Vendor import of Bind 9.8.5-P1

Approved by:	delphij (mentor)
Sponsored by:	DK Hostmaster A/S
This commit is contained in:
Erwin Lansing 2013-07-24 07:12:55 +00:00
parent 650b026006
commit 6f34f6a389
268 changed files with 30068 additions and 20465 deletions

428
CHANGES
View File

@ -1,20 +1,386 @@
--- 9.8.4-P2 released ---
--- 9.8.5-P1 released ---
3516. [security] Removed the check for regex.h in configure in order
to disable regex syntax checking, as it exposes
BIND to a critical flaw in libregex on some
platforms. [RT #32688]
3584. [security] Caching data from an incompletely signed zone could
trigger an assertion failure in resolver.c [RT #33690]
--- 9.8.4-P1 released ---
--- 9.8.5 released ---
3407. [security] Named could die on specific queries with dns64 enabled.
[Addressed in change #3388 for BIND 9.8.5 and 9.9.3.]
3568. [cleanup] Add a product description line to the version file,
to be reported by named -v/-V. [RT #33366]
--- 9.8.4 released ---
3567. [bug] Silence clang static analyzer warnings. [RT #33365]
3563. [contrib] zone2sqlite failed with some table names. [RT #33375]
3561. [bug] dig: issue a warning if an EDNS query returns FORMERR
or NOTIMP. Adjust usage message. [RT #33363]
--- 9.8.5rc1 released ---
3560. [bug] isc-config.sh did not honor includedir and libdir
when set via configure. [RT #33345]
3559. [func] Check that both forms of Sender Policy Framework
records exist or do not exist. [RT #33355]
3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331]
3556. [maint] Added AAAA for D.ROOT-SERVERS.NET.
3555. [bug] Address theoretical race conditions in acache.c
(change #3553 was incomplete). [RT #33252]
3553. [bug] Address suspected double free in acache. [RT #33252]
3552. [bug] Wrong getopt option string for 'nsupdate -r'.
[RT #33280]
3549. [doc] Documentation for "request-nsid" was missing.
[RT #33153]
3548. [bug] The NSID request code in resolver.c was broken
resulting in invalid EDNS options being sent.
[RT #33153]
3547. [bug] Some malformed unknown rdata records were not properly
detected and rejected. [RT #33129]
3056. [func] Added support for URI resource record. [RT #23386]
--- 9.8.5rc1 released ---
3546. [func] Add EUI48 and EUI64 types. [RT #33082]
3544. [contrib] check5011.pl: Script to report the status of
managed keys as recorded in managed-keys.bind.
Contributed by Tony Finch <dot@dotat.at>
3543. [bug] Update socket structure before attaching to socket
manager after accept. [RT #33084]
3542. [bug] masterformat system test was broken. [RT #33086]
3541. [bug] Parts of libdns were not properly initialized when
built in libexport mode. [RT #33028]
3540. [test] libt_api: t_info and t_assert were not thread safe.
3539. [port] win32: timestamp format didn't match other platforms.
3538. [test] Running "make test" now requires loopback interfaces
to be set up. [RT #32452]
3537. [tuning] Slave zones, when updated, now send NOTIFY messages
to peers before being dumped to disk rather than
after. [RT #27242]
3535. [bug] Minor win32 cleanups. [RT #32962]
3534. [bug] Extra text after an embedded NULL was ignored when
parsing zone files. [RT #32699]
3533. [contrib] query-loc-0.4.0: memory leaks. [RT #32960]
3532. [contrib] zkt: fixed buffer overrun, resource leaks. [RT #32960]
3531. [bug] win32: A uninitialized value could be returned on out
of memory. [RT #32960]
3530. [contrib] Better RTT tracking in queryperf. [RT #30128]
3526. [cleanup] Set up dependencies for unit tests correctly during
build. [RT #32803]
3521. [bug] Address memory leak in opensslecdsa_link.c. [RT #32249]
3520. [bug] 'mctx' was not being referenced counted in some places
where it should have been. [RT #32794]
--- 9.8.5b2 released ---
3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777]
3515. [port] '%T' is not portable in strftime(). [RT #32763]
3514. [bug] The ranges for valid key sizes in ddns-confgen and
rndc-confgen were too constrained. Keys up to 512
bits are now allowed for most algorithms, and up
to 1024 bits for hmac-sha384 and hmac-sha512.
[RT #32753]
3509. [cleanup] Added a product line to version file to allow for
easy naming of different products (BIND
vs BIND ESV, for example). [RT #32755]
3508. [contrib] queryperf was incorrectly rejecting the -T option.
[RT #32338]
3503. [doc] Clarify size_spec syntax. [RT #32449]
3500. [security] Support NAPTR regular expression validation on
all platforms without using libregex, which
can be vulnerable to memory exhaustion attack
(CVE-2013-2266). [RT #32688]
3499. [doc] Corrected ARM documentation of built-in zones.
[RT #32694]
3498. [bug] zone statistics for zones which matched a potential
empty zone could have their zone-statistics setting
overridden.
3496. [func] Improvements to RPZ performance. The "response-policy"
syntax now includes a "min-ns-dots" clause, with
default 1, to exclude top-level domains from
NSIP and NSDNAME checking. --enable-rpz-nsip and
--enable-rpz-nsdname are now the default. [RT #32251]
3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT.
When cloning a rdataset do not copy the link contents.
[RT #32651]
3488. [bug] Use after free error with DH generated keys. [RT #32649]
3487. [bug] Change 3444 was not complete. There was a additional
place where the NOQNAME proof needed to be saved.
[RT #32629]
3486. [bug] named could crash when using TKEY-negotiated keys
that had been deleted and then recreated. [RT #32506]
3485. [cleanup] Only compile openssl_gostlink.c if we support GOST.
3481. [cleanup] Removed use of const const in atf.
3479. [bug] Address potential memory leaks in gssapi support
code. [RT #32405]
3478. [port] Fix a build failure in strict C99 environments
[RT #32475]
3474. [bug] nsupdate could assert when the local and remote
address families didn't match. [RT #22897]
3470. [bug] Slave zones could fail to dump when successfully
refreshing after an initial failure. [RT #31276]
--- 9.8.5b1 released ---
3468. [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64 (CVE-2012-5689). [RT #32141]
3467. [bug] Added checks in dnssec-keygen and dnssec-settime
to check for delete date < inactive date. [RT #31719]
3465. [bug] Handle isolated reserved ports. [RT #31778]
3464. [maint] Updates to PKCS#11 openssl patches, supporting
versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
3463. [doc] Clarify managed-keys syntax in ARM. [RT #32232]
3462. [doc] Clarify server selection behavior of dig when using
-4 or -6 options. [RT #32181]
3461. [bug] Negative responses could incorrectly have AD=1
set. [RT #32237]
3458. [bug] Return FORMERR when presented with a overly long
domain named in a request. [RT #29682]
3457. [protocol] Add ILNP records (NID, LP, L32, L64). [RT #31836]
3456. [port] g++47: ATF failed to compile. [RT #32012]
3455. [contrib] queryperf: fix getopt option list. [RT #32338]
3454. [port] sparc64: improve atomic support. [RT #25182]
3452. [bug] Accept duplicate singleton records. [RT #32329]
3451. [port] Increase per thread stack size from 64K to 1M.
[RT #32230]
3450. [bug] Stop logfileconfig system test spam system logs.
[RT #32315]
3449. [bug] gen.c: use the pre-processor to construct format
strings so that compiler can perform sanity checks;
check the snprintf results. [RT #17576]
3448. [bug] The allow-query-on ACL was not processed correctly.
[RT #29486]
3447. [port] Add support for libxml2-2.9.x [RT #32231]
3446. [port] win32: Add source ID (see change #3400) to build.
[RT #31683]
3445. [bug] Warn about zone files with blank owner names
immediately after $ORIGIN directives. [RT #31848]
3444. [bug] The NOQNAME proof was not being returned from cached
insecure responses. [RT #21409]
3443. [bug] ddns-confgen: Some TSIG algorithms were incorrectly
rejected when generating keys. [RT #31927]
3442. [port] Net::DNS 0.69 introduced a non backwards compatible
change. [RT #32216]
3441. [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
3440. [bug] Reorder get_key_struct to not trigger a assertion when
cleaning up due to out of memory error. [RT #32131]
3439. [bug] contrib/dlz error checking fixes. [RT #32102]
3438. [bug] Don't accept unknown data escape in quotes. [RT #32031]
3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialize
buffers with constant data. [RT #32064]
3436. [bug] Check malloc/calloc return values. [RT #32088]
3435. [bug] Cross compilation support in configure was broken.
[RT #32078]
3431. [bug] ddns-confgen: Some valid key algorithms were
not accepted. [RT #31927]
3430. [bug] win32: isc_time_formatISO8601 was missing the
'T' between the date and time. [RT #32044]
3429. [bug] dns_zone_getserial2 could a return success without
returning a valid serial. [RT #32007]
3428. [cleanup] dig: Add timezone to date output. [RT #2269]
3427. [bug] dig +trace incorrectly displayed name server
addresses instead of names. [RT #31641]
3425. [bug] "acacheentry" reference counting was broken resulting
in use after free. [RT #31908]
3422. [bug] Added a clear error message for when the SOA does not
match the referral. [RT #31281]
3421. [bug] Named loops when re-signing if all keys are offline.
[RT #31916]
3420. [bug] Address VPATH compilation issues. [RT #31879]
3419. [bug] Memory leak on validation cancel. [RT #31869]
3415. [bug] named could die with a REQUIRE failure if a validation
was canceled. [RT #31804]
3412. [bug] Copy timeval structure from control message data.
[RT #31548]
3411. [tuning] Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
to UDP. [RT #31690]
3410. [bug] Addressed Coverity warnings. [RT #31626]
3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
from X.509 certificates, for use with DANE
(DNS-based Authentication of Named Entities).
[RT #30513]
3406. [bug] mem.c: Fix compilation errors when building with
ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
3405. [bug] Handle time going backwards in acache. [RT #31253]
3404. [bug] dnssec-signzone: When re-signing a zone, remove
RRSIG and NSEC records from nodes that used to be
in-zone but are now below a zone cut. [RT #31556]
3403. [bug] Silence noisy OpenSSL logging. [RT #31497]
3402. [test] The IPv6 interface numbers used for system
tests were incorrect on some platforms. [RT #25085]
3401. [bug] Addressed Coverity warnings. [RT #31484]
3400. [cleanup] "named -V" can now report a source ID string, defined
in the "srcid" file in the build tree and normally set
to the most recent git hash. [RT #31494]
3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298]
3396. [bug] OPT records were incorrectly removed from signed,
truncated responses. [RT #31439]
3395. [protocol] Add RFC 6598 reverse zones to built in empty zones
list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
[RT #31336]
3394. [bug] Adjust 'successfully validated after lower casing
signer' log level and category. [RT #31414]
3393. [bug] 'host -C' could core dump if REFUSED was received.
[RT #31381]
3391. [bug] A DNSKEY lookup that encountered a CNAME failed.
[RT #31262]
3390. [bug] Silence clang compiler warnings. [RT #30417]
3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
3388. [bug] Fixed several Coverity warnings.
Note: This change includes a fix for a bug that
was subsequently determined to be an exploitable
security vulnerability, CVE-2012-5688: named could
die on specific queries with dns64 enabled.
[RT #30996]
3386. [bug] Address locking violation when generating new NSEC /
NSEC3 chains. [RT #31224]
3384. [bug] Improved logging of crypto errors. [RT #30963]
3383. [security] A certain combination of records in the RBT could
cause named to hang while populating the additional
section of a response. [RT #31090]
cause named to hang while populating the additional
section of a response. [RT #31090]
3382. [bug] SOA query from slave used use-v6-udp-ports range,
if set, regardless of the address family in use.
[RT #24173]
3381. [contrib] Update queryperf to support more RR types.
[RT #30762]
3380. [bug] named could die if a nonexistent master list was
referenced in a also-notify. [RT #31004]
3379. [bug] isc_interval_zero and isc_time_epoch should be
"const (type)* const". [RT #31069]
3378. [bug] Handle missing 'managed-keys-directory' better.
[RT #30625]
3376. [bug] Lack of EDNS support was being recorded without a
successful response. [RT #30811]
3375. [func] Check that 'rndc dumpdb' works on a empty cache.
[RT #30808]
3374. [bug] isc_parse_uint32 failed to return a range error on
systems with 64 bit longs. [RT #30232]
3372. [bug] Silence spurious "deleted from unreachable cache"
messages. [RT #30501]
3371. [bug] AD=1 should behave like DO=1 when deciding whether to
add NS RRsets to the additional section or not.
[RT #30479]
--- 9.8.4 released ---
3373. [bug] win32: open raw files in binary mode. [RT #30944]
@ -135,11 +501,11 @@
--- 9.8.3 released ---
3318. [tuning] Reduce the amount of work performed while holding a
bucket lock when finshed with a fetch context.
bucket lock when finished with a fetch context.
[RT #29239]
3314. [bug] The masters list could be updated while refesh_callback
and stub_callback were using it. [RT #26732]
3314. [bug] The masters list could be updated while stub_callback
or refresh_callback were using it. [RT #26732]
3313. [protocol] Add TLSA record type. [RT #28989]
@ -151,7 +517,7 @@
3310. [test] Increase table size for mutex profiling. [RT #28809]
3309. [bug] resolver.c:fctx_finddone() was not threadsafe.
3309. [bug] resolver.c:fctx_finddone() was not thread safe.
[RT #27995]
3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
@ -328,7 +694,7 @@
3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
3231. [bug] named could fail to send a uncompressable zone.
3231. [bug] named could fail to send a incompressible zone.
[RT #26796]
3230. [bug] 'dig axfr' failed to properly handle a multi-message
@ -345,7 +711,7 @@
3226. [bug] Address minor resource leakages. [RT #26624]
3221. [bug] Fixed a potential coredump on shutdown due to
3221. [bug] Fixed a potential core dump on shutdown due to
referencing fetch context after it's been freed.
[RT #26720]
@ -369,7 +735,7 @@
3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
3208. [bug] 'dig -y' handle unknown tsig alorithm better.
3208. [bug] 'dig -y' handle unknown tsig algorithm better.
[RT #25522]
3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
@ -672,7 +1038,7 @@
3077. [bug] zone.c:zone_refreshkeys() incorrectly called
dns_zone_attach(), use zone->irefs instead. [RT #23303]
3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistant
3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistent
timestamp when determining which keys are active.
[RT #23642]
@ -686,7 +1052,7 @@
3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
[RT #20256]
3071. [bug] has_nsec could be used unintialised in
3071. [bug] has_nsec could be used uninitialized in
update.c:next_active. [RT #20256]
3070. [bug] dnssec-signzone potential NULL pointer dereference.
@ -732,7 +1098,7 @@
3052. [test] Fixed last autosign test report. [RT #23256]
3051. [bug] NS records obsure DNAME records at the bottom of the
3051. [bug] NS records obscure DNAME records at the bottom of the
zone if both are present. [RT #23035]
3050. [bug] The autosign system test was timing dependent.
@ -742,7 +1108,7 @@
3049. [bug] Save and restore the gid when creating creating
named.pid at startup. [RT #23290]
3048. [bug] Fully separate view key mangement. [RT #23419]
3048. [bug] Fully separate view key management. [RT #23419]
3047. [bug] DNSKEY NODATA responses not cached fixed in
validator.c. Tests added to dnssec system test.
@ -1079,7 +1445,7 @@
no data response. [RT #21744]
2952. [port] win32: named-checkzone and named-checkconf failed
to initialise winsock. [RT #21932]
to initialize winsock. [RT #21932]
2951. [bug] named failed to generate a correct signed response
in a optout, delegation only zone with no secure
@ -1125,7 +1491,7 @@
in use. [RT# 21868]
2938. [bug] When generating signed responses, from a signed zone
that uses NSEC3, named would use a uninitialised
that uses NSEC3, named would use a uninitialized
pointer if it needed to skip a NSEC3 record because
it didn't match the selected NSEC3PARAM record for
zone. [RT# 21868]
@ -1179,7 +1545,7 @@
revisit the issue and complete the fix later.
[RT #21710]
2930. [experimental] New "rndc addzone" and "rndc delzone" commads
2930. [experimental] New "rndc addzone" and "rndc delzone" commands
allow dynamic addition and deletion of zones.
To enable this feature, specify a "new-zone-file"
option at the view or options level in named.conf.
@ -1355,7 +1721,7 @@
successfully responds to the query using plain DNS.
[RT #20930]
2873. [bug] Cancelling a dynamic update via the dns/client module
2873. [bug] Canceling a dynamic update via the dns/client module
could trigger an assertion failure. [RT #21133]
2872. [bug] Modify dns/client.c:dns_client_createx() to only
@ -1397,7 +1763,7 @@
2860. [bug] named-checkconf's usage was out of date. [RT #21039]
2859. [bug] When cancelling validation it was possible to leak
2859. [bug] When canceling validation it was possible to leak
memory. [RT #20800]
2858. [bug] RTT estimates were not being adjusted on ICMP errors.
@ -1950,7 +2316,7 @@
2695. [func] DHCP/DDNS - update fdwatch code for use by
DHCP. Modify the api to isc_sockfdwatch_t (the
callback functon for isc_socket_fdwatchcreate)
callback function for isc_socket_fdwatchcreate)
to include information about the direction (read
or write) and add isc_socket_fdwatchpoke.
[RT #20253]
@ -2015,7 +2381,7 @@
sets the time when a key is no longer used for
signing but is still published.
- The "unpublished" date (-U) is deprecated in
favour of "deleted" (-D).
favor of "deleted" (-D).
[RT #20247]
2676. [bug] --with-export-installdir should have been
@ -2461,7 +2827,7 @@
2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
2552. [bug] zero-no-soa-ttl-cache was not being honoured.
2552. [bug] zero-no-soa-ttl-cache was not being honored.
[RT #19340]
2551. [bug] Potential Reference leak on return. [RT #19341]
@ -2514,7 +2880,7 @@
2534. [func] Check NAPTR records regular expressions and
replacement strings to ensure they are syntactically
valid and consistant. [RT #18168]
valid and consistent. [RT #18168]
2533. [doc] ARM: document @ (at-sign). [RT #17144]

View File

@ -1,4 +1,4 @@
Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any

4
FAQ
View File

@ -1,6 +1,6 @@
Frequently Asked Questions about BIND 9
Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2000-2003 Internet Software Consortium.
@ -869,7 +869,7 @@ A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
key "rndc-key" {
algorithm hmac-md5;
algorithm hmac-sha256;
secret "uvceheVuqf17ZwIcTydddw==";
};

View File

@ -1,7 +1,7 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -30,6 +30,7 @@
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@ -1564,7 +1565,7 @@ rand_irqs="3 14 15"</programlisting>
<informalexample>
<programlisting>
key "rndc-key" {
algorithm hmac-md5;
algorithm hmac-sha256;
secret "uvceheVuqf17ZwIcTydddw==";
};</programlisting>
</informalexample>

View File

@ -1,4 +1,4 @@
# Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -61,9 +61,21 @@ tags:
rm -f TAGS
find lib bin -name "*.[ch]" -print | @ETAGS@ -
check: test
test check:
@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>&- || echo fail`"; then \
echo I: NOTE: The tests were not run because they require that; \
echo I: the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
echo I: as alias addresses on the loopback interface. Please run; \
echo I: \'bin/tests/system/ifconfig.sh up\' as root to configure; \
echo I: them, then rerun the tests. Run make force-test to run the; \
echo I: tests anyway.; \
exit 1; \
fi
${MAKE} test-force
test:
force-test: test-force
test-force:
status=0; \
(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
(test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1; \

5
README
View File

@ -51,6 +51,11 @@ BIND 9
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
BIND 9.8.5
BIND 9.8.5 includes several bug fixes and patches security
flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
BIND 9.8.4
BIND 9.8.4 includes several bug fixes and patches security

7
aclocal.m4 vendored
View File

@ -1,2 +1,5 @@
sinclude(./libtool.m4)dnl
sinclude(libtool.m4/libtool.m4)dnl
sinclude(libtool.m4/ltoptions.m4)dnl
sinclude(libtool.m4/ltsugar.m4)dnl
sinclude(libtool.m4/ltversion.m4)dnl
sinclude(libtool.m4/lt~obsolete.m4)dnl

View File

@ -1,4 +1,4 @@
# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2007, 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig dnssec tests tools nsupdate \
SUBDIRS = named rndc dig dnssec tools tests nsupdate \
check confgen @PKCS11_TOOLS@
TARGETS =

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -196,6 +196,10 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
a->type == dns_rdatatype_a);
REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
aaaa->type == dns_rdatatype_aaaa);
if (a == NULL || aaaa == NULL)
return (answer);
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
hints.ai_family = PF_UNSPEC;
@ -258,8 +262,7 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
}
return (ISC_TRUE);
}
if (a == NULL || aaaa == NULL)
return (answer);
/*
* Check that all glue records really exist.
*/
@ -597,7 +600,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
dns_zone_settype(zone, dns_zone_master);
isc_buffer_init(&buffer, zonename, strlen(zonename));
isc_buffer_constinit(&buffer, zonename, strlen(zonename));
isc_buffer_add(&buffer, strlen(zonename));
dns_fixedname_init(&fixorigin);
origin = dns_fixedname_name(&fixorigin);

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007, 2009-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -294,6 +294,18 @@ configure_zone(const char *vclass, const char *view,
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
}
obj = NULL;
if (get_maps(maps, "check-spf", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKSPF;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options &= ~DNS_ZONEOPT_CHECKSPF;
} else
INSIST(0);
} else {
zone_options |= DNS_ZONEOPT_CHECKSPF;
}
obj = NULL;
if (get_checknames(maps, &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
@ -471,6 +483,7 @@ main(int argc, char **argv) {
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* FALLTHROUGH */
case 'h':
usage();

View File

@ -1,4 +1,4 @@
.\" Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@ -33,9 +33,9 @@
named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP 16
\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
.HP 18
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkzone\fR
@ -236,6 +236,14 @@ Chroot to
so that include directives in the configuration file are processed as if run by a similarly chrooted named.
.RE
.PP
\-T \fImode\fR
.RS 4
Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are
\fB"warn"\fR
(default),
\fB"ignore"\fR.
.RE
.PP
\-w \fIdirectory\fR
.RS 4
chdir to
@ -281,7 +289,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004\-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004\-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -145,19 +145,21 @@ main(int argc, char **argv) {
if (progmode == progmode_compile) {
zone_options |= (DNS_ZONEOPT_CHECKNS |
DNS_ZONEOPT_FATALNS |
DNS_ZONEOPT_CHECKSPF |
DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKNAMESFAIL |
DNS_ZONEOPT_CHECKWILDCARD);
} else
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options |= (DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKSPF);
#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
isc_commandline_errprint = ISC_FALSE;
while ((c = isc_commandline_parse(argc, argv,
"c:df:hi:jk:m:n:qr:s:t:o:vw:DF:M:S:W:"))
"c:df:hi:jk:m:n:qr:s:t:o:vw:DF:M:S:T:W:"))
!= EOF) {
switch (c) {
case 'c':
@ -363,6 +365,18 @@ main(int argc, char **argv) {
}
break;
case 'T':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKSPF;
} else if (ARGCMP("ignore")) {
zone_options &= ~DNS_ZONEOPT_CHECKSPF;
} else {
fprintf(stderr, "invalid argument to -T: %s\n",
isc_commandline_argument);
exit(1);
}
break;
case 'W':
if (ARGCMP("warn"))
zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
@ -374,6 +388,7 @@ main(int argc, char **argv) {
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
prog_name, isc_commandline_option);
/* FALLTHROUGH */
case 'h':
usage();

View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -38,6 +38,7 @@
<year>2007</year>
<year>2009</year>
<year>2010</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@ -75,6 +76,7 @@
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-D</option></arg>
<arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
@ -98,6 +100,7 @@
<arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-D</option></arg>
<arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
@ -379,6 +382,18 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if Sender Policy Framework records (TXT and SPF)
both exist or both don't exist. A warning is issued
if they don't match. Possible modes are
<command>"warn"</command> (default), <command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w <replaceable class="parameter">directory</replaceable></term>
<listitem>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -29,11 +29,11 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543696"></a><h2>DESCRIPTION</h2>
<a name="id2543716"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@ -53,7 +53,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543731"></a><h2>OPTIONS</h2>
<a name="id2543751"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@ -214,6 +214,13 @@
directives in the configuration file are processed as if
run by a similarly chrooted named.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Check if Sender Policy Framework records (TXT and SPF)
both exist or both don't exist. A warning is issued
if they don't match. Possible modes are
<span><strong class="command">"warn"</strong></span> (default), <span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
chdir to <code class="filename">directory</code> so that
@ -247,14 +254,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544446"></a><h2>RETURN VALUES</h2>
<a name="id2544422"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544458"></a><h2>SEE ALSO</h2>
<a name="id2544434"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@ -262,7 +269,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544491"></a><h2>AUTHOR</h2>
<a name="id2544603"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -126,13 +126,17 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
switch (alg) {
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
if (keysize < 1 || keysize > 512)
fatal("keysize %d out of range (must be 1-512)\n",
keysize);
break;
case DST_ALG_HMACSHA256:
if (keysize < 1 || keysize > 256)
fatal("keysize %d out of range (must be 1-256)\n",
case DST_ALG_HMACSHA384:
case DST_ALG_HMACSHA512:
if (keysize < 1 || keysize > 1024)
fatal("keysize %d out of range (must be 1-1024)\n",
keysize);
break;
default:

