Commit 98eda76e authored by Tinderbox User

Merge branch 'prep-release'

parents 4b4f33e6 2e637325
--- 9.15.2 released ---
5263. [cleanup] Use atomics and isc_refcount_t wherever possible.
[GL #1038]
......
......@@ -139,7 +139,7 @@ make depend. If you're using Emacs, you might find make tags helpful.
Several environment variables that can be set before running configure
will affect compilation:
Variable Description
Variable Description
CC The C compiler to use. configure tries to figure out the
right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as
......@@ -291,7 +291,7 @@ development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
Category Description
Category Description
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
......@@ -342,21 +342,23 @@ Acknowledgments
* The original development of BIND 9 was underwritten by the following
organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)
......@@ -86,6 +86,11 @@ Check "core" configuration only\&. This suppresses the loading of plugin modules
statements to be ignored\&.
.RE
.PP
\-i
.RS 4
Ignore warnings on deprecated options\&.
.RE
.PP
\-p
.RS 4
Print out the
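Review bot: The new \-i entry says only "Ignore warnings on deprecated options" and leaves open whether the flag changes the exit status or only suppresses the messages. Please state explicitly whether errors are still reported when \-i is given, so that someone adding it to an automated configuration check knows what is being hidden, especially now that this same commit marks managed-keys, trusted-keys and dnssec-lookaside as deprecated.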
......
......@@ -96,6 +96,12 @@
<span class="command"><strong>plugin</strong></span> statements to be ignored.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd>
<p>
Ignore warnings on deprecated options.
</p>
</dd>
<dt><span class="term">-p</span></dt>
<dd>
<p>
......
......@@ -92,8 +92,7 @@ to generate TSIG keys\&.
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
\fB\-f KSK\fR) default to 2048 bits\&.
If the key size is not specified, some algorithms have pre\-defined defaults\&. For instance, RSA keys have a default size of 2048 bits\&.
.RE
.PP
\-C
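Review bot: The replacement sentence ("RSA keys have a default size of 2048 bits") drops the ZSK/KSK distinction that the removed lines spelled out, so a reader cannot tell that the zone-signing-key default moved from 1024 to 2048 bits. Suggest saying that the 2048-bit default applies to both zone signing keys and keys generated with \-f KSK, because operators who rely on the default will get larger RSA signatures after upgrading.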
......
......@@ -145,10 +145,8 @@
</p>
<p>
If the key size is not specified, some algorithms have
pre-defined defaults. For example, RSA keys for use as
DNSSEC zone signing keys have a default size of 1024 bits;
RSA keys for use as key signing keys (KSKs, generated with
<code class="option">-f KSK</code>) default to 2048 bits.
pre-defined defaults. For instance, RSA keys have a default
size of 2048 bits.
</p>
</dd>
<dt><span class="term">-C</span></dt>
......
......@@ -10,12 +10,12 @@
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2019-05-10
.\" Date: 2019-06-28
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\&.CONF" "5" "2019\-05\-10" "ISC" "BIND9"
.TH "NAMED\&.CONF" "5" "2019\-06\-28" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......@@ -163,15 +163,16 @@ logging {
.\}
.SH "MANAGED-KEYS"
.PP
See DNSSEC\-KEYS\&.
Deprecated \- see DNSSEC\-KEYS\&.
.sp
.if n \{\
.RS 4
.\}
.nf
managed\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };
managed\-keys { \fIstring\fR ( static\-key
| initial\-key ) \fIinteger\fR
\fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. }; deprecated
.fi
.if n \{\
.RE
......@@ -241,7 +242,6 @@ options {
check\-spf ( warn | ignore );
check\-srv\-cname ( fail | warn | ignore );
check\-wildcard \fIboolean\fR;
cleaning\-interval \fIinteger\fR;
clients\-per\-query \fIinteger\fR;
cookie\-algorithm ( aes | sha1 | sha256 );
cookie\-secret \fIstring\fR;
......@@ -274,8 +274,9 @@ options {
dnssec\-accept\-expired \fIboolean\fR;
dnssec\-dnskey\-kskonly \fIboolean\fR;
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR trust\-anchor
\fIstring\fR | auto | no );
dnssec\-lookaside ( \fIstring\fR
trust\-anchor \fIstring\fR |
auto | no ); deprecated
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
......@@ -576,7 +577,7 @@ Deprecated \- see DNSSEC\-KEYS\&.
.nf
trusted\-keys { \fIstring\fR \fIinteger\fR
\fIinteger\fR \fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };, deprecated
\fIquoted_string\fR; \&.\&.\&. }; deprecated
.fi
.if n \{\
.RE
......@@ -626,7 +627,6 @@ view \fIstring\fR [ \fIclass\fR ] {
check\-spf ( warn | ignore );
check\-srv\-cname ( fail | warn | ignore );
check\-wildcard \fIboolean\fR;
cleaning\-interval \fIinteger\fR;
clients\-per\-query \fIinteger\fR;
deny\-answer\-addresses { \fIaddress_match_element\fR; \&.\&.\&. } [
except\-from { \fIstring\fR; \&.\&.\&. } ];
......@@ -661,8 +661,9 @@ view \fIstring\fR [ \fIclass\fR ] {
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
dnssec\-loadkeys\-interval \fIinteger\fR;
dnssec\-lookaside ( \fIstring\fR trust\-anchor
\fIstring\fR | auto | no );
dnssec\-lookaside ( \fIstring\fR
trust\-anchor \fIstring\fR |
auto | no ); deprecated
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-secure\-to\-insecure \fIboolean\fR;
dnssec\-update\-mode ( maintain | no\-resign );
......@@ -697,9 +698,11 @@ view \fIstring\fR [ \fIclass\fR ] {
key\-directory \fIquoted_string\fR;
lame\-ttl \fIttlval\fR;
lmdb\-mapsize \fIsizeval\fR;
managed\-keys { \fIstring\fR ( static\-key |
initial\-key ) \fIinteger\fR \fIinteger\fR
\fIinteger\fR \fIquoted_string\fR; \&.\&.\&. };
managed\-keys { \fIstring\fR (
static\-key | initial\-key
) \fIinteger\fR \fIinteger\fR
\fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. }; deprecated
masterfile\-format ( map | raw | text );
masterfile\-style ( full | relative );
match\-clients { \fIaddress_match_element\fR; \&.\&.\&. };
......@@ -852,7 +855,7 @@ view \fIstring\fR [ \fIclass\fR ] {
trusted\-keys { \fIstring\fR
\fIinteger\fR \fIinteger\fR
\fIinteger\fR
\fIquoted_string\fR; \&.\&.\&. };, deprecated
\fIquoted_string\fR; \&.\&.\&. }; deprecated
try\-tcp\-refresh \fIboolean\fR;
update\-check\-ksk \fIboolean\fR;
use\-alt\-transfer\-source \fIboolean\fR;
......
......@@ -142,11 +142,12 @@ logging
<div class="refsection">
<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
<p>See DNSSEC-KEYS.</p>
<p>Deprecated - see DNSSEC-KEYS.</p>
<div class="literallayout"><p><br>
managed-keys{<em class="replaceable"><code>string</code></em>(static-key|<br>
initial-key)<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};<br>
managed-keys{<em class="replaceable"><code>string</code></em>(static-key<br>
|initial-key)<em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};deprecated<br>
</p></div>
</div>
......@@ -208,7 +209,6 @@ options
check-spf(warn|ignore);<br>
check-srv-cname(fail|warn|ignore);<br>
check-wildcard<em class="replaceable"><code>boolean</code></em>;<br>
cleaning-interval<em class="replaceable"><code>integer</code></em>;<br>
clients-per-query<em class="replaceable"><code>integer</code></em>;<br>
cookie-algorithm(aes|sha1|sha256);<br>
cookie-secret<em class="replaceable"><code>string</code></em>;<br>
......@@ -241,8 +241,9 @@ options
dnssec-accept-expired<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-dnskey-kskonly<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-loadkeys-interval<em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside(<em class="replaceable"><code>string</code></em>trust-anchor<br>
<em class="replaceable"><code>string</code></em>|auto|no);<br>
dnssec-lookaside(<em class="replaceable"><code>string</code></em><br>
trust-anchor<em class="replaceable"><code>string</code></em>|<br>
auto|no);deprecated<br>
dnssec-must-be-secure<em class="replaceable"><code>string</code></em><em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode(maintain|no-resign);<br>
......@@ -526,7 +527,7 @@ statistics-channels
<div class="literallayout"><p><br>
trusted-keys{<em class="replaceable"><code>string</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};,deprecated<br>
<em class="replaceable"><code>quoted_string</code></em>;...};deprecated<br>
</p></div>
</div>
......@@ -572,7 +573,6 @@ view
check-spf(warn|ignore);<br>
check-srv-cname(fail|warn|ignore);<br>
check-wildcard<em class="replaceable"><code>boolean</code></em>;<br>
cleaning-interval<em class="replaceable"><code>integer</code></em>;<br>
clients-per-query<em class="replaceable"><code>integer</code></em>;<br>
deny-answer-addresses{<em class="replaceable"><code>address_match_element</code></em>;...}[<br>
except-from{<em class="replaceable"><code>string</code></em>;...}];<br>
......@@ -607,8 +607,9 @@ view
initial-key)<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>quoted_string</code></em>;...};<br>
dnssec-loadkeys-interval<em class="replaceable"><code>integer</code></em>;<br>
dnssec-lookaside(<em class="replaceable"><code>string</code></em>trust-anchor<br>
<em class="replaceable"><code>string</code></em>|auto|no);<br>
dnssec-lookaside(<em class="replaceable"><code>string</code></em><br>
trust-anchor<em class="replaceable"><code>string</code></em>|<br>
auto|no);deprecated<br>
dnssec-must-be-secure<em class="replaceable"><code>string</code></em><em class="replaceable"><code>boolean</code></em>;<br>
dnssec-secure-to-insecure<em class="replaceable"><code>boolean</code></em>;<br>
dnssec-update-mode(maintain|no-resign);<br>
......@@ -643,9 +644,11 @@ view
key-directory<em class="replaceable"><code>quoted_string</code></em>;<br>
lame-ttl<em class="replaceable"><code>ttlval</code></em>;<br>
lmdb-mapsize<em class="replaceable"><code>sizeval</code></em>;<br>
managed-keys{<em class="replaceable"><code>string</code></em>(static-key|<br>
initial-key)<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>quoted_string</code></em>;...};<br>
managed-keys{<em class="replaceable"><code>string</code></em>(<br>
static-key|initial-key<br>
)<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};deprecated<br>
masterfile-format(map|raw|text);<br>
masterfile-style(full|relative);<br>
match-clients{<em class="replaceable"><code>address_match_element</code></em>;...};<br>
......@@ -798,7 +801,7 @@ view
trusted-keys{<em class="replaceable"><code>string</code></em><br>
<em class="replaceable"><code>integer</code></em><em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>quoted_string</code></em>;...};,deprecated<br>
<em class="replaceable"><code>quoted_string</code></em>;...};deprecated<br>
try-tcp-refresh<em class="replaceable"><code>boolean</code></em>;<br>
update-check-ksk<em class="replaceable"><code>boolean</code></em>;<br>
use-alt-transfer-source<em class="replaceable"><code>boolean</code></em>;<br>
......
......@@ -516,11 +516,7 @@ timer\&.
.RS 4
Dump the security roots (i\&.e\&., trust anchors configured via
\fBdnssec\-keys\fR
statements, or the synonymous
\fBmanaged\-keys\fR
or the deprecated
\fBtrusted\-keys\fR
statements, or via
statements, or the managed\-keys or trusted\-keys statements (both deprecated), or via
\fBdnssec\-validation auto\fR) and negative trust anchors for the specified views\&. If no view is specified, all views are dumped\&. Security roots will indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query)\&.
.sp
If the first argument is "\-", then the output is returned via the
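Review bot: In the rewritten sentence, managed\-keys and trusted\-keys lost their \fB...\fR markup while dnssec\-keys and dnssec\-validation auto in the same sentence keep it. Statement names should be set consistently; keep the bold on both deprecated names, e.g. "or the \fBmanaged\-keys\fR or \fBtrusted\-keys\fR statements (both deprecated)". The HTML rendering of this paragraph shows the same loss of the command span.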
......
......@@ -653,9 +653,8 @@
<dd>
<p>
Dump the security roots (i.e., trust anchors
configured via <span class="command"><strong>dnssec-keys</strong></span> statements,
or the synonymous <span class="command"><strong>managed-keys</strong></span> or
the deprecated <span class="command"><strong>trusted-keys</strong></span> statements, or
configured via <span class="command"><strong>dnssec-keys</strong></span> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether
......
......@@ -850,7 +850,6 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
......@@ -1020,7 +1019,6 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
......@@ -1273,15 +1271,6 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
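Review bot: Dropping the \-runstatedir cases from the option parser here, together with the variable, its default and the --runstatedir=DIR help line in the neighbouring hunks, is a user-visible change to a generated file that nothing on the page explains. It reads as if configure was regenerated with a different Autoconf build than the previous one; builds that pass --runstatedir=DIR are no longer matched by this case statement, so either regenerate with the same tool used before or call the change out in the release notes.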
......@@ -1419,7 +1408,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir runstatedir
libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
......@@ -1572,7 +1561,6 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
......@@ -4013,7 +4001,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
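Review bot: In the LARGE_OFF_T definition, the replacement ((off_t) 1 << 62) uses a shift count larger than the width of the type when off_t is 32 bits, which is undefined behaviour in C, whereas the two-step form (((off_t) 1 << 31) << 31) never shifts by more than 31. This probe exists to detect a small off_t, so the two-step form is the safer one to ship. The same edit repeats in the four hunks that follow, which again suggests configure was regenerated with a different Autoconf rather than changed on purpose.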
......@@ -4059,7 +4047,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
......@@ -4083,7 +4071,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
......@@ -4128,7 +4116,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
......@@ -4152,7 +4140,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
......
......@@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
......@@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
......@@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
......@@ -1043,8 +1043,8 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
if at least one trust anchor has been explicitly configured
in <code class="filename">named.conf</code>
using a <span class="command"><strong>dnssec-keys</strong></span> statement (or the
synonymous <span class="command"><strong>managed-keys</strong></span> or the deprecated
<span class="command"><strong>trusted-keys</strong></span> statements).
<span class="command"><strong>managed-keys</strong></span> and <span class="command"><strong>trusted-keys</strong></span>
statements, both deprecated).
</p>
<p>
When <span class="command"><strong>dnssec-validation</strong></span> is set to
......@@ -2840,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
......@@ -894,8 +894,6 @@
keys are kept up to date using RFC 5011
trust anchor maintenance, and if used with
<span class="command"><strong>static-key</strong></span>, keys are permanent.
Identical to <span class="command"><strong>managed-keys</strong></span>,
but has been added for improved clarity.
</p>
</td>
</tr>
......@@ -905,8 +903,11 @@
</td>
<td>
<p>
is identical to <span class="command"><strong>dnssec-keys</strong></span>,
and is retained for backward compatibility.
is identical to <span class="command"><strong>dnssec-keys</strong></span>;
this option is deprecated in favor
of <span class="command"><strong>dnssec-keys</strong></span> with
the <span class="command"><strong>initial-key</strong></span> keyword,
and may be removed in a future release.
</p>
</td>
</tr>
......@@ -2429,7 +2430,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>check-spf</strong></span> ( warn | ignore );
<span class="command"><strong>check-srv-cname</strong></span> ( fail | warn | ignore );
<span class="command"><strong>check-wildcard</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>cleaning-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>cookie-algorithm</strong></span> ( aes | sha1 | sha256 );
<span class="command"><strong>cookie-secret</strong></span> <em class="replaceable"><code>string</code></em>;
......@@ -2462,8 +2462,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em> trust-anchor
<em class="replaceable"><code>string</code></em> | auto | no );
<span class="command"><strong>dnssec-lookaside</strong></span> ( <em class="replaceable"><code>string</code></em>
<span class="command"><strong>trust-anchor</strong></span> <em class="replaceable"><code>string</code></em> |
<span class="command"><strong>auto</strong></span> | no ); deprecated
<span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
......@@ -3015,14 +3016,19 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<dt><span class="term"><span class="command"><strong>geoip-directory</strong></span></span></dt>
<dd>
<p>
Specifies the directory containing GeoIP
<code class="filename">.dat</code> database files for GeoIP
initialization. By default, this option is unset
and the GeoIP support will use libGeoIP's
built-in directory.
(For details, see <a class="xref" href="Bv9ARM.ch05.html#acl" title="acl Statement Definition and Usage">the section called &#8220;<span class="command"><strong>acl</strong></span> Statement Definition and
Usage&#8221;</a> about the
<span class="command"><strong>geoip</strong></span> ACL.)
When <span class="command"><strong>named</strong></span> is compiled using the
MaxMind GeoIP2 geolocation API,
this specifies the directory containing GeoIP
database files. By default, the option is set based on
the prefix used to build the <span class="command"><strong>libmaxminddb</strong></span>
module: for example, if the library is installed in
<code class="filename">/usr/local/lib</code>, then the default
<span class="command"><strong>geoip-directory</strong></span> will be
<code class="filename">/usr/local/share/GeoIP</code>. On Windows,
the default is the <span class="command"><strong>named</strong></span> working
directory. See <a class="xref" href="Bv9ARM.ch05.html#acl" title="acl Statement Definition and Usage">the section called &#8220;<span class="command"><strong>acl</strong></span> Statement Definition and
Usage&#8221;</a> for details about
<span class="command"><strong>geoip</strong></span> ACLs.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
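Review bot: The rewritten geoip-directory paragraph is now conditional on "When named is compiled using the MaxMind GeoIP2 geolocation API" and no longer covers the libGeoIP .dat case that the removed text described, so a reader whose build lacks GeoIP2 cannot tell whether the option is ignored, rejected or still honoured. Add a sentence for that case. Separately, libmaxminddb is wrapped in the command span although the sentence calls it a module and a library; a plain or filename-style markup would fit better.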
......@@ -3434,10 +3440,11 @@ options {
as insecure.
</p>
<p>
Configured trust anchors in <span class="command"><strong>trusted-keys</strong></span>
or <span class="command"><strong>managed-keys</strong></span> that match a disabled
algorithm will be ignored and treated as if they were not
configured at all.
Configured trust anchors in <span class="command"><strong>dnssec-keys</strong></span>
(or <span class="command"><strong>managed-keys</strong></span> or
<span class="command"><strong>trusted-keys</strong></span>, both deprecated)
that match a disabled algorithm will be ignored and treated
as if they were not configured at all.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>disable-ds-digests</strong></span></span></dt>
......@@ -3475,6 +3482,9 @@ options {
<strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
is not used.
</p>
<p>
This option is deprecated and its use is discouraged.
</p>
<p>
NOTE: The ISC-provided DLV service at
<code class="literal">dlv.isc.org</code>, has been shut down.
......@@ -3773,6 +3783,8 @@ options {
<span class="command"><strong>zone-statistics terse</strong></span> or
<span class="command"><strong>zone-statistics none</strong></span>
in the <span class="command"><strong>zone</strong></span> statement).
These include, for example, DNSSEC signing operations
and the number of authoritative answers per query type.
The default is <strong class="userinput"><code>terse</code></strong>, providing
minimal statistics on zones (including name and
current serial number, but not query type
......@@ -4676,8 +4688,8 @@ options {
If set to <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is
enabled, but a trust anchor must be manually configured
using a <span class="command"><strong>dnssec-keys</strong></span> statement (or
the synonymous <span class="command"><strong>managed-keys</strong></span>, or the
deprecated <span class="command"><strong>trusted-keys</strong></span> statements).
the <span class="command"><strong>managed-keys</strong></span> or the
<span class="command"><strong>trusted-keys</strong></span> statements, both deprecated).
If there is no configured trust anchor, validation will
not take place.
</p>
......@@ -9007,9 +9019,10 @@ example.com CNAME rpz-tcp-only.
<div class="titlepage"><div><div><h3 class="title">
<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key |
<span class="command"><strong>initial-key</strong></span> ) <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... };
<span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>string</code></em> ( static-key
| initial-key ) <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated
</pre>
</div>
<div class="section">
......@@ -9018,9 +9031,9 @@ example.com CNAME rpz-tcp-only.
and Usage</h3></div></div></div>
<p>
The <span class="command"><strong>managed-keys</strong></span> statement is
identical to the <span class="command"><strong>dnssec-keys</strong></span>, and is
retained for backward compatibility.
The <span class="command"><strong>managed-keys</strong></span> statement has been
deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar&#8221;</a>
with the <span class="command"><strong>initial-key</strong></span> keyword.
</p>
</div>
......@@ -9030,7 +9043,7 @@ example.com CNAME rpz-tcp-only.
<pre class="programlisting">
<span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em>
<em class="replaceable"><code>quoted_string</code></em>; ... };, deprecated
<em class="replaceable"><code>quoted_string</code></em>; ... }; deprecated
</pre>
</div>
<div class="section">
......@@ -9041,7 +9054,7 @@ example.com CNAME rpz-tcp-only.
<p>
The <span class="command"><strong>trusted-keys</strong></span> statement has been
deprecated in favor of <a class="xref" href="Bv9ARM.ch05.html#dnssec_keys" title="dnssec-keys Statement Grammar">the section called &#8220;<span class="command"><strong>dnssec-keys</strong></span> Statement Grammar&#8221;</a>
with the <span class="command"><strong>static</strong></span> keyword.
with the <span class="command"><strong>static-key</strong></span> keyword.
</p>
</div>
......@@ -9674,9 +9687,8 @@ view "external" {
For validation to succeed, a key-signing key
(KSK) for the zone must be configured as a trust
anchor in <code class="filename">named.conf</code>: that
is, a key for the zone must either be specified
in <span class="command"><strong>managed-keys</strong></span> or
<span class="command"><strong>trusted-keys</strong></span>. In the case
is, a key for the zone must be specified in
<span class="command"><strong>dnssec-keys</strong></span>. In the case
of the root zone, you may also rely on the
built-in root trust anchor, which is enabled
when <a class="xref" href="Bv9ARM.ch05.html#dnssec_validation"><span class="command"><strong>dnssec-validation</strong></span></a> is set to the
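Review bot: This sentence now says a key for the zone "must be specified in dnssec-keys", while the dnssec-validation text changed elsewhere in this commit still lists managed-keys and trusted-keys as accepted, deprecated alternatives. Use the same parenthetical here ("or the managed-keys or trusted-keys statements, both deprecated") so that a reader with an existing trusted-keys block does not conclude that validation will stop working.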
......@@ -13515,6 +13527,15 @@ HOST-127.EXAMPLE. MX 0 .
<acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
</p>
<p>
Note: BIND statistics counters are signed 64-bit values on
all platforms except one: 32-bit Windows, where they are
signed 32-bit values. Given that 32-bit values have a
vastly smaller range than 64-bit values, BIND statistics
counters in 32-bit Windows builds overflow significantly
more quickly than on all other platforms.
</p>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="stats_counters"></a>Name Server Statistics Counters</h4></div></div></div>
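Review bot: The new note says counters in 32-bit Windows builds "overflow significantly more quickly" but does not say what a consumer of the statistics sees when that happens. Since the counters are described as signed, state the behaviour on overflow (for example, whether the value wraps to a negative number) so that monitoring built on these counters can recognise a wrap instead of reporting a sudden drop.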
......@@ -14913,6 +14934,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.1 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.2 (Development Release)</p>
</body>
</html>
......@@ -131,46 +131,45 @@ zone "example.com" {
to search for a match. Available fields are "country",
"region", "city", "continent", "postal" (postal code),
"metro" (metro code), "area" (area code), "tz" (timezone),
"isp", "org", "asnum", "domain" and "netspeed".
"isp", "asnum", and "domain".
</p>
<p>
<em class="replaceable"><code>value</code></em> is the value to search
for within the database. A string may be quoted if it
contains spaces or other special characters. If this is
an "asnum" search, then the leading "ASNNNN" string can be
used, otherwise the full description must be used (e.g.
"ASNNNN Example Company Name"). If this is a "country"
search and the string is two characters long, then it must
be a standard ISO-3166-1 two-letter country code, and if it
is three characters long then it must be an ISO-3166-1
three-letter country code; otherwise it is the full name
of the country. Similarly, if this is a "region" search
and the string is two characters long, then it must be a
standard two-letter state or province abbreviation;
otherwise it is the full name of the state or province.