></div>
</div> </div>
<div class="refsection"> <div class="refsection">
<a name="id-1.15"></a><h2>MASTERS</h2> <a name="id-1.16"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
masters<em class="replaceable"><code>string</code></em>[port<em class="replaceable"><code>integer</code></em>][dscp<br> masters<em class="replaceable"><code>string</code></em>[port<em class="replaceable"><code>integer</code></em>][dscp<br>
<em class="replaceable"><code>integer</code></em>]{(<em class="replaceable"><code>masters</code></em>|<em class="replaceable"><code>ipv4_address</code></em>[<br> <em class="replaceable"><code>integer</code></em>]{(<em class="replaceable"><code>masters</code></em>|<em class="replaceable"><code>ipv4_address</code></em>[<br>
...@@ -158,8 +161,7 @@ masters ...@@ -158,8 +161,7 @@ masters
</div> </div>
<div class="refsection"> <div class="refsection">
<a name="id-1.16"></a><h2>OPTIONS</h2> <a name="id-1.17"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
options{<br> options{<br>
allow-new-zones<em class="replaceable"><code>boolean</code></em>;<br> allow-new-zones<em class="replaceable"><code>boolean</code></em>;<br>
...@@ -238,7 +240,6 @@ options ...@@ -238,7 +240,6 @@ options
dnsrps-options{<em class="replaceable"><code>unspecified-text</code></em>};<br> dnsrps-options{<em class="replaceable"><code>unspecified-text</code></em>};<br>
dnssec-accept-expired<em class="replaceable"><code>boolean</code></em>;<br> dnssec-accept-expired<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br> dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-enable<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval<em class="replaceable"><code>integer</code></em>;<br> dnssec-loadkeys-interval<em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside(<em class="replaceable"><code>string</code></em>trust-anchor<br> dnssec-lookaside(<em class="replaceable"><code>string</code></em>trust-anchor<br>
<em class="replaceable"><code>string</code></em>|auto|no);<br> <em class="replaceable"><code>string</code></em>|auto|no);<br>
...@@ -390,11 +391,12 @@ options ...@@ -390,11 +391,12 @@ options
resolver-retry-interval<em class="replaceable"><code>integer</code></em>;<br> resolver-retry-interval<em class="replaceable"><code>integer</code></em>;<br>
response-padding{<em class="replaceable"><code>address_match_element</code></em>;...}block-size<br> response-padding{<em class="replaceable"><code>address_match_element</code></em>;...}block-size<br>
<em class="replaceable"><code>integer</code></em>;<br> <em class="replaceable"><code>integer</code></em>;<br>
response-policy{zone<em class="replaceable"><code>string</code></em>[log<em class="replaceable"><code>boolean</code></em>][max-policy-ttl<br> response-policy{zone<em class="replaceable"><code>string</code></em>[add-soa<em class="replaceable"><code>boolean</code></em>][log<br>
<em class="replaceable"><code>ttlval</code></em>][min-update-interval<em class="replaceable"><code>ttlval</code></em>][policy(cname|<br> <em class="replaceable"><code>boolean</code></em>][max-policy-ttl<em class="replaceable"><code>ttlval</code></em>][min-update-interval<br>
disabled|drop|given|no-op|nodata|nxdomain|passthru<br> <em class="replaceable"><code>ttlval</code></em>][policy(cname|disabled|drop|given|no-op|<br>
|tcp-only<em class="replaceable"><code>quoted_string</code></em>)][recursive-only<em class="replaceable"><code>boolean</code></em>][<br> nodata|nxdomain|passthru|tcp-only<em class="replaceable"><code>quoted_string</code></em>)][<br>
nsip-enable<em class="replaceable"><code>boolean</code></em>][nsdname-enable<em class="replaceable"><code>boolean</code></em>];...}[<br> recursive-only<em class="replaceable"><code>boolean</code></em>][nsip-enable<em class="replaceable"><code>boolean</code></em>][<br>
nsdname-enable<em class="replaceable"><code>boolean</code></em>];...}[add-soa<em class="replaceable"><code>boolean</code></em>][<br>
break-dnssec<em class="replaceable"><code>boolean</code></em>][max-policy-ttl<em class="replaceable"><code>ttlval</code></em>][<br> break-dnssec<em class="replaceable"><code>boolean</code></em>][max-policy-ttl<em class="replaceable"><code>ttlval</code></em>][<br>
min-update-interval<em class="replaceable"><code>ttlval</code></em>][min-ns-dots<em class="replaceable"><code>integer</code></em>][<br> min-update-interval<em class="replaceable"><code>ttlval</code></em>][min-ns-dots<em class="replaceable"><code>integer</code></em>][<br>
nsip-wait-recurse<em class="replaceable"><code>boolean</code></em>][qname-wait-recurse<em class="replaceable"><code>boolean</code></em>]<br> nsip-wait-recurse<em class="replaceable"><code>boolean</code></em>][qname-wait-recurse<em class="replaceable"><code>boolean</code></em>]<br>
...@@ -461,8 +463,7 @@ options ...@@ -461,8 +463,7 @@ options
</div> </div>
<div class="refsection"> <div class="refsection">
<a name="id-1.17"></a><h2>PLUGIN</h2> <a name="id-1.18"></a><h2>PLUGIN</h2>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
plugin(query)<em class="replaceable"><code>string</code></em>[{<em class="replaceable"><code>unspecified-text</code></em><br> plugin(query)<em class="replaceable"><code>string</code></em>[{<em class="replaceable"><code>unspecified-text</code></em><br>
}];<br> }];<br>
...@@ -470,8 +471,7 @@ plugin ...@@ -470,8 +471,7 @@ plugin
</div> </div>
<div class="refsection"> <div class="refsection">
<a name="id-1.18"></a><h2>SERVER</h2> <a name="id-1.19"></a><h2>SERVER</h2>
<div class="literallayout"><p><br> <div class="literallayout"><p><br>
server<em class="replaceable"><code>netprefix</code></em>{<br> server<em class="replaceable"><code>netprefix</code></em>{<br>
bogus<em class="replaceable"><code>boolean</code></em>;<br> bogus<em class="replaceable"><code>boolean</code></em>;<br>
...@@ -509,8 +509,7 @@ server ...@@ -509,8 +509,7 @@ server
</div>