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004, 2005, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -140,8 +140,6 @@ main(int argc, char **argv) {
keysize = strtol(isc_commandline_argument, &p, 10);
if (*p != '\0' || keysize < 0)
fatal("-b requires a non-negative number");
if (keysize < 1 || keysize > 512)
fatal("-b must be in the range 1 through 512");
break;
case 'c':
keyfile = isc_commandline_argument;

View File

@ -1,4 +1,4 @@
.\" Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@ -57,7 +57,9 @@ allows multiple lookups to be issued from the command line.
Unless it is told to query a specific name server,
\fBdig\fR
will try each of the servers listed in
\fI/etc/resolv.conf\fR.
\fI/etc/resolv.conf\fR. If no usable server addreses are found,
\fBdig\fR
will send the query to the local host.
.PP
When no command line arguments or options are given,
\fBdig\fR
@ -95,13 +97,20 @@ is the name or IP address of the name server to query. This can be an IPv4 addre
\fIserver\fR
argument is a hostname,
\fBdig\fR
resolves that name before querying that name server. If no
resolves that name before querying that name server.
.sp
If no
\fIserver\fR
argument is provided,
\fBdig\fR
consults
\fI/etc/resolv.conf\fR
and queries the name servers listed there. The reply from the name server that responds is displayed.
\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found,
\fBdig\fR
will send the query to the local host. The reply from the name server that responds is displayed.
.RE
.PP
\fBname\fR
@ -567,7 +576,7 @@ RFC1035.
.PP
There are probably too many query options.
.SH "COPYRIGHT"
Copyright \(co 2004\-2010 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004\-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -186,7 +186,7 @@ help(void) {
" +domain=### (Set default domainname)\n"
" +bufsize=### (Set EDNS0 Max UDP packet size)\n"
" +ndots=### (Set NDOTS value)\n"
" +edns=### (Set EDNS version)\n"
" +[no]edns[=###] (Set EDNS version) [0]\n"
" +[no]search (Set whether to use searchlist)\n"
" +[no]showsearch (Search with intermediate results)\n"
" +[no]defname (Ditto)\n"
@ -240,6 +240,8 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
isc_uint64_t diff;
isc_time_t now;
time_t tnow;
struct tm tmnow;
char time_str[100];
char fromtext[ISC_SOCKADDR_FORMATSIZE];
isc_sockaddr_format(from, fromtext, sizeof(fromtext));
@ -251,7 +253,10 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
printf(";; Query time: %ld msec\n", (long int)diff/1000);
printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
time(&tnow);
printf(";; WHEN: %s", ctime(&tnow));
tmnow = *localtime(&tnow);
if (strftime(time_str, sizeof(time_str),
"%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
printf(";; WHEN: %s\n", time_str);
if (query->lookup->doing_xfr) {
printf(";; XFR size: %u records (messages %u, "
"bytes %" ISC_PRINT_QUADFORMAT "u)\n",
@ -259,7 +264,6 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
query->byte_count);
} else {
printf(";; MSG SIZE rcvd: %u\n", bytes);
}
if (key != NULL) {
if (!validated)
@ -276,7 +280,7 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
"from %s(%s) in %d ms\n\n",
query->lookup->doing_xfr ?
query->byte_count : (isc_uint64_t)bytes,
fromtext, query->servname,
fromtext, query->userarg,
(int)diff/1000);
}
}
@ -525,6 +529,13 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
printf(";; WARNING: recursion requested "
"but not available\n");
}
if (msg != query->lookup->sendmsg &&
query->lookup->edns != -1 && msg->opt == NULL &&
(msg->rcode == dns_rcode_formerr ||
msg->rcode == dns_rcode_notimp))
printf("\n;; WARNING: EDNS query returned status "
"%s - retry with '+noedns'\n",
rcode_totext(msg->rcode));
if (msg != query->lookup->sendmsg && extrabytes != 0U)
printf(";; WARNING: Messages has %u extra byte%s at "
"end\n", extrabytes, extrabytes != 0 ? "s" : "");
@ -855,8 +866,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
lookup->edns = -1;
break;
}
if (value == NULL)
goto need_value;
if (value == NULL) {
lookup->edns = 0;
break;
}
result = parse_uint(&num, value, 255, "edns");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse edns");

View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -45,6 +45,7 @@
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@ -116,9 +117,10 @@
<para>
Unless it is told to query a specific name server,
<command>dig</command> will try each of the servers listed
in
<filename>/etc/resolv.conf</filename>.
<command>dig</command> will try each of the servers listed in
<filename>/etc/resolv.conf</filename>. If no usable server addreses
are found, <command>dig</command> will send the query to the local
host.
</para>
<para>
@ -157,20 +159,25 @@
<term><constant>server</constant></term>
<listitem>
<para>
is the name or IP address of the name server to query. This can
be an IPv4
address in dotted-decimal notation or an IPv6
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<parameter>server</parameter> argument is a
hostname,
<command>dig</command> resolves that name before
querying that name
server. If no <parameter>server</parameter>
argument is provided,
<command>dig</command> consults <filename>/etc/resolv.conf</filename>
and queries the name servers listed there. The reply from the
name
server that responds is displayed.
<parameter>server</parameter> argument is a hostname,
<command>dig</command> resolves that name before querying
that name server.
</para>
<para>
If no <parameter>server</parameter> argument is
provided, <command>dig</command> consults
<filename>/etc/resolv.conf</filename>; if an
address is found there, it queries the name server at
that address. If either of the <option>-4</option> or
<option>-6</option> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<command>dig</command> will send the query to the
local host. The reply from the name server that
responds is displayed.
</para>
</listitem>
</varlistentry>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -34,7 +34,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543524"></a><h2>DESCRIPTION</h2>
<a name="id2543527"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@ -57,9 +57,10 @@
</p>
<p>
Unless it is told to query a specific name server,
<span><strong class="command">dig</strong></span> will try each of the servers listed
in
<code class="filename">/etc/resolv.conf</code>.
<span><strong class="command">dig</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server addreses
are found, <span><strong class="command">dig</strong></span> will send the query to the local
host.
</p>
<p>
When no command line arguments or options are given,
@ -80,7 +81,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543597"></a><h2>SIMPLE USAGE</h2>
<a name="id2543606"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@ -91,22 +92,29 @@
</p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd><p>
is the name or IP address of the name server to query. This can
be an IPv4
address in dotted-decimal notation or an IPv6
<dd>
<p>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a
hostname,
<span><strong class="command">dig</strong></span> resolves that name before
querying that name
server. If no <em class="parameter"><code>server</code></em>
argument is provided,
<span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>
and queries the name servers listed there. The reply from the
name
server that responds is displayed.
</p></dd>
<em class="parameter"><code>server</code></em> argument is a hostname,
<span><strong class="command">dig</strong></span> resolves that name before querying
that name server.
</p>
<p>
If no <em class="parameter"><code>server</code></em> argument is
provided, <span><strong class="command">dig</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span><strong class="command">dig</strong></span> will send the query to the
local host. The reply from the name server that
responds is displayed.
</p>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd><p>
is the name of the resource record that is to be looked up.
@ -126,7 +134,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543688"></a><h2>OPTIONS</h2>
<a name="id2543709"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@ -230,7 +238,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544037"></a><h2>QUERY OPTIONS</h2>
<a name="id2544058"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@ -561,7 +569,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545186"></a><h2>MULTIPLE QUERIES</h2>
<a name="id2545207"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@ -607,7 +615,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545248"></a><h2>IDN SUPPORT</h2>
<a name="id2545337"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@ -621,14 +629,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545338"></a><h2>FILES</h2>
<a name="id2545360"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545355"></a><h2>SEE ALSO</h2>
<a name="id2545377"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@ -636,7 +644,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545393"></a><h2>BUGS</h2>
<a name="id2545414"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -794,6 +794,7 @@ make_empty_lookup(void) {
dns_fixedname_init(&looknew->fdomain);
ISC_LINK_INIT(looknew, link);
ISC_LIST_INIT(looknew->q);
ISC_LIST_INIT(looknew->connecting);
ISC_LIST_INIT(looknew->my_server_list);
return (looknew);
}
@ -815,11 +816,11 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
looknew = make_empty_lookup();
INSIST(looknew != NULL);
strncpy(looknew->textname, lookold->textname, MXNAME);
strlcpy(looknew->textname, lookold->textname, MXNAME);
#if DIG_SIGCHASE_TD
strncpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
strlcpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
#endif
strncpy(looknew->cmdline, lookold->cmdline, MXNAME);
strlcpy(looknew->cmdline, lookold->cmdline, MXNAME);
looknew->textname[MXNAME-1] = 0;
looknew->rdtype = lookold->rdtype;
looknew->qrdtype = lookold->qrdtype;
@ -998,7 +999,7 @@ parse_hmac(const char *hmac) {
len = strlen(hmac);
if (len >= (int) sizeof(buf))
fatal("unknown key type '%.*s'", len, hmac);
strncpy(buf, hmac, sizeof(buf));
strlcpy(buf, hmac, sizeof(buf));
digestbits = 0;
@ -1080,8 +1081,8 @@ read_confkey(void) {
secretstr = cfg_obj_asstring(secretobj);
algorithm = cfg_obj_asstring(algorithmobj);
strncpy(keynametext, keyname, sizeof(keynametext));
strncpy(keysecret, secretstr, sizeof(keysecret));
strlcpy(keynametext, keyname, sizeof(keynametext));
strlcpy(keysecret, secretstr, sizeof(keysecret));
parse_hmac(algorithm);
setup_text_key();
@ -1164,7 +1165,7 @@ make_searchlist_entry(char *domain) {
if (search == NULL)
fatal("memory allocation failure in %s:%d",
__FILE__, __LINE__);
strncpy(search->origin, domain, MXNAME);
strlcpy(search->origin, domain, MXNAME);
search->origin[MXNAME-1] = 0;
ISC_LINK_INIT(search, link);
return (search);
@ -1473,7 +1474,10 @@ clear_query(dig_query_t *query) {
if (lookup->current_query == query)
lookup->current_query = NULL;
ISC_LIST_UNLINK(lookup->q, query, link);
if (ISC_LINK_LINKED(query, link))
ISC_LIST_UNLINK(lookup->q, query, link);
if (ISC_LINK_LINKED(query, clink))
ISC_LIST_UNLINK(lookup->connecting, query, clink);
if (ISC_LINK_LINKED(&query->recvbuf, link))
ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf,
link);
@ -1481,6 +1485,7 @@ clear_query(dig_query_t *query) {
ISC_LIST_DEQUEUE(query->lengthlist, &query->lengthbuf,
link);
INSIST(query->recvspace != NULL);
if (query->sock != NULL) {
isc_socket_detach(&query->sock);
sockcount--;
@ -1508,13 +1513,22 @@ try_clear_lookup(dig_lookup_t *lookup) {
debug("try_clear_lookup(%p)", lookup);
if (ISC_LIST_HEAD(lookup->q) != NULL) {
if (ISC_LIST_HEAD(lookup->q) != NULL ||
ISC_LIST_HEAD(lookup->connecting) != NULL)
{
if (debugging) {
q = ISC_LIST_HEAD(lookup->q);
while (q != NULL) {
debug("query to %s still pending", q->servname);
q = ISC_LIST_NEXT(q, link);
}
q = ISC_LIST_HEAD(lookup->connecting);
while (q != NULL) {
debug("query to %s still connecting",
q->servname);
q = ISC_LIST_NEXT(q, clink);
}
}
return (ISC_FALSE);
}
@ -1642,7 +1656,7 @@ start_lookup(void) {
= current_lookup->rdclassset;
current_lookup->rdclass = dns_rdataclass_in;
strncpy(current_lookup->textnamesigchase,
strlcpy(current_lookup->textnamesigchase,
current_lookup->textname, MXNAME);
current_lookup->trace_root_sigchase = ISC_TRUE;
@ -1654,7 +1668,7 @@ start_lookup(void) {
check_result(result, "dns_name_totext");
isc_buffer_usedregion(b, &r);
r.base[r.length] = '\0';
strncpy(current_lookup->textname, (char*)r.base,
strlcpy(current_lookup->textname, (char*)r.base,
MXNAME);
isc_buffer_free(&b);
@ -2290,7 +2304,6 @@ setup_lookup(dig_lookup_t *lookup) {
query->rr_count = 0;
query->msg_count = 0;
query->byte_count = 0;
ISC_LINK_INIT(query, link);
ISC_LIST_INIT(query->recvlist);
ISC_LIST_INIT(query->lengthlist);
query->sock = NULL;
@ -2303,6 +2316,7 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&query->slbuf, query->slspace, 2);
query->sendbuf = lookup->renderbuf;
ISC_LINK_INIT(query, clink);
ISC_LINK_INIT(query, link);
ISC_LIST_ENQUEUE(lookup->q, query, link);
}
@ -2424,6 +2438,7 @@ static void
force_timeout(dig_lookup_t *l, dig_query_t *query) {
isc_event_t *event;
debug("force_timeout ()");
event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
connect_timeout, l,
sizeof(isc_event_t));
@ -2491,6 +2506,7 @@ send_tcp_connect(dig_query_t *query) {
send_tcp_connect(next);
return;
}
INSIST(query->sock == NULL);
result = isc_socket_create(socketmgr,
isc_sockaddr_pf(&query->sockaddr),
@ -2521,6 +2537,9 @@ send_tcp_connect(dig_query_t *query) {
if (l->ns_search_only && !l->trace_root) {
debug("sending next, since searching");
next = ISC_LIST_NEXT(query, link);
if (ISC_LINK_LINKED(query, link))
ISC_LIST_DEQUEUE(l->q, query, link);
ISC_LIST_ENQUEUE(l->connecting, query, clink);
if (next != NULL)
send_tcp_connect(next);
}
@ -2601,7 +2620,7 @@ send_udp(dig_query_t *query) {
static void
connect_timeout(isc_task_t *task, isc_event_t *event) {
dig_lookup_t *l = NULL;
dig_query_t *query = NULL, *cq;
dig_query_t *query = NULL, *next, *cq;
UNUSED(task);
REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
@ -2625,7 +2644,9 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
if (query->sock != NULL)
isc_socket_cancel(query->sock, NULL,
ISC_SOCKCANCEL_ALL);
send_tcp_connect(ISC_LIST_NEXT(cq, link));
next = ISC_LIST_NEXT(cq, link);
if (next != NULL)
send_tcp_connect(next);
}
UNLOCK_LOOKUP;
return;
@ -2868,9 +2889,8 @@ connect_done(isc_task_t *task, isc_event_t *event) {
if (next != NULL) {
bringup_timer(next, TCP_TIMEOUT);
send_tcp_connect(next);
} else {
} else
check_next_lookup(l);
}
UNLOCK_LOOKUP;
return;
}
@ -3427,6 +3447,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (n == 0)
docancel = ISC_TRUE;
l->trace_root = ISC_FALSE;
usesearch = ISC_FALSE;
} else
#ifdef DIG_SIGCHASE
if (!do_sigchase)
@ -3603,15 +3624,19 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) {
*/
void
do_lookup(dig_lookup_t *lookup) {
dig_query_t *query;
REQUIRE(lookup != NULL);
debug("do_lookup()");
lookup->pending = ISC_TRUE;
if (lookup->tcp_mode)
send_tcp_connect(ISC_LIST_HEAD(lookup->q));
else
send_udp(ISC_LIST_HEAD(lookup->q));
query = ISC_LIST_HEAD(lookup->q);
if (query != NULL) {
if (lookup->tcp_mode)
send_tcp_connect(query);
else
send_udp(query);
}
}
/*%
@ -4083,7 +4108,7 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers,
check_result(result, "dns_name_totext");
isc_buffer_usedregion(b, &r);
r.base[r.length] = '\0';
strcpy(lookup->textname, (char*)r.base);
strlcpy(lookup->textname, (char*)r.base, sizeof(lookup->textname));
isc_buffer_free(&b);
if (type == dns_rdatatype_rrsig)
@ -4208,7 +4233,7 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
return (ISC_R_NOMEMORY);
memset(tempnamekey, 0, tempnamekeylen);
strncpy(tempnamekey, tempname, tempnamelen);
strlcpy(tempnamekey, tempname, tempnamelen);
strcat(tempnamekey ,".key");
@ -4342,7 +4367,7 @@ prepare_lookup(dns_name_t *name)
lookup->new_search = ISC_TRUE;
lookup->trace_root_sigchase = ISC_FALSE;
strncpy(lookup->textname, lookup->textnamesigchase, MXNAME);
strlcpy(lookup->textname, lookup->textnamesigchase, MXNAME);
lookup->rdtype = lookup->rdtype_sigchase;
lookup->rdtypeset = ISC_TRUE;
@ -4401,7 +4426,7 @@ prepare_lookup(dns_name_t *name)
dns_rdata_totext(&aaaa, &ns.name, b);
isc_buffer_usedregion(b, &r);
r.base[r.length] = '\0';
strncpy(namestr, (char*)r.base,
strlcpy(namestr, (char*)r.base,
DNS_NAME_FORMATSIZE);
isc_buffer_free(&b);
dns_rdata_reset(&aaaa);
@ -4430,7 +4455,7 @@ prepare_lookup(dns_name_t *name)
dns_rdata_totext(&a, &ns.name, b);
isc_buffer_usedregion(b, &r);
r.base[r.length] = '\0';
strncpy(namestr, (char*)r.base,
strlcpy(namestr, (char*)r.base,
DNS_NAME_FORMATSIZE);
isc_buffer_free(&b);
dns_rdata_reset(&a);
@ -4609,7 +4634,6 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
{
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
dst_key_t *trustedKey = NULL;
dst_key_t *dnsseckey = NULL;
int i;
@ -4653,10 +4677,6 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
dst_key_free(&dnsseckey);
} while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
if (trustedKey != NULL)
dst_key_free(&trustedKey);
trustedKey = NULL;
return (ISC_R_NOTFOUND);
}

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -446,10 +446,18 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
if (msg->rcode != 0) {
char namestr[DNS_NAME_FORMATSIZE];
dns_name_format(query->lookup->name, namestr, sizeof(namestr));
printf("Host %s not found: %d(%s)\n",
(msg->rcode != dns_rcode_nxdomain) ? namestr :
query->lookup->textname, msg->rcode,
rcode_totext(msg->rcode));
if (query->lookup->identify_previous_line)
printf("Nameserver %s:\n\t%s not found: %d(%s)\n",
query->servname,
(msg->rcode != dns_rcode_nxdomain) ? namestr :
query->lookup->textname, msg->rcode,
rcode_totext(msg->rcode));
else
printf("Host %s not found: %d(%s)\n",
(msg->rcode != dns_rcode_nxdomain) ? namestr :
query->lookup->textname, msg->rcode,
rcode_totext(msg->rcode));
return (ISC_R_SUCCESS);
}

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -168,6 +168,7 @@ isc_boolean_t sigchase;
dns_name_t *oname;
ISC_LINK(dig_lookup_t) link;
ISC_LIST(dig_query_t) q;
ISC_LIST(dig_query_t) connecting;
dig_query_t *current_query;
dig_serverlist_t my_server_list;
dig_searchlist_t *origin;
@ -214,6 +215,7 @@ struct dig_query {
slspace[4];
isc_socket_t *sock;
ISC_LINK(dig_query_t) link;
ISC_LINK(dig_query_t) clink;
isc_sockaddr_t sockaddr;
isc_time_t time_sent;
isc_uint64_t byte_count;

View File

@ -356,6 +356,8 @@ main(int argc, char **argv) {
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
"If you still wish to use RSA (RSAMD5) please "
"specify \"-a RSAMD5\"\n");
if (freeit != NULL)
free(freeit);
return (1);
} else {
r.base = algname;

View File

@ -1,5 +1,5 @@
/*
* Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -526,6 +526,7 @@ main(int argc, char **argv) {
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0)
alg = DST_ALG_HMACMD5;
@ -960,8 +961,15 @@ main(int argc, char **argv) {
dst_key_settime(key, DST_TIME_INACTIVE,
inactive);
if (setdel)
if (setdel) {
if (setinact && delete < inactive)
fprintf(stderr, "%s: warning: Key is "
"scheduled to be deleted "
"before it is scheduled to be "
"made inactive.\n",
program);
dst_key_settime(key, DST_TIME_DELETE, delete);
}
} else {
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -20,7 +20,6 @@
#include <config.h>
#include <libgen.h>
#include <stdlib.h>
#include <unistd.h>

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2009-2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -20,7 +20,6 @@
#include <config.h>
#include <libgen.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
@ -140,6 +139,7 @@ main(int argc, char **argv) {
int prepub = -1;
isc_stdtime_t now;
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
isc_stdtime_t prevact = 0, previnact = 0, prevdel = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
@ -344,7 +344,6 @@ main(int argc, char **argv) {
if (predecessor != NULL) {
char keystr[DST_KEY_FORMATSIZE];
isc_stdtime_t when;
int major, minor;
if (prepub == -1)
@ -376,19 +375,20 @@ main(int argc, char **argv) {
fatal("Predecessor has incompatible format "
"version %d.%d\n\t", major, minor);
result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact);
if (result != ISC_R_SUCCESS)
fatal("Predecessor has no activation date. "
"You must set one before\n\t"
"generating a successor.");
result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act);
result = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
&previnact);
if (result != ISC_R_SUCCESS)
fatal("Predecessor has no inactivation date. "
"You must set one before\n\t"
"generating a successor.");
pub = act - prepub;
pub = prevact - prepub;
if (pub < now && prepub != 0)
fatal("Predecessor will become inactive before the\n\t"
"prepublication period ends. Either change "
@ -396,13 +396,18 @@ main(int argc, char **argv) {
"or use the -i option to set a shorter "
"prepublication interval.");
result = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
if (result != ISC_R_SUCCESS)
fprintf(stderr, "%s: WARNING: Predecessor has no "
fprintf(stderr, "%s: warning: Predecessor has no "
"removal date;\n\t"
"it will remain in the zone "
"indefinitely after rollover.\n",
program);
else if (prevdel < previnact)
fprintf(stderr, "%s: warning: Predecessor is "
"scheduled to be deleted\n\t"
"before it is scheduled to be "
"inactive.\n", program);
changed = setpub = setact = ISC_TRUE;
dst_key_free(&prevkey);
@ -464,6 +469,20 @@ main(int argc, char **argv) {
fatal("Key flags mismatch");
}
prevdel = previnact = 0;
if ((setdel && setinact && del < inact) ||
(dst_key_gettime(key, DST_TIME_INACTIVE,
&previnact) == ISC_R_SUCCESS &&
setdel && !setinact && del < previnact) ||
(dst_key_gettime(key, DST_TIME_DELETE,
&prevdel) == ISC_R_SUCCESS &&
setinact && !setdel && prevdel < inact) ||
(!setdel && !setinact && prevdel < previnact))
fprintf(stderr, "%s: warning: Key is scheduled to "
"be deleted before it is\n\t"
"scheduled to be inactive.\n",
program);
if (force)
set_keyversion(key);
else

View File

@ -1,5 +1,5 @@
/*
* Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -646,6 +646,8 @@ hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
if (l->entries == l->size) {
l->size = l->size * 2 + 100;
l->hashbuf = realloc(l->hashbuf, l->size * l->length);
if (l->hashbuf == NULL)
fatal("unable to grow hashlist: out of memory");
}
memset(l->hashbuf + l->entries * l->length, 0, l->length);
memcpy(l->hashbuf + l->entries * l->length, hash, len);
@ -2027,7 +2029,9 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
* Remove records of the given type and their signatures.
*/
static void
remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
remove_records(dns_dbnode_t *node, dns_rdatatype_t which,
isc_boolean_t checknsec)
{
isc_result_t result;
dns_rdatatype_t type, covers;
dns_rdatasetiter_t *rdsiter = NULL;
@ -2048,10 +2052,12 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
covers = rdataset.covers;
dns_rdataset_disassociate(&rdataset);
if (type == which || covers == which) {
if (which == dns_rdatatype_nsec && !update_chain)
if (which == dns_rdatatype_nsec &&
checknsec && !update_chain)
fatal("Zone contains NSEC records. Use -u "
"to update to NSEC3.");
if (which == dns_rdatatype_nsec3param && !update_chain)
if (which == dns_rdatatype_nsec3param &&
checknsec && !update_chain)
fatal("Zone contains NSEC3 chains. Use -u "
"to update to NSEC.");
result = dns_db_deleterdataset(gdb, node, gversion,
@ -2063,6 +2069,39 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
dns_rdatasetiter_destroy(&rdsiter);
}
/*
* Remove signatures covering the given type (0 == all signatures).
*/
static void
remove_sigs(dns_dbnode_t *node, dns_rdatatype_t which) {
isc_result_t result;
dns_rdatatype_t type, covers;
dns_rdatasetiter_t *rdsiter = NULL;
dns_rdataset_t rdataset;
dns_rdataset_init(&rdataset);
result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()");
for (result = dns_rdatasetiter_first(rdsiter);
result == ISC_R_SUCCESS;
result = dns_rdatasetiter_next(rdsiter)) {
dns_rdatasetiter_current(rdsiter, &rdataset);
type = rdataset.type;
covers = rdataset.covers;
dns_rdataset_disassociate(&rdataset);
if (type == dns_rdatatype_rrsig &&
(covers == which || which == 0))
{
result = dns_db_deleterdataset(gdb, node, gversion,
type, covers);
check_result(result, "dns_db_deleterdataset()");
continue;
}
}
dns_rdatasetiter_destroy(&rdsiter);
}
/*%
* Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
*/
@ -2139,14 +2178,17 @@ nsecify(void) {
}
if (dns_name_equal(name, gorigin))
remove_records(node, dns_rdatatype_nsec3param);
remove_records(node, dns_rdatatype_nsec3param,
ISC_TRUE);
if (delegation(name, node, &nsttl)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
remove_sigs(node, 0);
if (generateds)
add_ds(name, node, nsttl);
}
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
while (result == ISC_R_SUCCESS) {
@ -2164,6 +2206,9 @@ nsecify(void) {
(zonecut != NULL &&
dns_name_issubdomain(nextname, zonecut)))
{
remove_sigs(nextnode, 0);
remove_records(nextnode, dns_rdatatype_nsec,
ISC_FALSE);
dns_db_detachnode(gdb, &nextnode);
result = dns_dbiterator_next(dbiter);
continue;
@ -2555,7 +2600,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
}
if (dns_name_equal(name, gorigin))
remove_records(node, dns_rdatatype_nsec);
remove_records(node, dns_rdatatype_nsec, ISC_TRUE);
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
@ -2572,6 +2617,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
if (!dns_name_issubdomain(nextname, gorigin) ||
(zonecut != NULL &&
dns_name_issubdomain(nextname, zonecut))) {
remove_sigs(nextnode, 0);
dns_db_detachnode(gdb, &nextnode);
result = dns_dbiterator_next(dbiter);
continue;
@ -2579,6 +2625,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
if (delegation(nextname, nextnode, &nsttl)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(nextname, zonecut, NULL);
remove_sigs(nextnode, 0);
if (generateds)
add_ds(nextname, nextnode, nsttl);
if (OPTOUT(nsec3flags) &&
@ -3011,7 +3058,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
dns_rdata_nsec3_t nsec3;
dns_fixedname_t fname;
dns_name_t *hashname;
unsigned char orig_salt[256];
unsigned char orig_salt[255];
size_t orig_saltlen;
dns_hash_t orig_hash;
isc_uint16_t orig_iter;

View File

@ -1,4 +1,4 @@
# Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -21,6 +21,12 @@ top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_PRODUCT@
@BIND9_DESCRIPTION@
@BIND9_SRCID@
@BIND9_CONFIGARGS@
@BIND9_MAKE_INCLUDES@
@ -114,6 +120,9 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-DPRODUCT=\"${PRODUCT}\" \
-DDESCRIPTION=\"${DESCRIPTION}\" \
-DSRCID=\"${SRCID}\" \
-DCONFIGARGS="\"${CONFIGARGS}\"" \
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
@ -124,6 +133,7 @@ bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/bindkeys.pl
config.@O@: config.c bind.keys.h
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-DSRCID=\"${SRCID}\" \
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c
@ -167,3 +177,6 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
@DLZ_DRIVER_RULES@
named-symtbl.@O@: named-symtbl.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c

View File

@ -1394,10 +1394,9 @@ client_request(isc_task_t *task, isc_event_t *event) {
INSIST(client->recursionquota == NULL);
INSIST(client->state ==
TCP_CLIENT(client) ?
NS_CLIENTSTATE_READING :
NS_CLIENTSTATE_READY);
INSIST(client->state == (TCP_CLIENT(client) ?
NS_CLIENTSTATE_READING :
NS_CLIENTSTATE_READY));
ns_client_requests++;
@ -2408,6 +2407,9 @@ ns_client_replace(ns_client_t *client) {
CTRACE("replace");
REQUIRE(client != NULL);
REQUIRE(client->manager != NULL);
result = ns_clientmgr_createclients(client->manager,
1, client->interface,
(TCP_CLIENT(client) ?

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -150,6 +150,7 @@ options {\n\
check-names response ignore;\n\
check-dup-records warn;\n\
check-mx warn;\n\
check-spf warn;\n\
acache-enable no;\n\
acache-cleaning-interval 60;\n\
max-acache-size 16M;\n\
@ -639,17 +640,16 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
if (isc_sockaddr_getport(&addrs[i]) == 0)
isc_sockaddr_setport(&addrs[i], port);
keys[i] = NULL;
if (!cfg_obj_isstring(key)) {
i++;
i++; /* Increment here so that cleanup on error works. */
if (!cfg_obj_isstring(key))
continue;
}
keys[i] = isc_mem_get(mctx, sizeof(dns_name_t));
if (keys[i] == NULL)
keys[i - 1] = isc_mem_get(mctx, sizeof(dns_name_t));
if (keys[i - 1] == NULL)
goto cleanup;
dns_name_init(keys[i], NULL);
dns_name_init(keys[i - 1], NULL);
keystr = cfg_obj_asstring(key);
isc_buffer_init(&b, keystr, strlen(keystr));
isc_buffer_constinit(&b, keystr, strlen(keystr));
isc_buffer_add(&b, strlen(keystr));
dns_fixedname_init(&fname);
result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
@ -657,10 +657,9 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
if (result != ISC_R_SUCCESS)
goto cleanup;
result = dns_name_dup(dns_fixedname_name(&fname), mctx,
keys[i]);
keys[i - 1]);
if (result != ISC_R_SUCCESS)
goto cleanup;
i++;
}
if (pushed != 0) {
pushed--;
@ -716,7 +715,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
if (addrs != NULL)
isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t));
if (keys != NULL) {
for (j = 0; j <= i; j++) {
for (j = 0; j < i; j++) {
if (keys[j] == NULL)
continue;
if (dns_name_dynamic(keys[j]))

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -61,7 +61,7 @@ command_compare(const char *text, const char *command) {
isc_result_t
ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
isccc_sexpr_t *data;
char *command;
char *command = NULL;
isc_result_t result;
int log_level;
#ifdef HAVE_LIBSCF

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2008, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -149,7 +149,7 @@ free_listener(controllistener_t *listener) {
if (listener->acl != NULL)
dns_acl_detach(&listener->acl);
isc_mem_put(listener->mctx, listener, sizeof(*listener));
isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
}
static void
@ -1066,8 +1066,9 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
result = ISC_R_NOMEMORY;
if (result == ISC_R_SUCCESS) {
listener->mctx = NULL;
isc_mem_attach(mctx, &listener->mctx);
listener->controls = cp;
listener->mctx = mctx;
listener->task = cp->server->task;
listener->address = *addr;
listener->sock = NULL;

View File

@ -165,16 +165,17 @@ struct ns_client {
#define NS_CLIENT_MAGIC ISC_MAGIC('N','S','C','c')
#define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
#define NS_CLIENTATTR_TCP 0x01
#define NS_CLIENTATTR_RA 0x02 /*%< Client gets recursive service */
#define NS_CLIENTATTR_PKTINFO 0x04 /*%< pktinfo is valid */
#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */
#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */
#define NS_CLIENTATTR_WANTNSID 0x20 /*%< include nameserver ID */
#define NS_CLIENTATTR_TCP 0x001
#define NS_CLIENTATTR_RA 0x002 /*%< Client gets recursive service */
#define NS_CLIENTATTR_PKTINFO 0x004 /*%< pktinfo is valid */
#define NS_CLIENTATTR_MULTICAST 0x008 /*%< recv'd from multicast */
#define NS_CLIENTATTR_WANTDNSSEC 0x010 /*%< include dnssec records */
#define NS_CLIENTATTR_WANTNSID 0x020 /*%< include nameserver ID */
#ifdef ALLOW_FILTER_AAAA_ON_V4
#define NS_CLIENTATTR_FILTER_AAAA 0x40 /*%< suppress AAAAs */
#define NS_CLIENTATTR_FILTER_AAAA_RC 0x80 /*%< recursing for A against AAAA */
#define NS_CLIENTATTR_FILTER_AAAA 0x040 /*%< suppress AAAAs */
#define NS_CLIENTATTR_FILTER_AAAA_RC 0x080 /*%< recursing for A against AAAA */
#endif
#define NS_CLIENTATTR_WANTAD 0x100 /*%< want AD in response if possible */
extern unsigned int ns_client_requests;

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -66,6 +66,9 @@ EXTERN isc_timermgr_t * ns_g_timermgr INIT(NULL);
EXTERN isc_socketmgr_t * ns_g_socketmgr INIT(NULL);
EXTERN cfg_parser_t * ns_g_parser INIT(NULL);
EXTERN const char * ns_g_version INIT(VERSION);
EXTERN const char * ns_g_product INIT(PRODUCT);
EXTERN const char * ns_g_description INIT(DESCRIPTION);
EXTERN const char * ns_g_srcid INIT(SRCID);
EXTERN const char * ns_g_configargs INIT(CONFIGARGS);
EXTERN in_port_t ns_g_port INIT(0);
EXTERN in_port_t lwresd_g_listenport INIT(0);
@ -120,6 +123,7 @@ EXTERN isc_boolean_t ns_g_coreok INIT(ISC_TRUE);
EXTERN const char * ns_g_chrootdir INIT(NULL);
EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_nosyslog INIT(ISC_FALSE);
EXTERN const char * ns_g_defaultsessionkeyfile
INIT(NS_LOCALSTATEDIR "/run/named/"
@ -153,6 +157,7 @@ EXTERN isc_boolean_t ns_g_memstatistics INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_clienttest INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_nosoa INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_noaa INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_nonearest INIT(ISC_FALSE);
#undef EXTERN
#undef INIT

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -165,7 +165,9 @@ enum {
dns_nsstatscounter_updatefail = 34,
dns_nsstatscounter_updatebadprereq = 35,
dns_nsstatscounter_max = 36
dns_nsstatscounter_rpz_rewrites = 36,
dns_nsstatscounter_max = 37
};
void

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -79,11 +79,13 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
if (mgr == NULL)
return (ISC_R_NOMEMORY);
mgr->mctx = NULL;
isc_mem_attach(mctx, &mgr->mctx);
result = isc_mutex_init(&mgr->lock);
if (result != ISC_R_SUCCESS)
goto cleanup_mem;
mgr->mctx = mctx;
mgr->taskmgr = taskmgr;
mgr->socketmgr = socketmgr;
mgr->dispatchmgr = dispatchmgr;
@ -115,7 +117,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
ns_listenlist_detach(&mgr->listenon4);
ns_listenlist_detach(&mgr->listenon6);
cleanup_mem:
isc_mem_put(mctx, mgr, sizeof(*mgr));
isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
return (result);
}
@ -128,7 +130,7 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
clearlistenon(mgr);
DESTROYLOCK(&mgr->lock);
mgr->magic = 0;
isc_mem_put(mgr->mctx, mgr, sizeof(*mgr));
isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
}
dns_aclenv_t *

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007, 2009, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -201,7 +201,7 @@ isc_result_t
ns_log_setdefaultcategory(isc_logconfig_t *lcfg) {
isc_result_t result;
if (! ns_g_logstderr) {
if (! ns_g_logstderr && ! ns_g_nosyslog) {
result = isc_log_usechannel(lcfg, "default_syslog",
ISC_LOGCATEGORY_DEFAULT, NULL);
if (result != ISC_R_SUCCESS)

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -246,14 +246,16 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
isc_result_totext(result));
} else
(void)isc_stdio_close(fp);
} else {
syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s",
dest.file.name, isc_result_totext(result));
fprintf(stderr, "isc_file_isplainfile '%s' failed: %s",
dest.file.name, isc_result_totext(result));
goto done;
}
if (!ns_g_nosyslog)
syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s",
dest.file.name, isc_result_totext(result));
fprintf(stderr, "isc_file_isplainfile '%s' failed: %s",
dest.file.name, isc_result_totext(result));
}
done:
return (result);
}

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -368,7 +368,7 @@ ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
isc_buffer_init(&namebuf, searchstr,
isc_buffer_constinit(&namebuf, searchstr,
strlen(searchstr));
isc_buffer_add(&namebuf, strlen(searchstr));
result = dns_name_fromtext(name, &namebuf,

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -523,6 +523,10 @@ parse_command_line(int argc, char *argv[]) {
maxudp = 512;
else if (!strcmp(isc_commandline_argument, "maxudp1460"))
maxudp = 1460;
else if (!strcmp(isc_commandline_argument, "nosyslog"))
ns_g_nosyslog = ISC_TRUE;
else if (!strcmp(isc_commandline_argument, "nonearest"))
ns_g_nonearest = ISC_TRUE;
else
fprintf(stderr, "unknown -T flag '%s\n",
isc_commandline_argument);
@ -531,10 +535,16 @@ parse_command_line(int argc, char *argv[]) {
ns_g_username = isc_commandline_argument;
break;
case 'v':
printf("BIND %s\n", ns_g_version);
printf("%s %s", ns_g_product, ns_g_version);
if (*ns_g_description != 0)
printf(" %s", ns_g_description);
printf("\n");
exit(0);
case 'V':
printf("BIND %s built with %s\n", ns_g_version,
printf("%s %s", ns_g_product, ns_g_version);
if (*ns_g_description != 0)
printf(" %s", ns_g_description);
printf(" <id:%s> built with %s\n", ns_g_srcid,
ns_g_configargs);
#ifdef OPENSSL
printf("using OpenSSL version: %s\n",
@ -787,8 +797,8 @@ setup(void) {
isc_result_totext(result));
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
saved_command_line);
ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product,
ns_g_version, saved_command_line);
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
@ -1029,9 +1039,9 @@ main(int argc, char *argv[]) {
*/
strlcat(version,
#if defined(NO_VERSION_DATE) || !defined(__DATE__)
"named version: BIND " VERSION,
"named version: BIND " VERSION " <" SRCID ">",
#else
"named version: BIND " VERSION " (" __DATE__ ")",
"named version: BIND " VERSION " <" SRCID "> (" __DATE__ ")",
#endif
sizeof(version));
result = isc_file_progname(*argv, program_name, sizeof(program_name));

View File

@ -1,4 +1,4 @@
.\" Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -187,7 +187,7 @@ options {
random\-device \fIquoted_string\fR;
recursive\-clients \fIinteger\fR;
serial\-query\-rate \fIinteger\fR;
server\-id ( \fIquoted_string\fR | none |;
server\-id ( \fIquoted_string\fR | none );
stacksize \fIsize\fR;
statistics\-file \fIquoted_string\fR;
statistics\-interval \fIinteger\fR; // not yet implemented
@ -592,5 +592,5 @@ zone \fIstring\fR \fIoptional_class\fR {
\fBrndc\fR(8),
BIND 9 Administrator Reference Manual.
.SH "COPYRIGHT"
Copyright \(co 2004\-2011 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@ -44,6 +44,7 @@
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@ -218,7 +219,7 @@ options {
random-device <replaceable>quoted_string</replaceable>;
recursive-clients <replaceable>integer</replaceable>;
serial-query-rate <replaceable>integer</replaceable>;
server-id ( <replaceable>quoted_string</replaceable> | none |;
server-id ( <replaceable>quoted_string</replaceable> | none );
stacksize <replaceable>size</replaceable>;
statistics-file <replaceable>quoted_string</replaceable>;
statistics-interval <replaceable>integer</replaceable>; // not yet implemented

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543353"></a><h2>DESCRIPTION</h2>
<a name="id2543356"></a><h2>DESCRIPTION</h2>
<p><code class="filename">named.conf</code> is the configuration file
for
<span><strong class="command">named</strong></span>. Statements are enclosed
@ -50,14 +50,14 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543381"></a><h2>ACL</h2>
<a name="id2543384"></a><h2>ACL</h2>
<div class="literallayout"><p><br>
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543397"></a><h2>KEY</h2>
<a name="id2543400"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>domain_name</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -66,7 +66,7 @@ key
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543416"></a><h2>MASTERS</h2>
<a name="id2543419"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
@ -75,7 +75,7 @@ masters
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543462"></a><h2>SERVER</h2>
<a name="id2543465"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -97,7 +97,7 @@ server
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543530"></a><h2>TRUSTED-KEYS</h2>
<a name="id2543533"></a><h2>TRUSTED-KEYS</h2>
<div class="literallayout"><p><br>
trusted-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@ -105,7 +105,7 @@ trusted-keys
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543556"></a><h2>MANAGED-KEYS</h2>
<a name="id2543559"></a><h2>MANAGED-KEYS</h2>
<div class="literallayout"><p><br>
managed-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@ -113,7 +113,7 @@ managed-keys
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543585"></a><h2>CONTROLS</h2>
<a name="id2543588"></a><h2>CONTROLS</h2>
<div class="literallayout"><p><br>
controls {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
@ -125,7 +125,7 @@ controls
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543620"></a><h2>LOGGING</h2>
<a name="id2543623"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
channel <em class="replaceable"><code>string</code></em> {<br>
@ -143,7 +143,7 @@ logging
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543658"></a><h2>LWRES</h2>
<a name="id2543661"></a><h2>LWRES</h2>
<div class="literallayout"><p><br>
lwres {<br>
listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
@ -156,7 +156,7 @@ lwres
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543700"></a><h2>OPTIONS</h2>
<a name="id2543703"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
@ -184,7 +184,7 @@ options
random-device <em class="replaceable"><code>quoted_string</code></em>;<br>
recursive-clients <em class="replaceable"><code>integer</code></em>;<br>
serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
server-id ( <em class="replaceable"><code>quoted_string</code></em> | none |;<br>
server-id ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
stacksize <em class="replaceable"><code>size</code></em>;<br>
statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
statistics-interval <em class="replaceable"><code>integer</code></em>; // not yet implemented<br>
@ -360,7 +360,7 @@ options
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544574"></a><h2>VIEW</h2>
<a name="id2544578"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -523,7 +523,7 @@ view
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2545284"></a><h2>ZONE</h2>
<a name="id2545287"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
type ( master | slave | stub | hint |<br>
@ -618,12 +618,12 @@ zone
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2545664"></a><h2>FILES</h2>
<a name="id2545667"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545675"></a><h2>SEE ALSO</h2>
<a name="id2545678"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -94,6 +94,10 @@
/*% Want DNSSEC? */
#define WANTDNSSEC(c) (((c)->attributes & \
NS_CLIENTATTR_WANTDNSSEC) != 0)
/*% Want WANTAD? */
#define WANTAD(c) (((c)->attributes & \
NS_CLIENTATTR_WANTAD) != 0)
/*% No authority? */
#define NOAUTHORITY(c) (((c)->query.attributes & \
NS_QUERYATTR_NOAUTHORITY) != 0)
@ -651,7 +655,7 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
dns_dbversion_t **versionp)
{
isc_result_t result;
dns_acl_t *queryacl;
dns_acl_t *queryacl, *queryonacl;
ns_dbversion_t *dbversion;
REQUIRE(zone != NULL);
@ -763,6 +767,21 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
}
/* If and only if we've gotten this far, check allow-query-on too */
if (result == ISC_R_SUCCESS) {
queryonacl = dns_zone_getqueryonacl(zone);
if (queryonacl == NULL)
queryonacl = client->view->queryonacl;
result = ns_client_checkaclsilent(client, NULL,
queryonacl, ISC_TRUE);
if ((options & DNS_GETDB_NOLOG) == 0 &&
result != ISC_R_SUCCESS)
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_QUERY, ISC_LOG_INFO,
"query-on denied");
}
dbversion->acl_checked = ISC_TRUE;
if (result != ISC_R_SUCCESS) {
dbversion->queryok = ISC_FALSE;
@ -831,12 +850,29 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
}
static void
rpz_log_rewrite(ns_client_t *client, const char *disabled,
rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
dns_rpz_policy_t policy, dns_rpz_type_t type,
dns_name_t *rpz_qname) {
dns_zone_t *zone, dns_name_t *rpz_qname)
{
isc_stats_t *zonestats;
char qname_buf[DNS_NAME_FORMATSIZE];
char rpz_qname_buf[DNS_NAME_FORMATSIZE];
/*
* Count enabled rewrites in the global counter.
* Count both enabled and disabled rewrites for each zone.
*/
if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) {
isc_stats_increment(ns_g_server->nsstats,
dns_nsstatscounter_rpz_rewrites);
}
if (zone != NULL) {
zonestats = dns_zone_getrequeststats(zone);
if (zonestats != NULL)
isc_stats_increment(zonestats,
dns_nsstatscounter_rpz_rewrites);
}
if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
return;
@ -845,7 +881,7 @@ rpz_log_rewrite(ns_client_t *client, const char *disabled,
ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
disabled,
disabled ? "disabled " : "",
dns_rpz_type2str(type), dns_rpz_policy2str(policy),
qname_buf, rpz_qname_buf);
}
@ -861,6 +897,9 @@ rpz_log_fail(ns_client_t *client, int level,
if (!isc_log_wouldlog(ns_g_lctx, level))
return;
/*
* bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
*/
dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
dns_name_format(name, namebuf2, sizeof(namebuf2));
ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
@ -3074,6 +3113,14 @@ query_addbestns(ns_client_t *client) {
SECURE(client) && WANTDNSSEC(client))
goto cleanup;
/*
* If the answer is secure only add NS records if they are secure * when the client may be looking for AD in the response.
*/
if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) &&
((rdataset->trust != dns_trust_secure) ||
(sigrdataset != NULL && sigrdataset->trust != dns_trust_secure)))
goto cleanup;
/*
* If the client doesn't want DNSSEC we can discard the sigrdataset
* now.
@ -4028,6 +4075,8 @@ rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type,
rdatasetp, resuming);
switch (result) {
case ISC_R_SUCCESS:
case DNS_R_GLUE:
case DNS_R_ZONECUT:
result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
break;
case DNS_R_EMPTYNAME:
@ -4121,6 +4170,8 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
dns_name_t *found;
isc_result_t result;
REQUIRE(nodep != NULL);
result = rpz_ready(client, zonep, dbp, nodep, rdatasetp);
if (result != ISC_R_SUCCESS) {
*policyp = DNS_RPZ_POLICY_ERROR;
@ -4204,26 +4255,32 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
result = DNS_R_CNAME;
}
break;
case DNS_R_NXRRSET:
policy = DNS_RPZ_POLICY_NODATA;
break;
case DNS_R_DNAME:
/*
* DNAME policy RRs have very few if any uses that are not
* better served with simple wildcards. Making the work would
* require complications to get the number of labels matched
* in the name or the found name to the main DNS_R_DNAME case
* in query_find(). So fall through to treat them as NODATA.
* in query_find().
*/
dns_rdataset_disassociate(*rdatasetp);
dns_db_detachnode(*dbp, nodep);
/*
* Fall through to treat it as a miss.
*/
case DNS_R_NXRRSET:
policy = DNS_RPZ_POLICY_NODATA;
break;
case DNS_R_NXDOMAIN:
case DNS_R_EMPTYNAME:
/*
* If we don't get a qname hit,
* see if it is worth looking for other types.
*/
dns_db_rpz_enabled(*dbp, client->query.rpz_st);
(void)dns_db_rpz_enabled(*dbp, client->query.rpz_st);
dns_db_detach(dbp);
dns_zone_detach(zonep);
result = DNS_R_NXDOMAIN;
policy = DNS_RPZ_POLICY_MISS;
break;
default:
@ -4231,9 +4288,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
dns_zone_detach(zonep);
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
"", result);
policy = DNS_RPZ_POLICY_ERROR;
result = DNS_R_SERVFAIL;
break;
return (DNS_R_SERVFAIL);
}
*policyp = policy;
@ -4299,6 +4354,9 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
if (result == ISC_R_SUCCESS)
break;
INSIST(result == DNS_R_NAMETOOLONG);
/*
* Trim the name until it is not too long.
*/
labels = dns_name_countlabels(prefix);
if (labels < 2) {
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
@ -4322,7 +4380,6 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
rdatasetp, &policy);
switch (result) {
case DNS_R_NXDOMAIN:
case DNS_R_EMPTYNAME:
break;
case DNS_R_SERVFAIL:
rpz_clean(&zone, &db, &node, rdatasetp);
@ -4345,13 +4402,45 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
(st->m.type == rpz_type &&
0 >= dns_name_compare(rpz_qname, st->qname))))
continue;
#if 0
/*
* This code would block a customer reported information
* leak of rpz rules by rewriting requests in the
* rpz-ip, rpz-nsip, rpz-nsdname,and rpz-passthru TLDs.
* Without this code, a bad guy could request
* 24.0.3.2.10.rpz-ip. to find the policy rule for
* 10.2.3.0/14. It is an insignificant leak and this
* code is not worth its cost, because the bad guy
* could publish "evil.com A 10.2.3.4" and request
* evil.com to get the same information.
* Keep code with "#if 0" in case customer demand
* is irresistible.
*
* We have the less frequent case of a triggered
* policy. Check that we have not trigger on one
* of the pretend RPZ TLDs.
* This test would make it impossible to rewrite
* names in TLDs that start with "rpz-" should
* ICANN ever allow such TLDs.
*/
labels = dns_name_countlabels(qname);
if (labels >= 2) {
dns_label_t label;
dns_name_getlabel(qname, labels-2, &label);
if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 &&
strncasecmp((const char *)label.base+1,
DNS_RPZ_PREFIX,
sizeof(DNS_RPZ_PREFIX)-1) == 0)
continue;
}
#endif
/*
* Merely log DNS_RPZ_POLICY_DISABLED hits.
*/
if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
rpz_log_rewrite(client, "disabled ",
policy, rpz_type, rpz_qname);
rpz_log_rewrite(client, ISC_TRUE, policy,
rpz_type, zone, rpz_qname);
continue;
}
@ -4482,7 +4571,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
rdataset = NULL;
if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
/*
* Check rules for the query name if this it the first time
* Check rules for the query name if this is the first time
* for the current qname, i.e. we've not been recursing.
* There is a first time for each name in a CNAME chain.
*/
@ -4524,7 +4613,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
dns_fixedname_init(&nsnamef);
dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
while (st->r.label > 1) {
while (st->r.label > client->view->rpz_min_ns_labels) {
/*
* Get NS rrset for each domain in the current qname.
*/
@ -4655,8 +4744,8 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
st->m.policy == DNS_RPZ_POLICY_ERROR) {
if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
result != DNS_R_DELEGATION)
rpz_log_rewrite(client, "", st->m.policy, st->m.type,
st->qname);
rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
st->m.type, st->m.zone, st->qname);
rpz_match_clear(st);
}
if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
@ -4671,7 +4760,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
}
/*
* See if response policy zone rewriting is allowed a lack of interest
* See if response policy zone rewriting is allowed by a lack of interest
* by the client in DNSSEC or a lack of signatures.
*/
static isc_boolean_t
@ -4766,7 +4855,8 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
fname, dns_trust_authanswer, st->m.ttl);
if (result != ISC_R_SUCCESS)
return (result);
rpz_log_rewrite(client, "", st->m.policy, st->m.type, st->qname);
rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
st->m.type, st->m.zone, st->qname);
ns_client_qnamereplace(client, fname);
/*
* Turn off DNSSEC because the results of a
@ -5703,9 +5793,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
DNS_MESSAGEFLAG_AD);
query_putrdataset(client, &sigrdataset);
rpz_st->q.is_zone = is_zone;
is_zone = ISC_TRUE;
rpz_log_rewrite(client, "", rpz_st->m.policy,
rpz_st->m.type, rpz_st->qname);
rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
rpz_st->m.type, zone, rpz_st->qname);
}
}
@ -6080,6 +6171,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rdataset = NULL;
sigrdataset = NULL;
type = qtype = dns_rdatatype_a;
rpz_st = client->query.rpz_st;
if (rpz_st != NULL) {
/*
* Arrange for RPZ rewriting of any A records.
*/
if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
is_zone = rpz_st->q.is_zone;
rpz_st_clear(client);
}
dns64 = ISC_TRUE;
goto db_find;
}
@ -6108,7 +6208,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* closest provable encloser.
*/
if (dns_rdataset_isassociated(rdataset) &&
!dns_name_equal(qname, found)) {
!dns_name_equal(qname, found) &&
!(ns_g_nonearest &&
qtype != dns_rdatatype_ds))
{
unsigned int count;
unsigned int skip;
@ -6338,6 +6441,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
sigrdataset = NULL;
fname = NULL;
type = qtype = dns_rdatatype_a;
rpz_st = client->query.rpz_st;
if (rpz_st != NULL) {
/*
* Arrange for RPZ rewriting of any A records.
*/
if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
is_zone = rpz_st->q.is_zone;
rpz_st_clear(client);
}
dns64 = ISC_TRUE;
goto db_find;
}
@ -6838,6 +6950,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rdataset = NULL;
sigrdataset = NULL;
type = qtype = dns_rdatatype_a;
rpz_st = client->query.rpz_st;
if (rpz_st != NULL) {
/*
* Arrange for RPZ rewriting of any A records.
*/
if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
is_zone = rpz_st->q.is_zone;
rpz_st_clear(client);
}
dns64_exclude = dns64 = ISC_TRUE;
goto db_find;
}
@ -7124,7 +7245,6 @@ ns_query_start(ns_client_t *client) {
dns_rdatatype_t qtype;
unsigned int saved_extflags = client->extflags;
unsigned int saved_flags = client->message->flags;
isc_boolean_t want_ad;
CTRACE("ns_query_start");
@ -7286,13 +7406,11 @@ ns_query_start(ns_client_t *client) {
client->query.attributes &= ~NS_QUERYATTR_SECURE;
/*
* Set 'want_ad' if the client has set AD in the query.
* Set NS_CLIENTATTR_WANTDNSSEC if the client has set AD in the query.
* This allows AD to be returned on queries without DO set.
*/
if ((message->flags & DNS_MESSAGEFLAG_AD) != 0)
want_ad = ISC_TRUE;
else
want_ad = ISC_FALSE;
client->attributes |= NS_CLIENTATTR_WANTAD;
/*
* This is an ordinary query.
@ -7317,7 +7435,7 @@ ns_query_start(ns_client_t *client) {
* Set AD. We must clear it if we add non-validated data to a
* response.
*/
if (WANTDNSSEC(client) || want_ad)
if (WANTDNSSEC(client) || WANTAD(client))
message->flags |= DNS_MESSAGEFLAG_AD;
qclient = NULL;

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -159,7 +159,7 @@
* a cache. Only effective when a finite max-cache-size is specified.
* This is currently defined to be 8MB.
*/
#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608
#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608U
struct ns_dispatch {
isc_sockaddr_t addr;
@ -242,6 +242,72 @@ static const struct {
{ "31.172.IN-ADDR.ARPA", ISC_TRUE },
{ "168.192.IN-ADDR.ARPA", ISC_TRUE },
/* RFC 6598 */
{ "64.100.IN-ADDR.ARPA", ISC_FALSE },
{ "65.100.IN-ADDR.ARPA", ISC_FALSE },
{ "66.100.IN-ADDR.ARPA", ISC_FALSE },
{ "67.100.IN-ADDR.ARPA", ISC_FALSE },
{ "68.100.IN-ADDR.ARPA", ISC_FALSE },
{ "69.100.IN-ADDR.ARPA", ISC_FALSE },
{ "70.100.IN-ADDR.ARPA", ISC_FALSE },
{ "71.100.IN-ADDR.ARPA", ISC_FALSE },
{ "72.100.IN-ADDR.ARPA", ISC_FALSE },
{ "73.100.IN-ADDR.ARPA", ISC_FALSE },
{ "74.100.IN-ADDR.ARPA", ISC_FALSE },
{ "75.100.IN-ADDR.ARPA", ISC_FALSE },
{ "76.100.IN-ADDR.ARPA", ISC_FALSE },
{ "77.100.IN-ADDR.ARPA", ISC_FALSE },
{ "78.100.IN-ADDR.ARPA", ISC_FALSE },
{ "79.100.IN-ADDR.ARPA", ISC_FALSE },
{ "80.100.IN-ADDR.ARPA", ISC_FALSE },
{ "81.100.IN-ADDR.ARPA", ISC_FALSE },
{ "82.100.IN-ADDR.ARPA", ISC_FALSE },
{ "83.100.IN-ADDR.ARPA", ISC_FALSE },
{ "84.100.IN-ADDR.ARPA", ISC_FALSE },
{ "85.100.IN-ADDR.ARPA", ISC_FALSE },
{ "86.100.IN-ADDR.ARPA", ISC_FALSE },
{ "87.100.IN-ADDR.ARPA", ISC_FALSE },
{ "88.100.IN-ADDR.ARPA", ISC_FALSE },
{ "89.100.IN-ADDR.ARPA", ISC_FALSE },
{ "90.100.IN-ADDR.ARPA", ISC_FALSE },
{ "91.100.IN-ADDR.ARPA", ISC_FALSE },
{ "92.100.IN-ADDR.ARPA", ISC_FALSE },
{ "93.100.IN-ADDR.ARPA", ISC_FALSE },
{ "94.100.IN-ADDR.ARPA", ISC_FALSE },
{ "95.100.IN-ADDR.ARPA", ISC_FALSE },
{ "96.100.IN-ADDR.ARPA", ISC_FALSE },
{ "97.100.IN-ADDR.ARPA", ISC_FALSE },
{ "98.100.IN-ADDR.ARPA", ISC_FALSE },
{ "99.100.IN-ADDR.ARPA", ISC_FALSE },
{ "100.100.IN-ADDR.ARPA", ISC_FALSE },
{ "101.100.IN-ADDR.ARPA", ISC_FALSE },
{ "102.100.IN-ADDR.ARPA", ISC_FALSE },
{ "103.100.IN-ADDR.ARPA", ISC_FALSE },
{ "104.100.IN-ADDR.ARPA", ISC_FALSE },
{ "105.100.IN-ADDR.ARPA", ISC_FALSE },
{ "106.100.IN-ADDR.ARPA", ISC_FALSE },
{ "107.100.IN-ADDR.ARPA", ISC_FALSE },
{ "108.100.IN-ADDR.ARPA", ISC_FALSE },
{ "109.100.IN-ADDR.ARPA", ISC_FALSE },
{ "110.100.IN-ADDR.ARPA", ISC_FALSE },
{ "111.100.IN-ADDR.ARPA", ISC_FALSE },
{ "112.100.IN-ADDR.ARPA", ISC_FALSE },
{ "113.100.IN-ADDR.ARPA", ISC_FALSE },
{ "114.100.IN-ADDR.ARPA", ISC_FALSE },
{ "115.100.IN-ADDR.ARPA", ISC_FALSE },
{ "116.100.IN-ADDR.ARPA", ISC_FALSE },
{ "117.100.IN-ADDR.ARPA", ISC_FALSE },
{ "118.100.IN-ADDR.ARPA", ISC_FALSE },
{ "119.100.IN-ADDR.ARPA", ISC_FALSE },
{ "120.100.IN-ADDR.ARPA", ISC_FALSE },
{ "121.100.IN-ADDR.ARPA", ISC_FALSE },
{ "122.100.IN-ADDR.ARPA", ISC_FALSE },
{ "123.100.IN-ADDR.ARPA", ISC_FALSE },
{ "124.100.IN-ADDR.ARPA", ISC_FALSE },
{ "125.100.IN-ADDR.ARPA", ISC_FALSE },
{ "126.100.IN-ADDR.ARPA", ISC_FALSE },
{ "127.100.IN-ADDR.ARPA", ISC_FALSE },
/* RFC 5735 and RFC 5737 */
{ "0.IN-ADDR.ARPA", ISC_FALSE }, /* THIS NETWORK */
{ "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */
@ -447,7 +513,7 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
element = cfg_list_next(element)) {
nameobj = cfg_listelt_value(element);
str = cfg_obj_asstring(nameobj);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_constinit(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
/*
@ -564,7 +630,7 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
keystruct.common.rdtype,
&keystruct, &rrdatabuf));
dns_fixedname_init(&fkeyname);
isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
isc_buffer_add(&namebuf, strlen(keynamestr));
CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
@ -798,7 +864,17 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
*/
obj = NULL;
(void)ns_config_get(maps, "managed-keys-directory", &obj);
directory = obj != NULL ? cfg_obj_asstring(obj) : NULL;
directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
if (directory != NULL)
result = isc_file_isdirectory(directory);
if (result != ISC_R_SUCCESS) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"invalid managed-keys-directory %s: %s",
directory, isc_result_totext(result));
goto cleanup;
}
CHECK(add_keydata_zone(view, directory, ns_g_mctx));
cleanup:
@ -824,7 +900,7 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
{
obj = cfg_listelt_value(element);
str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
isc_buffer_init(&b, str, strlen(str));
isc_buffer_constinit(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
@ -977,7 +1053,7 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) {
else
str = "*";
addroot = ISC_TF(strcmp(str, "*") == 0);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_constinit(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
dns_fixedname_init(&fixed);
result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
@ -1163,7 +1239,7 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
isc_buffer_init(&b, str, strlen(str));
isc_buffer_constinit(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
@ -1215,7 +1291,7 @@ on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
{
value = cfg_listelt_value(element);
str = cfg_obj_asstring(value);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_constinit(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
result = dns_name_fromtext(name, &b, dns_rootname,
0, NULL);
@ -1399,7 +1475,7 @@ dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
dns64_dbtype[3] = contact;
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
isc_buffer_init(&b, reverse, strlen(reverse));
isc_buffer_constinit(&b, reverse, strlen(reverse));
isc_buffer_add(&b, strlen(reverse));
CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
CHECK(dns_zone_create(&zone, mctx));
@ -1429,40 +1505,58 @@ dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
return (result);
}
static isc_result_t
configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
const char *str, const char *msg)
{
isc_result_t result;
result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
if (result != ISC_R_SUCCESS)
cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid %s '%s'", msg, str);
return (result);
}
static isc_result_t
configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
const char *str, const dns_name_t *origin)
{
isc_result_t result;
result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
view->mctx);
if (result != ISC_R_SUCCESS)
cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid zone '%s'", str);
return (result);
}
static isc_result_t
configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
{
const cfg_obj_t *rpz_obj, *policy_obj, *obj;
const cfg_obj_t *rpz_obj, *obj;
const char *str;
dns_rpz_zone_t *old, *new;
dns_zone_t *zone = NULL;
isc_result_t result;
rpz_obj = cfg_listelt_value(element);
new = isc_mem_get(view->mctx, sizeof(*new));
if (new == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup;
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"no memory for response policy zones");
return (ISC_R_NOMEMORY);
}
memset(new, 0, sizeof(*new));
dns_name_init(&new->origin, NULL);
dns_name_init(&new->nsdname, NULL);
dns_name_init(&new->cname, NULL);
dns_name_init(&new->passthru, NULL);
dns_name_init(&new->cname, NULL);
ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
rpz_obj = cfg_listelt_value(element);
policy_obj = cfg_tuple_get(rpz_obj, "policy");
if (cfg_obj_isvoid(policy_obj)) {
new->policy = DNS_RPZ_POLICY_GIVEN;
} else {
str = cfg_obj_asstring(cfg_tuple_get(policy_obj,
"policy name"));
new->policy = dns_rpz_str2policy(str);
INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
}
obj = cfg_tuple_get(rpz_obj, "recursive-only");
if (cfg_obj_isvoid(obj)) {
new->recursive_only = recursive_only_def;
@ -1480,47 +1574,14 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
}
str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
result = dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE,
view->mctx);
if (result != ISC_R_SUCCESS) {
result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
if (result != ISC_R_SUCCESS)
return (result);
if (dns_name_equal(&new->origin, dns_rootname)) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid zone '%s'", str);
goto cleanup;
"invalid zone name '%s'", str);
return (DNS_R_EMPTYLABEL);
}
result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
&new->origin, DNS_NAME_DOWNCASE,
view->mctx);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid zone '%s'", str);
goto cleanup;
}
result = dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE,
DNS_NAME_DOWNCASE, view->mctx);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid zone '%s'", str);
goto cleanup;
}
result = dns_view_findzone(view, &new->origin, &zone);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"unknown zone '%s'", str);
goto cleanup;
}
if (dns_zone_gettype(zone) != dns_zone_master &&
dns_zone_gettype(zone) != dns_zone_slave) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"zone '%s' is neither master nor slave", str);
dns_zone_detach(&zone);
result = DNS_R_NOTMASTER;
goto cleanup;
}
dns_zone_detach(&zone);
for (old = ISC_LIST_HEAD(view->rpz_zones);
old != new;
old = ISC_LIST_NEXT(old, link)) {
@ -1529,26 +1590,37 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"duplicate '%s'", str);
result = DNS_R_DUPLICATE;
goto cleanup;
return (result);
}
}
if (new->policy == DNS_RPZ_POLICY_CNAME) {
str = cfg_obj_asstring(cfg_tuple_get(policy_obj, "cname"));
result = dns_name_fromstring(&new->cname, str,
DNS_NAME_DOWNCASE, view->mctx);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid cname '%s'", str);
goto cleanup;
result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
DNS_RPZ_NSDNAME_ZONE, &new->origin);
if (result != ISC_R_SUCCESS)
return (result);
result = configure_rpz_name(view, rpz_obj, &new->passthru,
DNS_RPZ_PASSTHRU_ZONE, "zone");
if (result != ISC_R_SUCCESS)
return (result);
obj = cfg_tuple_get(rpz_obj, "policy");
if (cfg_obj_isvoid(obj)) {
new->policy = DNS_RPZ_POLICY_GIVEN;
} else {
str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
new->policy = dns_rpz_str2policy(str);
INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
if (new->policy == DNS_RPZ_POLICY_CNAME) {
str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
result = configure_rpz_name(view, rpz_obj, &new->cname,
str, "cname");
if (result != ISC_R_SUCCESS)
return (result);
}
}
return (ISC_R_SUCCESS);
cleanup:
dns_rpz_view_destroy(view);
return (result);
}
/*
@ -1617,6 +1689,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
unsigned int query_timeout;
struct cfg_context *nzctx;
dns_rpz_zone_t *rpz;
REQUIRE(DNS_VIEW_VALID(view));
@ -1714,6 +1787,53 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
&view->queryacl));
}
/*
* Make the list of response policy zone names for a view that
* is used for real lookups and so cares about hints.
*/
obj = NULL;
if (view->rdclass == dns_rdataclass_in && need_hints &&
ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
const cfg_obj_t *rpz_obj;
isc_boolean_t recursive_only_def;
dns_ttl_t ttl_def;
rpz_obj = cfg_tuple_get(obj, "recursive-only");
if (!cfg_obj_isvoid(rpz_obj) &&
!cfg_obj_asboolean(rpz_obj))
recursive_only_def = ISC_FALSE;
else
recursive_only_def = ISC_TRUE;
rpz_obj = cfg_tuple_get(obj, "break-dnssec");
if (!cfg_obj_isvoid(rpz_obj) &&
cfg_obj_asboolean(rpz_obj))
view->rpz_break_dnssec = ISC_TRUE;
else
view->rpz_break_dnssec = ISC_FALSE;
rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
if (cfg_obj_isuint32(rpz_obj))
ttl_def = cfg_obj_asuint32(rpz_obj);
else
ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
if (cfg_obj_isuint32(rpz_obj))
view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
else
view->rpz_min_ns_labels = 2;
element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
while (element != NULL) {
result = configure_rpz(view, element,
recursive_only_def, ttl_def);
if (result != ISC_R_SUCCESS)
goto cleanup;
element = cfg_list_next(element);
}
}
/*
* Configure the zones.
*/
@ -1735,6 +1855,22 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
actx, ISC_FALSE));
}
for (rpz = ISC_LIST_HEAD(view->rpz_zones);
rpz != NULL;
rpz = ISC_LIST_NEXT(rpz, link))
{
if (!rpz->defined) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"'%s' is not a master or slave zone",
namebuf);
result = ISC_R_NOTFOUND;
goto cleanup;
}
}
/*
* If we're allowing added zones, then load zone configuration
* from the newzone file for zones that were added during previous
@ -2161,9 +2297,9 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
* MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
*/
max_adb_size = 0;
if (max_cache_size != 0) {
if (max_cache_size != 0U) {
max_adb_size = max_cache_size / 8;
if (max_adb_size == 0)
if (max_adb_size == 0U)
max_adb_size = 1; /* Force minimum. */
if (view != nsc->primaryview &&
max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
@ -2638,7 +2774,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
obj = cfg_listelt_value(element);
str = cfg_obj_asstring(cfg_tuple_get(obj,
"trust-anchor"));
isc_buffer_init(&b, str, strlen(str));
isc_buffer_constinit(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
dlv = dns_fixedname_name(&view->dlv_fixed);
CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
@ -2691,7 +2827,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
element = cfg_list_next(element)) {
exclude = cfg_listelt_value(element);
str = cfg_obj_asstring(exclude);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_constinit(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
CHECK(dns_name_fromtext(name, &b, dns_rootname,
0, NULL));
@ -2745,7 +2881,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
result = ns_config_get(maps, "empty-server", &obj);
if (result == ISC_R_SUCCESS) {
str = cfg_obj_asstring(obj);
isc_buffer_init(&buffer, str, strlen(str));
isc_buffer_constinit(&buffer, str, strlen(str));
isc_buffer_add(&buffer, strlen(str));
CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
NULL));
@ -2760,7 +2896,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
result = ns_config_get(maps, "empty-contact", &obj);
if (result == ISC_R_SUCCESS) {
str = cfg_obj_asstring(obj);
isc_buffer_init(&buffer, str, strlen(str));
isc_buffer_constinit(&buffer, str, strlen(str));
isc_buffer_add(&buffer, strlen(str));
CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
NULL));
@ -2784,7 +2920,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
dns_forwarders_t *forwarders = NULL;
dns_view_t *pview = NULL;
isc_buffer_init(&buffer, empty, strlen(empty));
isc_buffer_constinit(&buffer, empty, strlen(empty));
isc_buffer_add(&buffer, strlen(empty));
/*
* Look for zone on drop list.
@ -2800,7 +2936,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
*/
(void)dns_view_findzone(view, name, &zone);
if (zone != NULL) {
CHECK(setquerystats(zone, mctx, zonestats_on));
dns_zone_detach(&zone);
continue;
}
@ -2886,49 +3021,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
}
}
/*
* Make the list of response policy zone names for views that
* are used for real lookups and so care about hints.
*/
obj = NULL;
if (view->rdclass == dns_rdataclass_in && need_hints &&
ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
const cfg_obj_t *recursive_only_obj;
const cfg_obj_t *break_dnssec_obj, *ttl_obj;
isc_boolean_t recursive_only_def;
dns_ttl_t ttl_def;
recursive_only_obj = cfg_tuple_get(obj, "recursive-only");
if (!cfg_obj_isvoid(recursive_only_obj) &&
!cfg_obj_asboolean(recursive_only_obj))
recursive_only_def = ISC_FALSE;
else
recursive_only_def = ISC_TRUE;
break_dnssec_obj = cfg_tuple_get(obj, "break-dnssec");
if (!cfg_obj_isvoid(break_dnssec_obj) &&
cfg_obj_asboolean(break_dnssec_obj))
view->rpz_break_dnssec = ISC_TRUE;
else
view->rpz_break_dnssec = ISC_FALSE;
ttl_obj = cfg_tuple_get(obj, "max-policy-ttl");
if (cfg_obj_isuint32(ttl_obj))
ttl_def = cfg_obj_asuint32(ttl_obj);
else
ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
for (element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
element != NULL;
element = cfg_list_next(element)) {
result = configure_rpz(view, element,
recursive_only_def, ttl_def);
if (result != ISC_R_SUCCESS)
goto cleanup;
dns_rpz_set_need(ISC_TRUE);
}
}
result = ISC_R_SUCCESS;
cleanup:
@ -3028,7 +3120,7 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
isc_buffer_t buffer;
in_port_t myport = port;
isc_buffer_init(&buffer, str, strlen(str));
isc_buffer_constinit(&buffer, str, strlen(str));
isc_buffer_add(&buffer, strlen(str));
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
@ -3280,6 +3372,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const char *zname;
dns_rdataclass_t zclass;
const char *ztypestr;
isc_boolean_t is_rpz;
dns_rpz_zone_t *rpz;
options = NULL;
(void)cfg_map_get(config, "options", &options);
@ -3290,7 +3384,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
* Get the zone origin as a dns_name_t.
*/
zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
isc_buffer_init(&buffer, zname, strlen(zname));
isc_buffer_constinit(&buffer, zname, strlen(zname));
isc_buffer_add(&buffer, strlen(zname));
dns_fixedname_init(&fixorigin);
CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
@ -3408,6 +3502,21 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
}
INSIST(dupzone == NULL);
/*
* Note whether this is a response policy zone.
*/
is_rpz = ISC_FALSE;
for (rpz = ISC_LIST_HEAD(view->rpz_zones);
rpz != NULL;
rpz = ISC_LIST_NEXT(rpz, link))
{
if (dns_name_equal(&rpz->origin, origin)) {
is_rpz = ISC_TRUE;
rpz->defined = ISC_TRUE;
break;
}
}
/*
* See if we can reuse an existing zone. This is
* only possible if all of these are true:
@ -3416,6 +3525,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
* - The zone is compatible with the config
* options (e.g., an existing master zone cannot
* be reused if the options specify a slave zone)
* - The zone was and is or was not and is not a policy zone
*/
result = dns_viewlist_find(&ns_g_server->viewlist,
view->name, view->rdclass,
@ -3429,6 +3539,9 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
if (zone != NULL && !ns_zone_reusable(zone, zconfig))
dns_zone_detach(&zone);
if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
dns_zone_detach(&zone);
if (zone != NULL) {
/*
* We found a reusable zone. Make it use the
@ -3451,6 +3564,19 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
dns_zone_setstats(zone, ns_g_server->zonestats);
}
if (is_rpz) {
result = dns_zone_rpz_enable(zone);
if (result != ISC_R_SUCCESS) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"zone '%s': incompatible"
" masterfile-format or database"
" for a response policy zone",
zname);
goto cleanup;
}
}
/*
* If the zone contains a 'forwarders' statement, configure
* selective forwarding.
@ -4126,7 +4252,7 @@ configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
INSIST(result == ISC_R_SUCCESS);
keynamestr = cfg_obj_asstring(obj);
dns_fixedname_init(&fname);
isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
isc_buffer_constinit(&buffer, keynamestr, strlen(keynamestr));
isc_buffer_add(&buffer, strlen(keynamestr));
keyname = dns_fixedname_name(&fname);
result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
@ -5858,6 +5984,7 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
dns_rdataclass_t rdclass;
REQUIRE(zonep != NULL && *zonep == NULL);
REQUIRE(zonename == NULL || *zonename == NULL);
input = args;
@ -5870,7 +5997,7 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
zonetxt = next_token(&input, " \t");
if (zonetxt == NULL)
return (ISC_R_SUCCESS);
if (zonename)
if (zonename != NULL)
*zonename = zonetxt;
/* Look for the optional class name. */
@ -5880,7 +6007,7 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
viewtxt = next_token(&input, " \t");
}
isc_buffer_init(&buf, zonetxt, strlen(zonetxt));
isc_buffer_constinit(&buf, zonetxt, strlen(zonetxt));
isc_buffer_add(&buf, strlen(zonetxt));
dns_fixedname_init(&name);
result = dns_name_fromtext(dns_fixedname_name(&name),
@ -6788,7 +6915,7 @@ ns_server_flushname(ns_server_t *server, char *args) {
if (target == NULL)
return (ISC_R_UNEXPECTEDEND);
isc_buffer_init(&b, target, strlen(target));
isc_buffer_constinit(&b, target, strlen(target));
isc_buffer_add(&b, strlen(target));
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
@ -7342,7 +7469,7 @@ ns_server_add_zone(ns_server_t *server, char *args) {
CHECK(cfg_map_get(config, "addzone", &parms));
zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
isc_buffer_init(&buf, zonename, strlen(zonename));
isc_buffer_constinit(&buf, zonename, strlen(zonename));
isc_buffer_add(&buf, strlen(zonename));
dns_name_init(&dnsname, NULL);
isc_buffer_allocate(server->mctx, &nbuf, 256);
@ -7406,7 +7533,8 @@ ns_server_add_zone(ns_server_t *server, char *args) {
CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
/* Mark view unfrozen so that zone can be added */
isc_task_beginexclusive(server->task);
result = isc_task_beginexclusive(server->task);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
dns_view_thaw(view);
result = configure_zone(cfg->config, parms, vconfig,
server->mctx, view, cfg->actx, ISC_FALSE);
@ -7515,8 +7643,7 @@ ns_server_del_zone(ns_server_t *server, char *args) {
/* Parse parameters */
CHECK(zone_from_args(server, args, &zone, &zonename));
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
result = ISC_R_UNEXPECTEDEND;
goto cleanup;
@ -7531,8 +7658,8 @@ ns_server_del_zone(ns_server_t *server, char *args) {
goto cleanup;
}
if (zonename != NULL)
znamelen = strlen(zonename);
INSIST(zonename != NULL);
znamelen = strlen(zonename);
/* Dig out configuration for this zone */
view = dns_zone_getview(zone);

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2008-2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -202,6 +202,8 @@ init_desc(void) {
SET_NSSTATDESC(updatebadprereq,
"updates rejected due to prerequisite failure",
"UpdateBadPrereq");
SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
"RPZRewrites");
INSIST(i == dns_nsstatscounter_max);
/* Initialize resolver statistics */
@ -877,11 +879,11 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
TRY0(xmlTextWriterEndElement(writer)); /* views */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
isc_socketmgr_renderxml(ns_g_socketmgr, writer);
TRY0(isc_socketmgr_renderxml(ns_g_socketmgr, writer));
TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
isc_taskmgr_renderxml(ns_g_taskmgr, writer);
TRY0(isc_taskmgr_renderxml(ns_g_taskmgr, writer));
TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
@ -944,7 +946,7 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
TRY0(xmlTextWriterEndElement(writer)); /* server */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
isc_mem_renderxml(writer);
TRY0(isc_mem_renderxml(writer));
TRY0(xmlTextWriterEndElement(writer)); /* memory */
TRY0(xmlTextWriterEndElement(writer)); /* statistics */

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -73,7 +73,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
if (result == ISC_R_SUCCESS) {
s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
isc_buffer_init(&b, s, strlen(s));
isc_buffer_constinit(&b, s, strlen(s));
isc_buffer_add(&b, strlen(s));
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
@ -87,7 +87,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
result = cfg_map_get(options, "tkey-domain", &obj);
if (result == ISC_R_SUCCESS) {
s = cfg_obj_asstring(obj);
isc_buffer_init(&b, s, strlen(s));
isc_buffer_constinit(&b, s, strlen(s));
isc_buffer_add(&b, strlen(s));
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
@ -106,7 +106,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
if (result == ISC_R_SUCCESS) {
s = cfg_obj_asstring(obj);
isc_buffer_init(&b, s, strlen(s));
isc_buffer_constinit(&b, s, strlen(s));
isc_buffer_add(&b, strlen(s));
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -78,7 +78,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
* Create the key name.
*/
dns_name_init(&keyname, NULL);
isc_buffer_init(&keynamesrc, keyid, strlen(keyid));
isc_buffer_constinit(&keynamesrc, keyid, strlen(keyid));
isc_buffer_add(&keynamesrc, strlen(keyid));
isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -225,7 +225,9 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
return (ISC_R_FAILURE);
}
isc_mem_create(0, 0, &mctx);
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
return (result);
cd = isc_mem_get(mctx, sizeof(*cd));
if (cd == NULL) {
@ -247,7 +249,9 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
}
/* Initialize the lock */
isc_mutex_init(&cd->lock);
result = isc_mutex_init(&cd->lock);
if (result != ISC_R_SUCCESS)
goto failed;
/* Open the library */
dlopen_flags = RTLD_NOW|RTLD_GLOBAL;
@ -351,11 +355,11 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
failed:
dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
if (cd->dl_path)
if (cd->dl_path != NULL)
isc_mem_free(mctx, cd->dl_path);
if (cd->dlzname)
if (cd->dlzname != NULL)
isc_mem_free(mctx, cd->dlzname);
if (dlopen_flags)
if (dlopen_flags != 0)
(void) isc_mutex_destroy(&cd->lock);
#ifdef HAVE_DLCLOSE
if (cd->dl_handle)

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -3500,7 +3500,8 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
ISC_LIST_APPEND(diff->tuples, tuple, link);
dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if ((dnskey.flags &
(DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
!= DNS_KEYOWNER_ZONE)

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -833,14 +833,6 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
question_name, question_class);
is_dlz = ISC_TRUE;
/*
* DLZ only support full zone transfer, not incremental
*/
if (reqtype != dns_rdatatype_axfr) {
mnemonic = "AXFR-style IXFR";
reqtype = dns_rdatatype_axfr;
}
} else {
/*
* not DLZ and not in normal zone table, we are
@ -852,12 +844,14 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
} else {
/* zone table has a match */
switch(dns_zone_gettype(zone)) {
/* Master and slave zones are OK for transfer. */
case dns_zone_master:
case dns_zone_slave:
case dns_zone_dlz:
break; /* Master and slave zones are OK for transfer. */
break;
default:
FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class);
FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
question_name, question_class);
}
CHECK(dns_zone_getdb(zone, &db));
dns_db_currentversion(db, &ver);
@ -992,7 +986,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
is_poll = ISC_TRUE;
goto have_stream;
}
journalfile = dns_zone_getjournal(zone);
journalfile = is_dlz ? NULL : dns_zone_getjournal(zone);
if (journalfile != NULL)
result = ixfr_rrstream_create(mctx,
journalfile,

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -56,6 +56,7 @@
typedef enum {
allow_notify,
allow_query,
allow_query_on,
allow_transfer,
allow_update,
allow_update_forwarding
@ -104,6 +105,11 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
aclp = &view->queryacl;
aclname = "allow-query";
break;
case allow_query_on:
if (view != NULL)
aclp = &view->queryonacl;
aclname = "allow-query-on";
break;
case allow_transfer:
if (view != NULL)
aclp = &view->transferacl;
@ -269,7 +275,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
dns_fixedname_init(&fident);
str = cfg_obj_asstring(identity);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_constinit(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
dns_rootname, 0, NULL);
@ -292,7 +298,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
}
} else {
str = cfg_obj_asstring(dname);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_constinit(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
result = dns_name_fromtext(dns_fixedname_name(&fname),
&b, dns_rootname, 0, NULL);
@ -525,7 +531,7 @@ configure_staticstub_servernames(const cfg_obj_t *zconfig, dns_zone_t *zone,
dns_fixedname_init(&fixed_name);
nsname = dns_fixedname_name(&fixed_name);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_constinit(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
result = dns_name_fromtext(nsname, &b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
@ -934,6 +940,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setqueryacl,
dns_zone_clearqueryacl));
RETERR(configure_zone_acl(zconfig, vconfig, config,
allow_query_on, ac, zone,
dns_zone_setqueryonacl,
dns_zone_clearqueryonacl));
obj = NULL;
result = ns_config_get(maps, "dialup", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
@ -1111,6 +1122,17 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING,
cfg_obj_asboolean(obj));
obj = NULL;
result = ns_config_get(maps, "check-spf", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
check = ISC_TRUE;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
check = ISC_FALSE;
} else
INSIST(0);
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSPF, check);
obj = NULL;
result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -930,7 +930,7 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
INSIST(count == 1);
}
#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:rR::t:u:"
#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:r:R::t:u:"
static void
pre_parse_args(int argc, char **argv) {

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -771,6 +771,7 @@ main(int argc, char **argv) {
program, isc_commandline_option);
usage(1);
}
/* FALLTHROUGH */
case 'h':
usage(0);
break;

View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -93,6 +93,7 @@ main(int argc, char **argv) {
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* FALLTHROUGH */
case 'h':
usage();

View File

@ -1,4 +1,4 @@
.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -23,7 +23,7 @@
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "ISC\-HMAC\-FIXUP" "1" "January 5, 2010" "BIND9" "BIND9"
.TH "ISC\-HMAC\-FIXUP" "8" "January 5, 2010" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@ -57,5 +57,5 @@ RFC 2104.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2010 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@ -25,7 +25,7 @@
<refmeta>
<refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
<manvolnum>1</manvolnum>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
@ -37,6 +37,7 @@
<docinfo>
<copyright>
<year>2010</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543352"></a><h2>DESCRIPTION</h2>
<a name="id2543355"></a><h2>DESCRIPTION</h2>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@ -57,7 +57,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543376"></a><h2>SECURITY CONSIDERATIONS</h2>
<a name="id2543379"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
@ -68,14 +68,14 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543389"></a><h2>SEE ALSO</h2>
<a name="id2543393"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2104</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543406"></a><h2>AUTHOR</h2>
<a name="id2543410"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -283,9 +283,15 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <net/if6.h> header file. */
#undef HAVE_NET_IF6_H
/* Define if your OpenSSL version supports ECDSA. */
#undef HAVE_OPENSSL_ECDSA
/* Define if your OpenSSL version supports GOST. */
#undef HAVE_OPENSSL_GOST
/* Define to 1 if you have the <regex.h> header file. */
#undef HAVE_REGEX_H
/* Define to 1 if you have the `setegid' function. */
#undef HAVE_SETEGID
@ -367,6 +373,10 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to allow building of objects for dlopen(). */
#undef ISC_DLZ_DLOPEN
/* Define to the sub-directory in which libtool stores uninstalled libraries.
*/
#undef LT_OBJDIR
/* Defined if extern char *optarg is not declared. */
#undef NEED_OPTARG

View File

@ -60,7 +60,7 @@ case $host in
esac
AC_ARG_ENABLE(threads,
[ --enable-threads enable multithreading])
[ --enable-threads enable multithreading])
case "$enable_threads" in
yes)
use_threads=true

View File

@ -1,4 +1,4 @@
# Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -24,6 +24,7 @@ AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
AC_CONFIG_HEADER(config.h)
AC_CONFIG_MACRO_DIR([libtool.m4])
AC_CANONICAL_HOST
@ -62,14 +63,13 @@ It is available from http://www.isc.org as a separate download.])
;;
esac
AC_ARG_ENABLE(developer, [ --enable-developer enable developer build settings])
AC_ARG_ENABLE(developer, [ --enable-developer enable developer build settings])
case "$enable_developer" in
yes)
STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${with_atf+set}" = set || with_atf=yes
test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
test "${enable_rpz_nsip+set}" = set || enable_rpz_nsip=yes
test "${enable_rpz_nsdname+set}" = set || enable_rpz_nsdname=yes
test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
case "$host" in
*-darwin*)
@ -298,7 +298,7 @@ esac
AC_HEADER_STDC
AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
[$ac_includes_default
#ifdef HAVE_SYS_PARAM_H
# include <sys/param.h>
@ -322,17 +322,15 @@ AC_CHECK_FUNCS(setegid setresgid)
# is reported to not support "static inline" (RT #1212).
#
AC_MSG_CHECKING(for static inline breakage)
AC_TRY_COMPILE(, [
foo1();
}
AC_TRY_COMPILE([
static inline int foo1() {
return 0;
}
static inline int foo2() {
return foo1();
],
}
], [foo1();],
[AC_MSG_RESULT(no)],
[AC_MSG_RESULT(yes)
AC_DEFINE(inline, ,[Define to empty if your compiler does not support "static inline".])])
@ -445,6 +443,8 @@ int main() {
[AC_MSG_RESULT(yes)
ISC_PLATFORM_HAVEEPOLL="#define ISC_PLATFORM_HAVEEPOLL 1"],
[AC_MSG_RESULT(no)
ISC_PLATFORM_HAVEEPOLL="#undef ISC_PLATFORM_HAVEEPOLL"],
[AC_MSG_RESULT(no)
ISC_PLATFORM_HAVEEPOLL="#undef ISC_PLATFORM_HAVEEPOLL"])
;;
yes)
@ -550,12 +550,16 @@ case "$use_openssl" in
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
USE_OPENSSL=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
;;
auto)
DST_OPENSSL_INC=""
USE_OPENSSL=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
@ -691,20 +695,20 @@ no)
;;
esac
AC_MSG_CHECKING(for OpenSSL DSA support)
if test -f $use_openssl/include/openssl/dsa.h
then
AC_DEFINE(HAVE_OPENSSL_DSA)
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
fi
AC_MSG_CHECKING(for OpenSSL DSA support)
if test -f $use_openssl/include/openssl/dsa.h
then
AC_DEFINE(HAVE_OPENSSL_DSA)
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
fi
AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
AC_MSG_CHECKING(for OpenSSL ECDSA support)
have_ecdsa=""
AC_TRY_RUN([
AC_MSG_CHECKING(for OpenSSL ECDSA support)
have_ecdsa=""
AC_TRY_RUN([
#include <stdio.h>
#include <openssl/ecdsa.h>
#include <openssl/objects.h>
@ -721,22 +725,42 @@ int main() {
return (0);
}
],
[AC_MSG_RESULT(yes)
have_ecdsa="yes"],
[AC_MSG_RESULT(no)
have_ecdsa="no"])
case $have_ecdsa in
yes)
OPENSSL_ECDSA="yes"
AC_DEFINE(HAVE_OPENSSL_ECDSA)
;;
*)
;;
esac
[AC_MSG_RESULT(yes)
have_ecdsa="yes"],
[AC_MSG_RESULT(no)
have_ecdsa="no"],
[AC_MSG_RESULT(using --with-ecdsa)])
AC_ARG_WITH(ecdsa, [ --with-ecdsa OpenSSL ECDSA],
with_ecdsa="$withval", with_ecdsa="auto")
case "$with_ecdsa" in
yes)
case "$have_ecdsa" in
no) AC_MSG_ERROR([ecdsa not supported]) ;;
*) have_ecdsa=yes ;;
esac
;;
no)
have_ecdsa=no ;;
*)
case "$have_ecdsa" in
yes|no) ;;
*) AC_MSG_ERROR([need --with-ecdsa=[[yes or no]]]) ;;
esac
;;
esac
case $have_ecdsa in
yes)
OPENSSL_ECDSA="yes"
AC_DEFINE(HAVE_OPENSSL_ECDSA, 1,
[Define if your OpenSSL version supports ECDSA.])
;;
*)
;;
esac
AC_MSG_CHECKING(for OpenSSL GOST support)
have_gost=""
AC_TRY_RUN([
AC_MSG_CHECKING(for OpenSSL GOST support)
have_gost=""
AC_TRY_RUN([
#include <openssl/conf.h>
#include <openssl/engine.h>
int main() {
@ -758,43 +782,46 @@ int main() {
#endif
}
],
[AC_MSG_RESULT(yes)
have_gost="yes"],
[AC_MSG_RESULT(no)
have_gost="no"],
[AC_MSG_RESULT(using --with-gost)])
AC_ARG_WITH(gost, , with_gost="$withval", with_gost="auto")
case "$with_gost" in
yes)
case "$have_gost" in
no) AC_MSG_ERROR([gost not supported]) ;;
*) have_gost=yes ;;
esac
;;
no)
have_gost=no ;;
*)
case "$have_gost" in
yes|no) ;;
*) AC_MSG_ERROR([need --with-gost=[[yes or no]]]) ;;
esac
;;
esac
case $have_gost in
yes)
OPENSSL_GOST="yes"
AC_DEFINE(HAVE_OPENSSL_GOST, 1,
[Define if your OpenSSL version supports GOST.])
;;
*)
;;
esac
CFLAGS="$saved_cflags"
LIBS="$saved_libs"
OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
[AC_MSG_RESULT(yes)
have_gost="yes"],
[AC_MSG_RESULT(no)
have_gost="no"],
[AC_MSG_RESULT(using --with-gost)])
AC_ARG_WITH(gost, [ --with-gost OpenSSL GOST],
with_gost="$withval", with_gost="auto")
case "$with_gost" in
yes)
case "$have_gost" in
no) AC_MSG_ERROR([gost not supported]) ;;
*) have_gost=yes ;;
esac
;;
no)
have_gost=no ;;
*)
case "$have_gost" in
yes|no) ;;
*) AC_MSG_ERROR([need --with-gost=[[yes or no]]]) ;;
esac
;;
esac
case $have_gost in
yes)
OPENSSL_GOST="yes"
OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
AC_DEFINE(HAVE_OPENSSL_GOST, 1,
[Define if your OpenSSL version supports GOST.])
;;
*)
;;
esac
CFLAGS="$saved_cflags"
LIBS="$saved_libs"
OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
;;
esac
#
@ -804,6 +831,8 @@ esac
AC_SUBST(USE_OPENSSL)
AC_SUBST(DST_OPENSSL_INC)
AC_SUBST(OPENSSLGOSTLINKOBJS)
AC_SUBST(OPENSSLGOSTLINKSRCS)
AC_SUBST(OPENSSLLINKOBJS)
AC_SUBST(OPENSSLLINKSRCS)
AC_SUBST(OPENSSL_ECDSA)
@ -1075,6 +1104,11 @@ AC_ARG_WITH(randomdev,
case "$use_randomdev" in
unspec)
case "$cross_compiling" in
yes)
AC_MSG_RESULT(unspecified)
AC_MSG_ERROR([ need --with-randomdev=PATH or --with-randomdev=no])
esac
case "$host" in
*-openbsd*)
devrandom=/dev/arandom
@ -1087,6 +1121,7 @@ case "$use_randomdev" in
AC_CHECK_FILE($devrandom,
AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
"$devrandom"),)
;;
yes)
AC_MSG_ERROR([--with-randomdev must specify a path])
@ -1258,7 +1293,7 @@ case "$use_libxml2" in
;;
auto|yes)
case X`(xml2-config --version) 2>/dev/null` in
X2.[[678]].*)
X2.[[6789]].*)
libxml2_libs=`xml2-config --libs`
libxml2_cflags=`xml2-config --cflags`
;;
@ -1595,8 +1630,8 @@ AC_SUBST(LIBTOOL_IN_MAIN)
# build exportable DNS library?
#
AC_ARG_ENABLE(exportlib,
[ --enable-exportlib build exportable library (GNU make required)
[[default=no]]])
[ --enable-exportlib build exportable library (GNU make required)
[[default=no]]])
case "$enable_exportlib" in
yes)
gmake=
@ -1621,8 +1656,8 @@ AC_SUBST(BIND9_CO_RULE)
AC_ARG_WITH(export-libdir,
[ --with-export-libdir[=PATH]
installation directory for the export library
[[EPREFIX/lib/bind9]]],
installation directory for the export library
[[EPREFIX/lib/bind9]]],
export_libdir="$withval",)
if test -z "$export_libdir"; then
export_libdir="\${exec_prefix}/lib/bind9/"
@ -1631,8 +1666,8 @@ AC_SUBST(export_libdir)
AC_ARG_WITH(export-includedir,
[ --with-export-includedir[=PATH]
installation directory for the header files of the
export library [[PREFIX/include/bind9]]],
installation directory for the header files of the
export library [[PREFIX/include/bind9]]],
export_includedir="$withval",)
if test -z "$export_includedir"; then
export_includedir="\${prefix}/include/bind9/"
@ -2827,9 +2862,9 @@ esac
# Enable response policy rewriting using NS IP addresses
#
AC_ARG_ENABLE(rpz-nsip,
[ --enable-rpz-nsip enable rpz-nsip rules [[default=no]]],
[ --disable-rpz-nsip disable rpz-nsip rules [[default=enabled]]],
enable_nsip="$enableval",
enable_nsip="no")
enable_nsip="yes")
case "$enable_nsip" in
yes)
AC_DEFINE(ENABLE_RPZ_NSIP, 1,
@ -2845,9 +2880,9 @@ esac
# Enable response policy rewriting using NS name
#
AC_ARG_ENABLE(rpz-nsdname,
[ --enable-rpz-nsdname enable rpz-nsdname rules [[default=no]]],
[ --disable-rpz-nsdname disable rpz-nsdname rules [[default=enabled]]],
enable_nsdname="$enableval",
enable_nsdname="no")
enable_nsdname="yes")
case "$enable_nsdname" in
yes)
AC_DEFINE(ENABLE_RPZ_NSDNAME, 1,
@ -2995,7 +3030,7 @@ AC_ARG_WITH(docbook-xsl,
case "$docbook_path" in
auto)
AC_MSG_RESULT(auto)
docbook_xsl_trees="/usr/pkg/share/xsl/docbook /usr/local/share/xsl/docbook /usr/share/xsl/docbook"
docbook_xsl_trees="/usr/pkg/share/xsl/docbook /usr/local/share/xsl/docbook /usr/share/xsl/docbook /opt/local/share/xsl/docbook-xsl"
;;
*)
docbook_xsl_trees="$withval"
@ -3131,14 +3166,22 @@ AC_SUBST(IDNLIBS)
# Check whether to build Automated Test Framework unit tests
#
AC_ARG_WITH(atf,
[ --with-atf=ARG Automated Test Framework support],
[ --with-atf=ARG Automated Test Framework support],
atf="$withval", atf="no")
if test "$atf" = yes; then
atf=`pwd`/unit/atf
ATFBUILD=atf-src
AC_SUBST(ATFBUILD)
AC_CONFIG_COMMANDS([atf-config],
[cd unit/atf-src; ${SHELL} ./configure MISSING=: --prefix $atfdir; cd ../..],
[(
mkdir -p unit/atf-src;
cd unit/atf-src;
case "$srcdir" in
/*) ;;
*) srcdir="../../$srcdir";;
esac
${SHELL} ${srcdir}${srcdir:+/unit/atf-src/}./configure MISSING=: --prefix $atfdir;
) ],
[atfdir=`pwd`/unit/atf])
AC_MSG_RESULT(building ATF from bind9/unit/atf-src)
fi
@ -3149,6 +3192,9 @@ if test "$atf" != no; then
STD_CINCLUDES="$STD_CINCLUDES -I$atf/include"
ATFBIN="$atf/bin"
ATFLIBS="-L$atf/lib -latf-c"
if test "$want_openssl_hash" = yes; then
ATFLIBS="-L$atf/lib -latf-c $DNS_CRYPTO_LIBS"
fi
UNITTESTS=tests
fi
AC_SUBST(ATFBIN)
@ -3193,9 +3239,20 @@ AC_SUBST_FILE(BIND9_MAKE_RULES)
BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
. $srcdir/version
BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\""
AC_SUBST(BIND9_PRODUCT)
BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\""
AC_SUBST(BIND9_DESCRIPTION)
BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}"
AC_SUBST(BIND9_VERSION)
BIND9_SRCID="SRCID=unset"
if test -f $srcdir/srcid; then
. $srcdir/srcid
BIND9_SRCID="SRCID=$SRCID"
fi
AC_SUBST(BIND9_SRCID)
if test -z "$ac_configure_args"; then
BIND9_CONFIGARGS="defaults"
else
@ -3264,6 +3321,11 @@ AC_ARG_WITH(dlopen,
[ --with-dlopen=ARG Support dynamically loadable DLZ drivers],
dlopen="$withval", dlopen="yes")
case $host in
*-sunos*) dlopen="no"
;;
esac
if test "$dlopen" = "yes"; then
AC_CHECK_LIB(dl, dlopen, have_dl=yes, have_dl=no)
if test "$have_dl" = "yes"; then
@ -3278,7 +3340,11 @@ if test "$dlopen" = "yes"; then
SO_CFLAGS="-fPIC"
if test "$have_dl" = "yes"
then
SO_LD="${CC} -shared"
if test "$use_libtool" = "yes"; then
SO_LD="${CC} -Xcompiler -shared"
else
SO_LD="${CC} -shared"
fi
else
SO_LD="ld -shared"
fi
@ -3484,6 +3550,21 @@ AC_CONFIG_FILES([
bin/tests/atomic/Makefile
bin/tests/db/Makefile
bin/tests/dst/Makefile
bin/tests/dst/Kdh.+002+18602.key
bin/tests/dst/Kdh.+002+18602.private
bin/tests/dst/Kdh.+002+48957.key
bin/tests/dst/Kdh.+002+48957.private
bin/tests/dst/Ktest.+001+00002.key
bin/tests/dst/Ktest.+001+54622.key
bin/tests/dst/Ktest.+001+54622.private
bin/tests/dst/Ktest.+003+23616.key
bin/tests/dst/Ktest.+003+23616.private
bin/tests/dst/Ktest.+003+49667.key
bin/tests/dst/dst_2_data
bin/tests/dst/t2_data_1
bin/tests/dst/t2_data_2
bin/tests/dst/t2_dsasig
bin/tests/dst/t2_rsasig
bin/tests/hashes/Makefile
bin/tests/headerdep_test.sh
bin/tests/master/Makefile

View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -33,6 +33,7 @@
<year>2010</year>
<year>2011</year>
<year>2012</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@ -1480,7 +1481,7 @@ zone "eng.example.com" {
<optional><replaceable>view</replaceable></optional></term>
<listitem>
<para>
Delete a given TKEY-negotated key from the server.
Delete a given TKEY-negotiated key from the server.
(This does not apply to statically configured TSIG
keys.)
</para>
@ -3274,31 +3275,45 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</entry>
<entry colname="2">
<para>
A number, the word <userinput>unlimited</userinput>,
or the word <userinput>default</userinput>.
</para>
<para>
An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
use, or the maximum available amount. A <varname>default size_spec</varname> uses
the limit that was in force when the server was started.
A 64-bit unsigned integer, or the keywords
<userinput>unlimited</userinput> or
<userinput>default</userinput>.
</para>
<para>
A <varname>number</varname> can optionally be
followed by a scaling factor:
Integers may take values
0 &lt;= value &lt;= 18446744073709551615, though
certain parameters may use a more limited range
within these extremes. In most cases, setting a
value to 0 does not literally mean zero; it means
"undefined" or "as big as psosible", depending on
the context. See the expalantions of particular
parameters that use <varname>size_spec</varname>
for details on how they interpret its use.
</para>
<para>
Numeric values can optionally be followed by a
scaling factor:
<userinput>K</userinput> or <userinput>k</userinput>
for kilobytes,
<userinput>M</userinput> or <userinput>m</userinput>
for megabytes, and
<userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
which scale by 1024, 1024*1024, and 1024*1024*1024
respectively.
<userinput>G</userinput> or <userinput>g</userinput>
for gigabytes, which scale by 1024, 1024*1024, and
1024*1024*1024 respectively.
</para>
<para>
The value must be representable as a 64-bit unsigned integer
(0 to 18446744073709551615, inclusive).
Using <varname>unlimited</varname> is the best
way
to safely set a really large number.
<para>
<varname>unlimited</varname> generally means
"as big as possible", though in certain contexts,
(including <option>max-cache-size</option>), it may
mean the largest possible 32-bit unsigned integer
(0xffffffff); this distinction can be important when
dealing with larger quantities.
<varname>unlimited</varname> is usually the best way
to safely set a very large number.
</para>
<para>
<varname>default</varname>
uses the limit that was in force when the server was started.
</para>
</entry>
</row>
@ -4031,7 +4046,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
[ <command>channel</command> <replaceable>channel_name</replaceable> {
( <command>file</command> <replaceable>path_name</replaceable>
[ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
[ <command>size</command> <replaceable>size spec</replaceable> ]
[ <command>size</command> <replaceable>size_spec</replaceable> ]
| <command>syslog</command> <replaceable>syslog_facility</replaceable>
| <command>stderr</command>
| <command>null</command> );
@ -5057,6 +5072,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
<optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
<optional> request-nsid <replaceable>yes_or_no</replaceable>; </optional>
<optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
<optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
@ -5083,6 +5099,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
<optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> allow-new-zones { <replaceable>yes_or_no</replaceable> }; </optional>
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
@ -5216,7 +5233,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> policy given | disabled | passthru | nxdomain | nodata | cname <replaceable>domain</replaceable> </optional>
<optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional> ;
} <optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional>
<optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> ; </optional>
<optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> <optional> min-ns-dots <replaceable>number</replaceable> </optional> ; </optional>
};
</programlisting>
@ -5374,11 +5391,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<term><command>managed-keys-directory</command></term>
<listitem>
<para>
The directory used to hold the files used to track managed keys.
By default it is the working directory. It there are no
views then the file <filename>managed-keys.bind</filename>
otherwise a SHA256 hash of the view name is used with
<filename>.mkeys</filename> extension added.
Specifies the directory in which to store the files that
track managed DNSSEC keys. By default, this is the working
directory.
</para>
<para>
If <command>named</command> is not configured to use views,
then managed keys for the server will be tracked in a single
file called <filename>managed-keys.bind</filename>.
Otherwise, managed keys will be tracked in separate files,
one file per view; each file name will be the SHA256 hash
of the view name, followed by the extension
<filename>.mkeys</filename>.
</para>
</listitem>
</varlistentry>
@ -5760,7 +5784,8 @@ options {
installed along with <acronym>BIND</acronym> 9, and is
current as of the release date. If the DLV key expires, a
new copy of <filename>bind.keys</filename> can be downloaded
from <ulink>https://www.isc.org/solutions/dlv</ulink>.
from <ulink url="https://www.isc.org/solutions/dlv/"
>https://www.isc.org/solutions/dlv/</ulink>.
</para>
<para>
(To prevent problems if <filename>bind.keys</filename> is
@ -6348,6 +6373,22 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>request-nsid</command></term>
<listitem>
<para>
If <userinput>yes</userinput>, then an empty EDNS(0)
NSID (Name Server Identifier) option is sent with all
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
the <command>resolver</command> category at level
<command>info</command>.
The default is <userinput>no</userinput>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>rfc2308-type1</command></term>
<listitem>
@ -6808,6 +6849,13 @@ options {
checks use <command>named-checkzone</command>).
The default is <command>yes</command>.
</para>
<para>
Check that the two forms of Sender Policy Framework
records (TXT records starting with "v=spf1" and SPF) either
both exist or both don't exist. Warnings are
emitted it they don't and be suppressed with
<command>check-spf</command>.
</para>
</listitem>
</varlistentry>
@ -6843,6 +6891,19 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>check-spf</command></term>
<listitem>
<para>
When performing integrity checks, check that the
two forms of Sender Policy Framwork records (TXT
records starting with "v=spf1" and SPF) both exist
or both don't exist and issue a warning if not
met. The default is <command>warn</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>zero-no-soa-ttl</command></term>
<listitem>
@ -7105,6 +7166,12 @@ options {
disallow them on external-facing ones, without
necessarily knowing the internal network's addresses.
</para>
<para>
Note that <command>allow-query-on</command> is only
checked for queries that are permitted by
<command>allow-query</command>. A query must be
allowed by both ACLs, or it will be refused.
</para>
<para>
<command>allow-query-on</command> may
also be specified in the <command>zone</command>
@ -8819,12 +8886,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
built-in view (see <xref linkend="view_statement_grammar"/>) of
class
<command>CHAOS</command> which is separate from the
default view of
class <command>IN</command>; therefore, any global
server options
such as <command>allow-query</command> do not apply
the these zones.
If you feel the need to disable these zones, use the options
default view of class <command>IN</command>. Most global
configuration options (<command>allow-query</command>,
etc) will apply to this view, but some are locally
overridden: <command>notify</command>,
<command>recursion</command> and
<command>allow-new-zones</command> are
always set to <userinput>no</userinput>.
</para>
<para>
If you need to disable these zones, use the options
below, or hide the built-in <command>CHAOS</command>
view by
defining an explicit view of class <command>CHAOS</command>
@ -8897,7 +8968,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
servers. The official servers which cover these namespaces
return NXDOMAIN responses to these queries. In particular,
these cover the reverse namespaces for addresses from
RFC 1918, RFC 4193, and RFC 5737. They also include the
RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the
reverse namespace for IPv6 local address (locally assigned),
IPv6 link local addresses, the IPv6 loopback address and the
IPv6 unknown address.
@ -8928,6 +8999,70 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<listitem>30.172.IN-ADDR.ARPA</listitem>
<listitem>31.172.IN-ADDR.ARPA</listitem>
<listitem>168.192.IN-ADDR.ARPA</listitem>
<listitem>64.100.IN-ADDR.ARPA</listitem>
<listitem>65.100.IN-ADDR.ARPA</listitem>
<listitem>66.100.IN-ADDR.ARPA</listitem>
<listitem>67.100.IN-ADDR.ARPA</listitem>
<listitem>68.100.IN-ADDR.ARPA</listitem>
<listitem>69.100.IN-ADDR.ARPA</listitem>
<listitem>70.100.IN-ADDR.ARPA</listitem>
<listitem>71.100.IN-ADDR.ARPA</listitem>
<listitem>72.100.IN-ADDR.ARPA</listitem>
<listitem>73.100.IN-ADDR.ARPA</listitem>
<listitem>74.100.IN-ADDR.ARPA</listitem>
<listitem>75.100.IN-ADDR.ARPA</listitem>
<listitem>76.100.IN-ADDR.ARPA</listitem>
<listitem>77.100.IN-ADDR.ARPA</listitem>
<listitem>78.100.IN-ADDR.ARPA</listitem>
<listitem>79.100.IN-ADDR.ARPA</listitem>
<listitem>80.100.IN-ADDR.ARPA</listitem>
<listitem>81.100.IN-ADDR.ARPA</listitem>
<listitem>82.100.IN-ADDR.ARPA</listitem>
<listitem>83.100.IN-ADDR.ARPA</listitem>
<listitem>84.100.IN-ADDR.ARPA</listitem>
<listitem>85.100.IN-ADDR.ARPA</listitem>
<listitem>86.100.IN-ADDR.ARPA</listitem>
<listitem>87.100.IN-ADDR.ARPA</listitem>
<listitem>88.100.IN-ADDR.ARPA</listitem>
<listitem>89.100.IN-ADDR.ARPA</listitem>
<listitem>90.100.IN-ADDR.ARPA</listitem>
<listitem>91.100.IN-ADDR.ARPA</listitem>
<listitem>92.100.IN-ADDR.ARPA</listitem>
<listitem>93.100.IN-ADDR.ARPA</listitem>
<listitem>94.100.IN-ADDR.ARPA</listitem>
<listitem>95.100.IN-ADDR.ARPA</listitem>
<listitem>96.100.IN-ADDR.ARPA</listitem>
<listitem>97.100.IN-ADDR.ARPA</listitem>
<listitem>98.100.IN-ADDR.ARPA</listitem>
<listitem>99.100.IN-ADDR.ARPA</listitem>
<listitem>100.100.IN-ADDR.ARPA</listitem>
<listitem>101.100.IN-ADDR.ARPA</listitem>
<listitem>102.100.IN-ADDR.ARPA</listitem>
<listitem>103.100.IN-ADDR.ARPA</listitem>
<listitem>104.100.IN-ADDR.ARPA</listitem>
<listitem>105.100.IN-ADDR.ARPA</listitem>
<listitem>106.100.IN-ADDR.ARPA</listitem>
<listitem>107.100.IN-ADDR.ARPA</listitem>
<listitem>108.100.IN-ADDR.ARPA</listitem>
<listitem>109.100.IN-ADDR.ARPA</listitem>
<listitem>110.100.IN-ADDR.ARPA</listitem>
<listitem>111.100.IN-ADDR.ARPA</listitem>
<listitem>112.100.IN-ADDR.ARPA</listitem>
<listitem>113.100.IN-ADDR.ARPA</listitem>
<listitem>114.100.IN-ADDR.ARPA</listitem>
<listitem>115.100.IN-ADDR.ARPA</listitem>
<listitem>116.100.IN-ADDR.ARPA</listitem>
<listitem>117.100.IN-ADDR.ARPA</listitem>
<listitem>118.100.IN-ADDR.ARPA</listitem>
<listitem>119.100.IN-ADDR.ARPA</listitem>
<listitem>120.100.IN-ADDR.ARPA</listitem>
<listitem>121.100.IN-ADDR.ARPA</listitem>
<listitem>122.100.IN-ADDR.ARPA</listitem>
<listitem>123.100.IN-ADDR.ARPA</listitem>
<listitem>124.100.IN-ADDR.ARPA</listitem>
<listitem>125.100.IN-ADDR.ARPA</listitem>
<listitem>126.100.IN-ADDR.ARPA</listitem>
<listitem>127.100.IN-ADDR.ARPA</listitem>
<listitem>0.IN-ADDR.ARPA</listitem>
<listitem>127.IN-ADDR.ARPA</listitem>
<listitem>254.169.IN-ADDR.ARPA</listitem>
@ -9188,7 +9323,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
to get access to an internal node of your local network
that couldn't be externally accessed otherwise.
See the paper available at
<ulink>
<ulink url="http://portal.acm.org/citation.cfm?id=1315245.1315298">
http://portal.acm.org/citation.cfm?id=1315245.1315298
</ulink>
for more details about the attacks.
@ -9328,14 +9463,15 @@ deny-answer-aliases { "example.net"; };
They are encoded as subdomains of
<userinput>rpz-nsdomain</userinput> relativized
to the RPZ origin name.
</para>
<para>
NSIP triggers match IP addresses in A and
AAAA RRsets for domains that can be checked against NSDNAME
policy records.
NSIP triggers are encoded like IP triggers except as subdomains of
<userinput>rpz-nsip</userinput>.
NSDNAME and NSIP triggers are checked only for names with at
least <command>min-ns-dots</command> dots.
The default value of <command>min-ns-dots</command> is 1 to
exclude top level domains.
</para>
<para>
@ -9374,17 +9510,6 @@ deny-answer-aliases { "example.net"; };
and addresses.
</para>
<para>
Authority verification issues and variations in authority data
can cause inconsistent results for NSIP and NSDNAME policy records.
Glue NS records often differ from authoritative NS records.
So they are available
only when <acronym>BIND</acronym> is built with the
<userinput>--enable-rpz-nsip</userinput> or
<userinput>--enable-rpz-nsdname</userinput> options
on the "configure" command line.
</para>
<para>
RPZ record sets are sets of any types of DNS record except
DNAME or DNSSEC that encode actions or responses to queries.
@ -9409,7 +9534,7 @@ deny-answer-aliases { "example.net"; };
walled garden's authority DNS server.
</listitem>
<listitem>The <command>PASSTHRU</command> policy is specified
by a CNAME whose target is <command>rpz_passthru.</command>
by a CNAME whose target is <command>rpz-passthru.</command>
It causes the response to not be rewritten
and is most often used to "poke holes" in policies for
CIDR blocks.
@ -9523,6 +9648,26 @@ bzone.domain.com CNAME garden.example.com.
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
</programlisting>
<para>
RPZ can affect server performance.
Each configured response policy zone requires the server to
perform one to four additional database lookups before a
query can be answered.
For example, a DNS server with four policy zones, each with all
four kinds of response triggers, QNAME, IP, NSIP, and
NSDNAME, requires a total of 17 times as many database
lookups as a similar DNS server with no response policy zones.
A <acronym>BIND9</acronym> server with adequate memory and one
response policy zone with QNAME and IP triggers might achieve a
maximum queries-per-second rate about 20% lower.
A server with four response policy zones with QNAME and IP
triggers might have a maximum QPS rate about 50% lower.
</para>
<para>
Responses rewritten by RPZ are counted in the
<command>RPZRewrites</command> statistics.
</para>
</sect3>
</sect2>
@ -9864,8 +10009,8 @@ ns.domain.com.rpz-nsdname CNAME .
<title><command>managed-keys</command> Statement Grammar</title>
<programlisting><command>managed-keys</command> {
<replaceable>string</replaceable> initial-key <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
<optional> <replaceable>string</replaceable> initial-key <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
<replaceable>name</replaceable> <literal>initial-key</literal> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key-data</replaceable> ;
<optional> <replaceable>name</replaceable> <literal>initial-key</literal> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key-data</replaceable> ; <optional>...</optional></optional>
};
</programlisting>
@ -9973,13 +10118,16 @@ ns.domain.com.rpz-nsdname CNAME .
<command>named</command>.)
</para>
<para>
If the <command>dnssec-lookaside</command> option is
If the <command>dnssec-validation</command> option is
set to <userinput>auto</userinput>, <command>named</command>
will automatically initialize a managed key for the
zone <literal>dlv.isc.org</literal>. The key that is
used to initialize the key maintenance process is built
into <command>named</command>, and can be overridden
from <command>bindkeys-file</command>.
root zone. Similarly, if the <command>dnssec-lookaside</command>
option is set to <userinput>auto</userinput>,
<command>named</command> will automatically initialize
a managed key for the zone <literal>dlv.isc.org</literal>.
In both cases, the key that is used to initialize the key
maintenance process is built into <command>named</command>,
and can be overridden from <command>bindkeys-file</command>.
</para>
</sect2>
@ -10141,6 +10289,7 @@ view "external" {
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
<optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
@ -10706,6 +10855,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
<varlistentry>
<term><command>check-spf</command></term>
<listitem>
<para>
See the description of
<command>check-spf</command> in <xref linkend="boolean_options"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>check-wildcard</command></term>
<listitem>
@ -14094,6 +14253,19 @@ HOST-127.EXAMPLE. MX 0 .
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
<para><command>RPZRewrites</command></para>
</entry>
<entry colname="2">
<para><command></command></para>
</entry>
<entry colname="3">
<para>
Response policy zone rewrites.
</para>
</entry>
</row>
</tbody>
</tgroup>
</informaltable>
@ -14915,14 +15087,6 @@ zone "example.com" {
This allows recursive queries of the server from the outside
unless recursion has been previously disabled.
</para>
<para>
For more information on how to use ACLs to protect your server,
see the <emphasis>AUSCERT</emphasis> advisory at:
</para>
<para>
<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink>
</para>
</sect1>
<sect1>
<title><command>Chroot</command> and <command>Setuid</command></title>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -45,17 +45,17 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564375">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564398">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564538">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564720">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564378">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564402">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564541">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564723">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564741">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564775">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567180">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567257">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567430">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567560">Name Servers in Multiple Roles</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564744">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564846">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567184">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567260">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567433">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567563">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
@ -71,7 +71,7 @@
</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564375"></a>Scope of Document</h2></div></div></div>
<a name="id2564378"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
(<acronym class="acronym">BIND</acronym>) implements a
@ -87,7 +87,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564398"></a>Organization of This Document</h2></div></div></div>
<a name="id2564402"></a>Organization of This Document</h2></div></div></div>
<p>
In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
@ -116,7 +116,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564538"></a>Conventions Used in This Document</h2></div></div></div>
<a name="id2564541"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
@ -243,7 +243,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564720"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<a name="id2564723"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
@ -253,7 +253,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564741"></a>DNS Fundamentals</h3></div></div></div>
<a name="id2564744"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
@ -275,7 +275,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564775"></a>Domains and Domain Names</h3></div></div></div>
<a name="id2564846"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
@ -321,7 +321,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567180"></a>Zones</h3></div></div></div>
<a name="id2567184"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
@ -374,7 +374,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567257"></a>Authoritative Name Servers</h3></div></div></div>
<a name="id2567260"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
@ -391,7 +391,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567281"></a>The Primary Master</h4></div></div></div>
<a name="id2567284"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
@ -411,7 +411,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567379"></a>Slave Servers</h4></div></div></div>
<a name="id2567382"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
@ -427,7 +427,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567400"></a>Stealth Servers</h4></div></div></div>
<a name="id2567403"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
@ -462,7 +462,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567430"></a>Caching Name Servers</h3></div></div></div>
<a name="id2567433"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
@ -489,7 +489,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567533"></a>Forwarding</h4></div></div></div>
<a name="id2567537"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
@ -516,7 +516,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567560"></a>Name Servers in Multiple Roles</h3></div></div></div>
<a name="id2567563"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -45,16 +45,16 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567594">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567621">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567634">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567729">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567739">Supported Operating Systems</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567597">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567624">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567637">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567732">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567742">Supported Operating Systems</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567594"></a>Hardware requirements</h2></div></div></div>
<a name="id2567597"></a>Hardware requirements</h2></div></div></div>
<p>
<acronym class="acronym">DNS</acronym> hardware requirements have
traditionally been quite modest.
@ -73,7 +73,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567621"></a>CPU Requirements</h2></div></div></div>
<a name="id2567624"></a>CPU Requirements</h2></div></div></div>
<p>
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
i486-class machines
@ -84,7 +84,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567634"></a>Memory Requirements</h2></div></div></div>
<a name="id2567637"></a>Memory Requirements</h2></div></div></div>
<p>
The memory of the server has to be large enough to fit the
cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
@ -107,7 +107,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567729"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<a name="id2567732"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<p>
For name server intensive environments, there are two alternative
configurations that may be used. The first is where clients and
@ -124,7 +124,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567739"></a>Supported Operating Systems</h2></div></div></div>
<a name="id2567742"></a>Supported Operating Systems</h2></div></div></div>
<p>
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
number

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -47,14 +47,14 @@
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567771">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567992">An Authoritative-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567774">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567995">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568014">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568369">Name Server Operations</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568018">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568372">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568374">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570421">Signals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568377">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570424">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
@ -68,7 +68,7 @@
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567771"></a>A Caching-only Name Server</h3></div></div></div>
<a name="id2567774"></a>A Caching-only Name Server</h3></div></div></div>
<p>
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All
@ -98,7 +98,7 @@ zone "0.0.127.in-addr.arpa" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567992"></a>An Authoritative-only Name Server</h3></div></div></div>
<a name="id2567995"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
@ -146,7 +146,7 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568014"></a>Load Balancing</h2></div></div></div>
<a name="id2568018"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple records
@ -289,10 +289,10 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568369"></a>Name Server Operations</h2></div></div></div>
<a name="id2568372"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2568374"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<a name="id2568377"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
@ -681,7 +681,7 @@ zone "eng.example.com" {
<em class="replaceable"><code>keyname</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
<dd><p>
Delete a given TKEY-negotated key from the server.
Delete a given TKEY-negotiated key from the server.
(This does not apply to statically configured TSIG
keys.)
</p></dd>
@ -888,7 +888,7 @@ controls {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570421"></a>Signals</h3></div></div></div>
<a name="id2570424"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -49,59 +49,59 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570934">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570952">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570937">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570955">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564012">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564086">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571811">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571847">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571905">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571954">Errors</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564016">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564089">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571814">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571850">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571908">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571957">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571968">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572153">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571971">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572156">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572221">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572300">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572381">Configuring Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572225">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572304">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572385">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571475">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571512">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563493">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563575">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563612">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563762">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563795">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563821">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563899">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563909">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563922">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571605">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571614">NSEC3 and OPTOUT</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608395">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563581">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563754">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563836">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563874">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563886">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563920">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563946">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563956">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571406">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571419">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571457">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571466">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607510">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571692">Authoritative Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571658">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571681">Authoritative Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610637">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608477">Building BIND 9 with PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608602">PKCS #11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2634916">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635114">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635160">Running named with automatic zone re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611650">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608875">Building BIND 9 with PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609137">PKCS #11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635518">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635785">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635831">Running named with automatic zone re-signing</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572669">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572604">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572868">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572889">Address to Name Lookups Using Nibble Format</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572871">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572892">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
@ -258,7 +258,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570934"></a>Split DNS</h2></div></div></div>
<a name="id2570937"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
@ -288,7 +288,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570952"></a>Example split DNS setup</h3></div></div></div>
<a name="id2570955"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
@ -545,7 +545,7 @@ nameserver 172.16.72.4
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564012"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<a name="id2564016"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
@ -553,7 +553,7 @@ nameserver 172.16.72.4
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2564029"></a>Automatic Generation</h4></div></div></div>
<a name="id2564033"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
@ -577,7 +577,7 @@ nameserver 172.16.72.4
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2564068"></a>Manual Generation</h4></div></div></div>
<a name="id2564071"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
@ -592,7 +592,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564086"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<a name="id2564089"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
@ -600,7 +600,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571811"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<a name="id2571814"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
are
@ -627,7 +627,7 @@ key host1-host2. {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571847"></a>Instructing the Server to Use the Key</h3></div></div></div>
<a name="id2571850"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@ -659,7 +659,7 @@ server 10.1.2.3 {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571905"></a>TSIG Key Based Access Control</h3></div></div></div>
<a name="id2571908"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
@ -686,7 +686,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571954"></a>Errors</h3></div></div></div>
<a name="id2571957"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
@ -712,7 +712,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571968"></a>TKEY</h2></div></div></div>
<a name="id2571971"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
@ -748,7 +748,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2572153"></a>SIG(0)</h2></div></div></div>
<a name="id2572156"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC 2931.
@ -809,7 +809,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572221"></a>Generating Keys</h3></div></div></div>
<a name="id2572225"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
@ -865,7 +865,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572300"></a>Signing the Zone</h3></div></div></div>
<a name="id2572304"></a>Signing the Zone</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-signzone</strong></span> program is used
to sign a zone.
@ -907,7 +907,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572381"></a>Configuring Servers</h3></div></div></div>
<a name="id2572385"></a>Configuring Servers</h3></div></div></div>
<p>
To enable <span><strong class="command">named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
@ -1067,7 +1067,7 @@ options {
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571475"></a>Converting from insecure to secure</h3></div></div></div></div>
<a name="id2608395"></a>Converting from insecure to secure</h3></div></div></div></div>
<p>Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the
<span><strong class="command">auto-dnssec</strong></span> zone option.</p>
@ -1093,7 +1093,7 @@ options {
well. An NSEC chain will be generated as part of the initial
signing process.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571512"></a>Dynamic DNS update method</h3></div></div></div></div>
<a name="id2563581"></a>Dynamic DNS update method</h3></div></div></div></div>
<p>To insert the keys via dynamic update:</p>
<pre class="screen">
% nsupdate
@ -1129,7 +1129,7 @@ options {
<p>While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563493"></a>Fully automatic zone signing</h3></div></div></div></div>
<a name="id2563754"></a>Fully automatic zone signing</h3></div></div></div></div>
<p>To enable automatic signing, add the
<span><strong class="command">auto-dnssec</strong></span> option to the zone statement in
<code class="filename">named.conf</code>.
@ -1164,7 +1164,7 @@ options {
configuration. If this has not been done, the configuration will
fail.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563575"></a>Private-type records</h3></div></div></div></div>
<a name="id2563836"></a>Private-type records</h3></div></div></div></div>
<p>The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
signing is complete, these records will have a nonzero value for
@ -1205,12 +1205,12 @@ options {
<p>
</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563612"></a>DNSKEY rollovers</h3></div></div></div></div>
<a name="id2563874"></a>DNSKEY rollovers</h3></div></div></div></div>
<p>As with insecure-to-secure conversions, rolling DNSSEC
keys can be done in two ways: using a dynamic DNS update, or the
<span><strong class="command">auto-dnssec</strong></span> zone option.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563762"></a>Dynamic DNS update method</h3></div></div></div></div>
<a name="id2563886"></a>Dynamic DNS update method</h3></div></div></div></div>
<p> To perform key rollovers via dynamic update, you need to add
the <code class="filename">K*</code> files for the new keys so that
<span><strong class="command">named</strong></span> can find them. You can then add the new
@ -1232,7 +1232,7 @@ options {
<span><strong class="command">named</strong></span> will clean out any signatures generated
by the old key after the update completes.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563795"></a>Automatic key rollovers</h3></div></div></div></div>
<a name="id2563920"></a>Automatic key rollovers</h3></div></div></div></div>
<p>When a new key reaches its activation date (as set by
<span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to
@ -1247,27 +1247,27 @@ options {
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563821"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
<a name="id2563946"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
<p>Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
will be zero. At this point you can remove the old NSEC3PARAM
record. The old chain will be removed after the update request
completes.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563899"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
<a name="id2563956"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
<p>To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
and the NSEC3PARAM record will have a zero flag field. The NSEC3
chain will be generated before the NSEC chain is
destroyed.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563909"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
<a name="id2571406"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
<p>To do this, use <span><strong class="command">nsupdate</strong></span> to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2563922"></a>Converting from secure to insecure</h3></div></div></div></div>
<a name="id2571419"></a>Converting from secure to insecure</h3></div></div></div></div>
<p>To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
<span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
@ -1282,14 +1282,14 @@ options {
<span><strong class="command">allow</strong></span> instead (or it will re-sign).
</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571605"></a>Periodic re-signing</h3></div></div></div></div>
<a name="id2571457"></a>Periodic re-signing</h3></div></div></div></div>
<p>In any secure zone which supports dynamic updates, named
will periodically re-sign RRsets which have not been re-signed as
a result of some update action. The signature lifetimes will be
adjusted so as to spread the re-sign load over time rather than
all at once.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
<a name="id2571614"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
<a name="id2571466"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
<p>
<span><strong class="command">named</strong></span> only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
@ -1311,7 +1311,7 @@ options {
configuration files.</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2607510"></a>Validating Resolver</h3></div></div></div>
<a name="id2571658"></a>Validating Resolver</h3></div></div></div>
<p>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
<span><strong class="command">managed-keys</strong></span> statement. Information about
@ -1322,7 +1322,7 @@ options {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571692"></a>Authoritative Server</h3></div></div></div>
<a name="id2571681"></a>Authoritative Server</h3></div></div></div>
<p>To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
@ -1396,7 +1396,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
Debian Linux, Solaris x86 and Windows Server 2003.</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2610637"></a>Prerequisites</h3></div></div></div>
<a name="id2611650"></a>Prerequisites</h3></div></div></div>
<p>See the HSM vendor documentation for information about
installing, initializing, testing and troubleshooting the
HSM.</p>
@ -1410,7 +1410,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
This is a shared library object, providing a low-level PKCS #11
interface to the HSM hardware. It is dynamically loaded by
OpenSSL at runtime. The PKCS #11 provider comes from the HSM
vendor, and and is specific to the HSM to be controlled.</p>
vendor, and is specific to the HSM to be controlled.</p>
<p>There are two "flavors" of PKCS #11 support provided by
the patched OpenSSL, one of which must be chosen at
configuration time. The correct choice depends on the HSM
@ -1473,7 +1473,7 @@ $ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8s \
when we configure BIND 9.</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2608071"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
<a name="id2608605"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
<p>The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
can carry out cryptographic operations, but it is probably
@ -1505,7 +1505,7 @@ $ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2608140"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
<a name="id2608675"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
<p>The SCA-6000 PKCS #11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
times faster than any CPU, so the flavor shall be
@ -1527,7 +1527,7 @@ $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2608189"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
<a name="id2608724"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
<p>SoftHSM is a software library provided by the OpenDNSSEC
project (http://www.opendnssec.org) which provides a PKCS#11
interface to a virtual HSM, implemented in the form of encrypted
@ -1587,12 +1587,12 @@ $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608477"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
<a name="id2608875"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
<p>When building BIND 9, the location of the custom-built
OpenSSL library must be specified via configure.</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2608486"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
<a name="id2608952"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
<p>To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.</p>
<p>The PKCS #11 library for the AEP Keyper is currently
@ -1608,7 +1608,7 @@ $ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2608518"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
<a name="id2608984"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
<p>To link with the PKCS #11 provider, threads must be
enabled in the BIND 9 build.</p>
<pre class="screen">
@ -1626,7 +1626,7 @@ $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-thre
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2608554"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
<a name="id2609089"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>cd ../bind9</code></strong>
$ <strong class="userinput"><code>./configure --enable-threads \
@ -1643,7 +1643,7 @@ $ <strong class="userinput"><code>./configure --enable-threads \
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608602"></a>PKCS #11 Tools</h3></div></div></div>
<a name="id2609137"></a>PKCS #11 Tools</h3></div></div></div>
<p>BIND 9 includes a minimal set of tools to operate the
HSM, including
<span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair
@ -1661,7 +1661,7 @@ $ <strong class="userinput"><code>./configure --enable-threads \
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2634916"></a>Using the HSM</h3></div></div></div>
<a name="id2635518"></a>Using the HSM</h3></div></div></div>
<p>First, we must set up the runtime environment so the
OpenSSL and PKCS #11 libraries can be loaded:</p>
<pre class="screen">
@ -1749,7 +1749,7 @@ example.net.signed
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2635114"></a>Specifying the engine on the command line</h3></div></div></div>
<a name="id2635785"></a>Specifying the engine on the command line</h3></div></div></div>
<p>The OpenSSL engine can be specified in
<span><strong class="command">named</strong></span> and all of the BIND
<span><strong class="command">dnssec-*</strong></span> tools by using the "-E
@ -1770,7 +1770,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2635160"></a>Running named with automatic zone re-signing</h3></div></div></div>
<a name="id2635831"></a>Running named with automatic zone re-signing</h3></div></div></div>
<p>If you want
<span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM
keys, and/or to to sign new records inserted via nsupdate, then
@ -1806,7 +1806,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2572669"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<a name="id2572604"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 fully supports all currently
defined forms of IPv6 name to address and address to name
@ -1844,7 +1844,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572868"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<a name="id2572871"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<p>
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@ -1863,7 +1863,7 @@ host 3600 IN AAAA 2001:db8::1
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572889"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<a name="id2572892"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<p>
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -45,13 +45,13 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572922">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572925">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2572922"></a>The Lightweight Resolver Library</h2></div></div></div>
<a name="id2572925"></a>The Lightweight Resolver Library</h2></div></div></div>
<p>
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -48,58 +48,58 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574332">Comment Syntax</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574405">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574986"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574990"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575180"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575467"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575484"><span><strong class="command">include</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575472"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575489"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575576"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575600"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575758"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575884"><span><strong class="command">logging</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575649"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575672"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575763"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575889"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577910"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577984"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578116"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578160"><span><strong class="command">masters</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577914"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577988"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578120"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578164"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578174"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578179"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589534"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590070"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589742"><span><strong class="command">trusted-keys</strong></span> Statement Definition
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590278"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589858"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590325"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590352"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590766"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591902"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592398"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595170">Zone File</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595755">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597537">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597986">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598084">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598211">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598552"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598601">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598796">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599138"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@ -409,31 +409,45 @@
</td>
<td>
<p>
A number, the word <strong class="userinput"><code>unlimited</code></strong>,
or the word <strong class="userinput"><code>default</code></strong>.
A 64-bit unsigned integer, or the keywords
<strong class="userinput"><code>unlimited</code></strong> or
<strong class="userinput"><code>default</code></strong>.
</p>
<p>
An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
the limit that was in force when the server was started.
Integers may take values
0 &lt;= value &lt;= 18446744073709551615, though
certain parameters may use a more limited range
within these extremes. In most cases, setting a
value to 0 does not literally mean zero; it means
"undefined" or "as big as psosible", depending on
the context. See the expalantions of particular
parameters that use <code class="varname">size_spec</code>
for details on how they interpret its use.
</p>
<p>
A <code class="varname">number</code> can optionally be
followed by a scaling factor:
Numeric values can optionally be followed by a
scaling factor:
<strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
for kilobytes,
<strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
for megabytes, and
<strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
which scale by 1024, 1024*1024, and 1024*1024*1024
respectively.
<strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
for gigabytes, which scale by 1024, 1024*1024, and
1024*1024*1024 respectively.
</p>
<p>
The value must be representable as a 64-bit unsigned integer
(0 to 18446744073709551615, inclusive).
Using <code class="varname">unlimited</code> is the best
way
to safely set a really large number.
<code class="varname">unlimited</code> generally means
"as big as possible", though in certain contexts,
(including <code class="option">max-cache-size</code>), it may
mean the largest possible 32-bit unsigned integer
(0xffffffff); this distinction can be important when
dealing with larger quantities.
<code class="varname">unlimited</code> is usually the best way
to safely set a very large number.
</p>
<p>
<code class="varname">default</code>
uses the limit that was in force when the server was started.
</p>
</td>
</tr>
@ -477,7 +491,7 @@
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2574099"></a>Syntax</h4></div></div></div>
<a name="id2574103"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@ -486,7 +500,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2574126"></a>Definition and Usage</h4></div></div></div>
<a name="id2574131"></a>Definition and Usage</h4></div></div></div>
<p>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
@ -570,7 +584,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574332"></a>Comment Syntax</h3></div></div></div>
<a name="id2574405"></a>Comment Syntax</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
comments to appear
@ -580,7 +594,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2574347"></a>Syntax</h4></div></div></div>
<a name="id2574420"></a>Syntax</h4></div></div></div>
<p>
</p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@ -596,7 +610,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2574377"></a>Definition and Usage</h4></div></div></div>
<a name="id2574450"></a>Definition and Usage</h4></div></div></div>
<p>
Comments may appear anywhere that whitespace may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
@ -848,7 +862,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574986"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2574990"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
address_match_list
};
@ -930,7 +944,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575176"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2575180"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
[ inet ( ip_addr | * ) [ port ip_port ]
allow { <em class="replaceable"><code> address_match_list </code></em> }
@ -1054,12 +1068,12 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575467"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2575472"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575484"></a><span><strong class="command">include</strong></span> Statement Definition and
<a name="id2575489"></a><span><strong class="command">include</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">include</strong></span> statement inserts the
@ -1074,7 +1088,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575576"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2575649"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
algorithm <em class="replaceable"><code>string</code></em>;
secret <em class="replaceable"><code>string</code></em>;
@ -1083,7 +1097,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575600"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<a name="id2575672"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">key</strong></span> statement defines a shared
secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@ -1130,12 +1144,12 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575758"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2575763"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
[ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
[ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
[ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
[ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
| <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
| <span><strong class="command">stderr</strong></span>
| <span><strong class="command">null</strong></span> );
@ -1154,7 +1168,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575884"></a><span><strong class="command">logging</strong></span> Statement Definition and
<a name="id2575889"></a><span><strong class="command">logging</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">logging</strong></span> statement configures a
@ -1188,7 +1202,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2576005"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<a name="id2576009"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<p>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
@ -1766,7 +1780,7 @@ category notify { null; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2577322"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
<a name="id2577326"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
<p>
The <span><strong class="command">query-errors</strong></span> category is
specifically intended for debugging purposes: To identify
@ -1994,7 +2008,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2577910"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2577914"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
@ -2010,7 +2024,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2577984"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<a name="id2577988"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">lwres</strong></span> statement configures the
name
@ -2061,7 +2075,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2578116"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2578120"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
@ -2069,7 +2083,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2578160"></a><span><strong class="command">masters</strong></span> Statement Definition and
<a name="id2578164"></a><span><strong class="command">masters</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p><span><strong class="command">masters</strong></span>
lists allow for a common set of masters to be easily used by
@ -2078,7 +2092,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2578174"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2578179"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">options</strong></span>
statement in the <code class="filename">named.conf</code> file:
@ -2122,6 +2136,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
@ -2148,6 +2163,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
@ -2281,7 +2297,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[<span class="optional"> policy given | disabled | passthru | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> </span>]
[<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>] ;
} [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
[<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>] ; </span>]
[<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>] ; </span>]
};
</pre>
</div>
@ -2411,13 +2427,22 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<code class="filename">session.key</code>.)
</p></dd>
<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
<dd><p>
The directory used to hold the files used to track managed keys.
By default it is the working directory. It there are no
views then the file <code class="filename">managed-keys.bind</code>
otherwise a SHA256 hash of the view name is used with
<code class="filename">.mkeys</code> extension added.
</p></dd>
<dd>
<p>
Specifies the directory in which to store the files that
track managed DNSSEC keys. By default, this is the working
directory.
</p>
<p>
If <span><strong class="command">named</strong></span> is not configured to use views,
then managed keys for the server will be tracked in a single
file called <code class="filename">managed-keys.bind</code>.
Otherwise, managed keys will be tracked in separate files,
one file per view; each file name will be the SHA256 hash
of the view name, followed by the extension
<code class="filename">.mkeys</code>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
<dd><p>
<span class="emphasis"><em>This option is obsolete.</em></span> It
@ -2691,7 +2716,7 @@ options {
installed along with <acronym class="acronym">BIND</acronym> 9, and is
current as of the release date. If the DLV key expires, a
new copy of <code class="filename">bind.keys</code> can be downloaded
from <a href="" target="_top">https://www.isc.org/solutions/dlv</a>.
from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
</p>
<p>
(To prevent problems if <code class="filename">bind.keys</code> is
@ -3188,6 +3213,17 @@ options {
operation, such as NOTIFY address lookups.
See also <span><strong class="command">fetch-glue</strong></span> above.
</p></dd>
<dt><span class="term"><span><strong class="command">request-nsid</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
NSID (Name Server Identifier) option is sent with all
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
the <span><strong class="command">resolver</strong></span> category at level
<span><strong class="command">info</strong></span>.
The default is <strong class="userinput"><code>no</code></strong>.
</p></dd>
<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
<dd>
<p>
@ -3546,7 +3582,8 @@ options {
for non-terminal wildcards and issue a warning.
</p></dd>
<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
<dd><p>
<dd>
<p>
Perform post load zone integrity checks on master
zones. This checks that MX and SRV records refer
to address (A or AAAA) records and that glue
@ -3558,7 +3595,15 @@ options {
checked (for out-of-zone names and glue consistency
checks use <span><strong class="command">named-checkzone</strong></span>).
The default is <span><strong class="command">yes</strong></span>.
</p></dd>
</p>
<p>
Check that the two forms of Sender Policy Framework
records (TXT records starting with "v=spf1" and SPF) either
both exist or both don't exist. Warnings are
emitted it they don't and be suppressed with
<span><strong class="command">check-spf</strong></span>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
<dd><p>
If <span><strong class="command">check-integrity</strong></span> is set then
@ -3576,6 +3621,14 @@ options {
When performing integrity checks, also check that
sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
</p></dd>
<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
<dd><p>
When performing integrity checks, check that the
two forms of Sender Policy Framwork records (TXT
records starting with "v=spf1" and SPF) both exist
or both don't exist and issue a warning if not
met. The default is <span><strong class="command">warn</strong></span>.
</p></dd>
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
<dd><p>
When returning authoritative negative responses to
@ -3669,7 +3722,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2583675"></a>Forwarding</h4></div></div></div>
<a name="id2583834"></a>Forwarding</h4></div></div></div>
<p>
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@ -3713,7 +3766,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2583734"></a>Dual-stack Servers</h4></div></div></div>
<a name="id2583893"></a>Dual-stack Servers</h4></div></div></div>
<p>
Dual-stack servers are used as servers of last resort to work
around
@ -3787,6 +3840,12 @@ options {
disallow them on external-facing ones, without
necessarily knowing the internal network's addresses.
</p>
<p>
Note that <span><strong class="command">allow-query-on</strong></span> is only
checked for queries that are permitted by
<span><strong class="command">allow-query</strong></span>. A query must be
allowed by both ACLs, or it will be refused.
</p>
<p>
<span><strong class="command">allow-query-on</strong></span> may
also be specified in the <span><strong class="command">zone</strong></span>
@ -3924,7 +3983,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2584422"></a>Interfaces</h4></div></div></div>
<a name="id2584590"></a>Interfaces</h4></div></div></div>
<p>
The interfaces and ports that the server will answer queries
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
@ -4383,7 +4442,7 @@ avoid-v6-udp-ports {};
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2585495"></a>UDP Port Lists</h4></div></div></div>
<a name="id2585664"></a>UDP Port Lists</h4></div></div></div>
<p>
<span><strong class="command">use-v4-udp-ports</strong></span>,
<span><strong class="command">avoid-v4-udp-ports</strong></span>,
@ -4425,7 +4484,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2585555"></a>Operating System Resource Limits</h4></div></div></div>
<a name="id2585723"></a>Operating System Resource Limits</h4></div></div></div>
<p>
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@ -4587,7 +4646,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2586114"></a>Periodic Task Intervals</h4></div></div></div>
<a name="id2586350"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
<dd><p>
@ -5171,12 +5230,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of
class
<span><strong class="command">CHAOS</strong></span> which is separate from the
default view of
class <span><strong class="command">IN</strong></span>; therefore, any global
server options
such as <span><strong class="command">allow-query</strong></span> do not apply
the these zones.
If you feel the need to disable these zones, use the options
default view of class <span><strong class="command">IN</strong></span>. Most global
configuration options (<span><strong class="command">allow-query</strong></span>,
etc) will apply to this view, but some are locally
overridden: <span><strong class="command">notify</strong></span>,
<span><strong class="command">recursion</strong></span> and
<span><strong class="command">allow-new-zones</strong></span> are
always set to <strong class="userinput"><code>no</code></strong>.
</p>
<p>
If you need to disable these zones, use the options
below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
view by
defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
@ -5231,7 +5294,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
servers. The official servers which cover these namespaces
return NXDOMAIN responses to these queries. In particular,
these cover the reverse namespaces for addresses from
RFC 1918, RFC 4193, and RFC 5737. They also include the
RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the
reverse namespace for IPv6 local address (locally assigned),
IPv6 link local addresses, the IPv6 loopback address and the
IPv6 unknown address.
@ -5263,6 +5326,70 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<li>30.172.IN-ADDR.ARPA</li>
<li>31.172.IN-ADDR.ARPA</li>
<li>168.192.IN-ADDR.ARPA</li>
<li>64.100.IN-ADDR.ARPA</li>
<li>65.100.IN-ADDR.ARPA</li>
<li>66.100.IN-ADDR.ARPA</li>
<li>67.100.IN-ADDR.ARPA</li>
<li>68.100.IN-ADDR.ARPA</li>
<li>69.100.IN-ADDR.ARPA</li>
<li>70.100.IN-ADDR.ARPA</li>
<li>71.100.IN-ADDR.ARPA</li>
<li>72.100.IN-ADDR.ARPA</li>
<li>73.100.IN-ADDR.ARPA</li>
<li>74.100.IN-ADDR.ARPA</li>
<li>75.100.IN-ADDR.ARPA</li>
<li>76.100.IN-ADDR.ARPA</li>
<li>77.100.IN-ADDR.ARPA</li>
<li>78.100.IN-ADDR.ARPA</li>
<li>79.100.IN-ADDR.ARPA</li>
<li>80.100.IN-ADDR.ARPA</li>
<li>81.100.IN-ADDR.ARPA</li>
<li>82.100.IN-ADDR.ARPA</li>
<li>83.100.IN-ADDR.ARPA</li>
<li>84.100.IN-ADDR.ARPA</li>
<li>85.100.IN-ADDR.ARPA</li>
<li>86.100.IN-ADDR.ARPA</li>
<li>87.100.IN-ADDR.ARPA</li>
<li>88.100.IN-ADDR.ARPA</li>
<li>89.100.IN-ADDR.ARPA</li>
<li>90.100.IN-ADDR.ARPA</li>
<li>91.100.IN-ADDR.ARPA</li>
<li>92.100.IN-ADDR.ARPA</li>
<li>93.100.IN-ADDR.ARPA</li>
<li>94.100.IN-ADDR.ARPA</li>
<li>95.100.IN-ADDR.ARPA</li>
<li>96.100.IN-ADDR.ARPA</li>
<li>97.100.IN-ADDR.ARPA</li>
<li>98.100.IN-ADDR.ARPA</li>
<li>99.100.IN-ADDR.ARPA</li>
<li>100.100.IN-ADDR.ARPA</li>
<li>101.100.IN-ADDR.ARPA</li>
<li>102.100.IN-ADDR.ARPA</li>
<li>103.100.IN-ADDR.ARPA</li>
<li>104.100.IN-ADDR.ARPA</li>
<li>105.100.IN-ADDR.ARPA</li>
<li>106.100.IN-ADDR.ARPA</li>
<li>107.100.IN-ADDR.ARPA</li>
<li>108.100.IN-ADDR.ARPA</li>
<li>109.100.IN-ADDR.ARPA</li>
<li>110.100.IN-ADDR.ARPA</li>
<li>111.100.IN-ADDR.ARPA</li>
<li>112.100.IN-ADDR.ARPA</li>
<li>113.100.IN-ADDR.ARPA</li>
<li>114.100.IN-ADDR.ARPA</li>
<li>115.100.IN-ADDR.ARPA</li>
<li>116.100.IN-ADDR.ARPA</li>
<li>117.100.IN-ADDR.ARPA</li>
<li>118.100.IN-ADDR.ARPA</li>
<li>119.100.IN-ADDR.ARPA</li>
<li>120.100.IN-ADDR.ARPA</li>
<li>121.100.IN-ADDR.ARPA</li>
<li>122.100.IN-ADDR.ARPA</li>
<li>123.100.IN-ADDR.ARPA</li>
<li>124.100.IN-ADDR.ARPA</li>
<li>125.100.IN-ADDR.ARPA</li>
<li>126.100.IN-ADDR.ARPA</li>
<li>127.100.IN-ADDR.ARPA</li>
<li>0.IN-ADDR.ARPA</li>
<li>127.IN-ADDR.ARPA</li>
<li>254.169.IN-ADDR.ARPA</li>
@ -5427,7 +5554,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2588152"></a>Content Filtering</h4></div></div></div>
<a name="id2588612"></a>Content Filtering</h4></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 provides the ability to filter
out DNS responses from external DNS servers containing
@ -5480,7 +5607,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
to get access to an internal node of your local network
that couldn't be externally accessed otherwise.
See the paper available at
<a href="" target="_top">
<a href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top">
http://portal.acm.org/citation.cfm?id=1315245.1315298
</a>
for more details about the attacks.
@ -5550,7 +5677,7 @@ deny-answer-aliases { "example.net"; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2588343"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
<a name="id2588738"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 includes a limited
mechanism to modify DNS responses for requests
@ -5606,13 +5733,15 @@ deny-answer-aliases { "example.net"; };
They are encoded as subdomains of
<strong class="userinput"><code>rpz-nsdomain</code></strong> relativized
to the RPZ origin name.
</p>
<p>
NSIP triggers match IP addresses in A and
AAAA RRsets for domains that can be checked against NSDNAME
policy records.
NSIP triggers are encoded like IP triggers except as subdomains of
<strong class="userinput"><code>rpz-nsip</code></strong>.
NSDNAME and NSIP triggers are checked only for names with at
least <span><strong class="command">min-ns-dots</strong></span> dots.
The default value of <span><strong class="command">min-ns-dots</strong></span> is 1 to
exclude top level domains.
</p>
<p>
The query response is checked against all RPZs, so
@ -5650,16 +5779,6 @@ deny-answer-aliases { "example.net"; };
all RPZs are again consulted for the DNAME or CNAME names
and addresses.
</p>
<p>
Authority verification issues and variations in authority data
can cause inconsistent results for NSIP and NSDNAME policy records.
Glue NS records often differ from authoritative NS records.
So they are available
only when <acronym class="acronym">BIND</acronym> is built with the
<strong class="userinput"><code>--enable-rpz-nsip</code></strong> or
<strong class="userinput"><code>--enable-rpz-nsdname</code></strong> options
on the "configure" command line.
</p>
<p>
RPZ record sets are sets of any types of DNS record except
DNAME or DNSSEC that encode actions or responses to queries.
@ -5685,7 +5804,7 @@ deny-answer-aliases { "example.net"; };
walled garden's authority DNS server.
</li>
<li>The <span><strong class="command">PASSTHRU</strong></span> policy is specified
by a CNAME whose target is <span><strong class="command">rpz_passthru.</strong></span>
by a CNAME whose target is <span><strong class="command">rpz-passthru.</strong></span>
It causes the response to not be rewritten
and is most often used to "poke holes" in policies for
CIDR blocks.
@ -5803,6 +5922,25 @@ bzone.domain.com CNAME garden.example.com.
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
</pre>
<p>
RPZ can affect server performance.
Each configured response policy zone requires the server to
perform one to four additional database lookups before a
query can be answered.
For example, a DNS server with four policy zones, each with all
four kinds of response triggers, QNAME, IP, NSIP, and
NSDNAME, requires a total of 17 times as many database
lookups as a similar DNS server with no response policy zones.
A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
response policy zone with QNAME and IP triggers might achieve a
maximum queries-per-second rate about 20% lower.
A server with four response policy zones with QNAME and IP
triggers might have a maximum QPS rate about 50% lower.
</p>
<p>
Responses rewritten by RPZ are counted in the
<span><strong class="command">RPZRewrites</strong></span> statistics.
</p>
</div>
</div>
<div class="sect2" lang="en">
@ -6013,7 +6151,7 @@ ns.domain.com.rpz-nsdname CNAME .
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2589534"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
<a name="id2590070"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">statistics-channels</strong></span> statement
@ -6073,7 +6211,7 @@ ns.domain.com.rpz-nsdname CNAME .
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2589742"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
<a name="id2590278"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span><strong class="command">trusted-keys</strong></span> statement defines
@ -6113,10 +6251,10 @@ ns.domain.com.rpz-nsdname CNAME .
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2589858"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2590325"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
<em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
[<span class="optional"> <em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
};
</pre>
</div>
@ -6224,13 +6362,16 @@ ns.domain.com.rpz-nsdname CNAME .
<span><strong class="command">named</strong></span>.)
</p>
<p>
If the <span><strong class="command">dnssec-lookaside</strong></span> option is
If the <span><strong class="command">dnssec-validation</strong></span> option is
set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
will automatically initialize a managed key for the
zone <code class="literal">dlv.isc.org</code>. The key that is
used to initialize the key maintenance process is built
into <span><strong class="command">named</strong></span>, and can be overridden
from <span><strong class="command">bindkeys-file</strong></span>.
root zone. Similarly, if the <span><strong class="command">dnssec-lookaside</strong></span>
option is set to <strong class="userinput"><code>auto</code></strong>,
<span><strong class="command">named</strong></span> will automatically initialize
a managed key for the zone <code class="literal">dlv.isc.org</code>.
In both cases, the key that is used to initialize the key
maintenance process is built into <span><strong class="command">named</strong></span>,
and can be overridden from <span><strong class="command">bindkeys-file</strong></span>.
</p>
</div>
<div class="sect2" lang="en">
@ -6248,7 +6389,7 @@ ns.domain.com.rpz-nsdname CNAME .
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2590352"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<a name="id2590766"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">view</strong></span> statement is a powerful
feature
@ -6382,6 +6523,7 @@ view "external" {
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
@ -6537,10 +6679,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2591902"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<a name="id2592398"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2591910"></a>Zone Types</h4></div></div></div>
<a name="id2592406"></a>Zone Types</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@ -6800,7 +6942,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2592455"></a>Class</h4></div></div></div>
<a name="id2593019"></a>Class</h4></div></div></div>
<p>
The zone's name may optionally be followed by a class. If
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
@ -6822,7 +6964,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2592488"></a>Zone Options</h4></div></div></div>
<a name="id2593052"></a>Zone Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
<dd><p>
@ -6894,6 +7036,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
See the description of
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
<dd><p>
See the description of
@ -7699,7 +7846,7 @@ example.com. NS ns2.example.net.
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2595170"></a>Zone File</h2></div></div></div>
<a name="id2595755"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
@ -7712,7 +7859,7 @@ example.com. NS ns2.example.net.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2595188"></a>Resource Records</h4></div></div></div>
<a name="id2595842"></a>Resource Records</h4></div></div></div>
<p>
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@ -8449,7 +8596,7 @@ example.com. NS ns2.example.net.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2596880"></a>Textual expression of RRs</h4></div></div></div>
<a name="id2597465"></a>Textual expression of RRs</h4></div></div></div>
<p>
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@ -8652,7 +8799,7 @@ example.com. NS ns2.example.net.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2597537"></a>Discussion of MX Records</h3></div></div></div>
<a name="id2597986"></a>Discussion of MX Records</h3></div></div></div>
<p>
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@ -8908,7 +9055,7 @@ example.com. NS ns2.example.net.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2598084"></a>Inverse Mapping in IPv4</h3></div></div></div>
<a name="id2598601"></a>Inverse Mapping in IPv4</h3></div></div></div>
<p>
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@ -8969,7 +9116,7 @@ example.com. NS ns2.example.net.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2598211"></a>Other Zone File Directives</h3></div></div></div>
<a name="id2598796"></a>Other Zone File Directives</h3></div></div></div>
<p>
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@ -8984,7 +9131,7 @@ example.com. NS ns2.example.net.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2598233"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<a name="id2598819"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<p>
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
@ -8995,7 +9142,7 @@ example.com. NS ns2.example.net.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2598249"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<a name="id2598835"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$ORIGIN</strong></span>
<em class="replaceable"><code>domain-name</code></em>
@ -9024,7 +9171,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2598446"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<a name="id2598964"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$INCLUDE</strong></span>
<em class="replaceable"><code>filename</code></em>
@ -9060,7 +9207,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2598516"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2599101"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$TTL</strong></span>
<em class="replaceable"><code>default-ttl</code></em>
@ -9079,7 +9226,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2598552"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<a name="id2599138"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<p>
Syntax: <span><strong class="command">$GENERATE</strong></span>
<em class="replaceable"><code>range</code></em>
@ -9503,7 +9650,7 @@ HOST-127.EXAMPLE. MX 0 .
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2599437"></a>Name Server Statistics Counters</h4></div></div></div>
<a name="id2600091"></a>Name Server Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@ -10055,12 +10202,25 @@ HOST-127.EXAMPLE. MX 0 .
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">RPZRewrites</strong></span></p>
</td>
<td>
<p><span><strong class="command"></strong></span></p>
</td>
<td>
<p>
Response policy zone rewrites.
</p>
</td>
</tr>
</tbody>
</table></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2601047"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
<a name="id2601596"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@ -10214,7 +10374,7 @@ HOST-127.EXAMPLE. MX 0 .
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2601498"></a>Resolver Statistics Counters</h4></div></div></div>
<a name="id2601979"></a>Resolver Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@ -10597,7 +10757,7 @@ HOST-127.EXAMPLE. MX 0 .
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2602588"></a>Socket I/O Statistics Counters</h4></div></div></div>
<a name="id2603138"></a>Socket I/O Statistics Counters</h4></div></div></div>
<p>
Socket I/O statistics counters are defined per socket
types, which are
@ -10752,7 +10912,7 @@ HOST-127.EXAMPLE. MX 0 .
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2602962"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<a name="id2603579"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<p>
Most statistics counters that were available
in <span><strong class="command">BIND</strong></span> 8 are also supported in

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -46,10 +46,10 @@
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2603136"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2603806"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603285">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603345">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603888">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603947">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
@ -111,17 +111,10 @@ zone "example.com" {
This allows recursive queries of the server from the outside
unless recursion has been previously disabled.
</p>
<p>
For more information on how to use ACLs to protect your server,
see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
</p>
<p>
<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
</p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2603136"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
<a name="id2603806"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
@ -147,7 +140,7 @@ zone "example.com" {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2603285"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<a name="id2603888"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment
to
@ -175,7 +168,7 @@ zone "example.com" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2603345"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<a name="id2603947"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon,
use

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -45,18 +45,18 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603561">Common Problems</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2603566">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603578">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603595">Where Can I Get Help?</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2604027">Common Problems</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2604101">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2604113">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2604130">Where Can I Get Help?</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2603561"></a>Common Problems</h2></div></div></div>
<a name="id2604027"></a>Common Problems</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2603566"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<a name="id2604101"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<p>
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@ -68,7 +68,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2603578"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<a name="id2604113"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<p>
Zone serial numbers are just numbers &#8212; they aren't
date related. A lot of people set them to a number that
@ -95,7 +95,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2603595"></a>Where Can I Get Help?</h2></div></div></div>
<a name="id2604130"></a>Where Can I Get Help?</h2></div></div></div>
<p>
The Internet Systems Consortium
(<acronym class="acronym">ISC</acronym>) offers a wide range

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -45,31 +45,31 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2603657">Acknowledgments</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2604192">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2603761">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2604363">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607177">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607712">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608265">Prerequisite</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608275">Compilation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608299">Installation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608330">Known Defects/Restrictions</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608680">The dns.conf File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608707">Sample Applications</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609611">Library References</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609824">Prerequisite</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609833">Compilation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609175">Installation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609206">Known Defects/Restrictions</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609283">The dns.conf File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609309">Sample Applications</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610282">Library References</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2603657"></a>Acknowledgments</h2></div></div></div>
<a name="id2604192"></a>Acknowledgments</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@ -172,7 +172,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2603761"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<a name="id2604363"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@ -260,17 +260,17 @@
</p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2604017"></a>Bibliography</h4></div></div></div>
<a name="id2604619"></a>Bibliography</h4></div></div></div>
<div class="bibliodiv">
<h3 class="title">Standards</h3>
<div class="biblioentry">
<a name="id2604027"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
<a name="id2604630"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
</div>
<div class="biblioentry">
<a name="id2604051"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
<a name="id2604653"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
<a name="id2604074"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
<a name="id2604677"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
Specification</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
</div>
@ -278,42 +278,42 @@
<h3 class="title">
<a name="proposed_standards"></a>Proposed Standards</h3>
<div class="biblioentry">
<a name="id2604110"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
<a name="id2604713"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
Specification</i>. </span><span class="pubdate">July 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2604137"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
<a name="id2604740"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
Queries</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
<a name="id2604163"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
<a name="id2604765"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2604187"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
<a name="id2604858"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2604211"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
<a name="id2604882"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2604266"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
<a name="id2604937"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2604293"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
<a name="id2604964"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2604320"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
<a name="id2604990"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2604381"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
<a name="id2605052"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2604411"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
<a name="id2605082"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2604441"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
<a name="id2605112"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2604468"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
<a name="id2605139"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
@ -322,19 +322,19 @@
<h3 class="title">
<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
<div class="biblioentry">
<a name="id2604618"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
<a name="id2605221"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
</div>
<div class="biblioentry">
<a name="id2604645"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
<a name="id2605248"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
<div class="biblioentry">
<a name="id2604681"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
<a name="id2605284"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
<a name="id2604746"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
<a name="id2605349"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
<a name="id2604811"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
<a name="id2605414"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
</div>
@ -342,146 +342,146 @@
<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
Implementation</h3>
<div class="biblioentry">
<a name="id2604885"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
<a name="id2605488"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
<a name="id2604910"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
<a name="id2605513"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
<a name="id2605047"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
<a name="id2605581"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2605082"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
<a name="id2605617"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Resource Record Types</h3>
<div class="biblioentry">
<a name="id2605128"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
<a name="id2605662"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
</div>
<div class="biblioentry">
<a name="id2605186"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
<a name="id2605720"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
</div>
<div class="biblioentry">
<a name="id2605223"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
<a name="id2605757"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2605258"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
<a name="id2605793"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
Domain
Name System</i>. </span><span class="pubdate">January 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2605313"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
<a name="id2605847"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
Location of
Services.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2605351"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
<a name="id2605885"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
Distribute MIXER
Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
</div>
<div class="biblioentry">
<a name="id2605377"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
<a name="id2605911"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2605402"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2605937"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2605429"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2606032"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2605456"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2606058"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2605495"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2606098"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2605525"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2606128"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2605555"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
<a name="id2606157"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2605597"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
<a name="id2606200"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2605630"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
<a name="id2606233"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
</div>
<div class="biblioentry">
<a name="id2605657"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
<a name="id2606260"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
</div>
<div class="biblioentry">
<a name="id2605681"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
<a name="id2606283"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
version 6</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
<div class="biblioentry">
<a name="id2605738"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
<a name="id2606341"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> and the Internet</h3>
<div class="biblioentry">
<a name="id2605770"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
<a name="id2606373"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
</div>
<div class="biblioentry">
<a name="id2605796"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
<a name="id2606398"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
Support</i>. </span><span class="pubdate">October 1989. </span></p>
</div>
<div class="biblioentry">
<a name="id2605818"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
<a name="id2606421"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
</div>
<div class="biblioentry">
<a name="id2605842"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
<a name="id2606444"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
<a name="id2605888"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
<a name="id2606490"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2605911"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
<a name="id2606514"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> Operations</h3>
<div class="biblioentry">
<a name="id2605969"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
<a name="id2606571"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
<a name="id2605992"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
<a name="id2606595"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
<a name="id2606019"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
<a name="id2606621"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2606045"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
<a name="id2606648"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2606082"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
<a name="id2606684"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Internationalized Domain Names</h3>
<div class="biblioentry">
<a name="id2606128"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
<a name="id2606730"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2606160"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
<a name="id2606762"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
<a name="id2606205"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
<a name="id2606808"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
<a name="id2606241"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
<a name="id2606843"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in
Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
@ -497,47 +497,47 @@
</p>
</div>
<div class="biblioentry">
<a name="id2606354"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
<a name="id2606888"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
</div>
<div class="biblioentry">
<a name="id2606376"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
<a name="id2606910"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
<a name="id2606402"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
<a name="id2606936"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
</div>
<div class="biblioentry">
<a name="id2606427"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
<a name="id2606962"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2606451"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
<a name="id2606985"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
<a name="id2606497"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
<a name="id2607031"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
<a name="id2606520"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
<a name="id2607054"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
</div>
<div class="biblioentry">
<a name="id2606547"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
<a name="id2607081"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
</div>
<div class="biblioentry">
<a name="id2606572"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
<a name="id2607175"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
<div class="biblioentry">
<a name="id2606616"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
<a name="id2607219"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
Location</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
<a name="id2606674"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
<a name="id2607276"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2606700"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
<a name="id2607303"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
</div>
</div>
@ -551,39 +551,39 @@
</p>
</div>
<div class="biblioentry">
<a name="id2606748"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
<a name="id2607351"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2606788"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
<a name="id2607390"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2606814"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2607417"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2606844"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
<a name="id2607447"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2606870"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
<a name="id2607473"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
</div>
<div class="biblioentry">
<a name="id2606897"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
<a name="id2607499"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
</div>
<div class="biblioentry">
<a name="id2606933"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
<a name="id2607536"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
</div>
<div class="biblioentry">
<a name="id2607037"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
<a name="id2607572"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
</div>
<div class="biblioentry">
<a name="id2607064"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
<a name="id2607598"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
</div>
<div class="biblioentry">
<a name="id2607091"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
<a name="id2607625"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
</div>
<div class="biblioentry">
<a name="id2607136"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
<a name="id2607670"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
</div>
</div>
@ -604,14 +604,14 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2607177"></a>Other Documents About <acronym class="acronym">BIND</acronym>
<a name="id2607712"></a>Other Documents About <acronym class="acronym">BIND</acronym>
</h3></div></div></div>
<p></p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2607187"></a>Bibliography</h4></div></div></div>
<a name="id2607721"></a>Bibliography</h4></div></div></div>
<div class="biblioentry">
<a name="id2607189"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
<a name="id2607723"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
</div>
</div>
</div>
@ -648,7 +648,7 @@
</ul></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608265"></a>Prerequisite</h3></div></div></div>
<a name="id2609824"></a>Prerequisite</h3></div></div></div>
<p>GNU make is required to build the export libraries (other
part of BIND 9 can still be built with other types of make). In
the reminder of this document, "make" means GNU make. Note that
@ -657,7 +657,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608275"></a>Compilation</h3></div></div></div>
<a name="id2609833"></a>Compilation</h3></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong>
$ <strong class="userinput"><code>make</code></strong>
@ -672,7 +672,7 @@ $ <strong class="userinput"><code>make</code></strong>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608299"></a>Installation</h3></div></div></div>
<a name="id2609175"></a>Installation</h3></div></div></div>
<pre class="screen">
$ <strong class="userinput"><code>cd lib/export</code></strong>
$ <strong class="userinput"><code>make install</code></strong>
@ -694,7 +694,7 @@ $ <strong class="userinput"><code>make install</code></strong>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608330"></a>Known Defects/Restrictions</h3></div></div></div>
<a name="id2609206"></a>Known Defects/Restrictions</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
<li><p>Currently, win32 is not supported for the export
library. (Normal BIND 9 application can be built as
@ -734,7 +734,7 @@ $ <strong class="userinput"><code>make</code></strong>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608680"></a>The dns.conf File</h3></div></div></div>
<a name="id2609283"></a>The dns.conf File</h3></div></div></div>
<p>The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
@ -752,14 +752,14 @@ $ <strong class="userinput"><code>make</code></strong>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2608707"></a>Sample Applications</h3></div></div></div>
<a name="id2609309"></a>Sample Applications</h3></div></div></div>
<p>Some sample application programs using this API are
provided for reference. The following is a brief description of
these applications.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2608715"></a>sample: a simple stub resolver utility</h4></div></div></div>
<a name="id2609318"></a>sample: a simple stub resolver utility</h4></div></div></div>
<p>
It sends a query of a given name (of a given optional RR type) to a
specified recursive server, and prints the result as a list of
@ -823,7 +823,7 @@ $ <strong class="userinput"><code>make</code></strong>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2608806"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
<a name="id2609409"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
<p>
Similar to "sample", but accepts a list
of (query) domain names as a separate file and resolves the names
@ -864,7 +864,7 @@ $ <strong class="userinput"><code>make</code></strong>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2608859"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
<a name="id2609462"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
<p>
It sends a query to a specified server, and
prints the response with minimal processing. It doesn't act as a
@ -905,7 +905,7 @@ $ <strong class="userinput"><code>make</code></strong>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2608992"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
<a name="id2609526"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
<p>
This is a test program
to check getaddrinfo() and getnameinfo() behavior. It takes a
@ -922,7 +922,7 @@ $ <strong class="userinput"><code>make</code></strong>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2609006"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
<a name="id2609541"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
<p>
It accepts a single update command as a
command-line argument, sends an update request message to the
@ -1017,7 +1017,7 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2609138"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
<a name="id2610218"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
<p>
It checks a set
of domains to see the name servers of the domains behave
@ -1074,7 +1074,7 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2609611"></a>Library References</h3></div></div></div>
<a name="id2610282"></a>Library References</h3></div></div></div>
<p>As of this writing, there is no formal "manual" of the
libraries, except this document, header files (some of them
provide pretty detailed explanations), and sample application

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -41,7 +41,7 @@
<div>
<div><h1 class="title">
<a name="id2563175"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="copyright">Copyright © 2004-2012 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright © 2004-2013 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
</div>
<hr>
@ -51,39 +51,39 @@
<dl>
<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564375">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564398">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564538">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564720">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564378">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564402">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564541">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564723">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564741">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564775">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567180">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567257">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567430">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567560">Name Servers in Multiple Roles</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564744">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564846">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567184">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567260">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567433">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567563">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567594">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567621">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567634">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567729">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567739">Supported Operating Systems</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567597">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567624">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567637">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567732">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567742">Supported Operating Systems</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567771">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567992">An Authoritative-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567774">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567995">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568014">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568369">Name Server Operations</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568018">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568372">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568374">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570421">Signals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568377">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570424">Signals</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@ -92,64 +92,64 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570934">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570952">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570937">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570955">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564012">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564086">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571811">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571847">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571905">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571954">Errors</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564016">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564089">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571814">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571850">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571908">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571957">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571968">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572153">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571971">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572156">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572221">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572300">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572381">Configuring Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572225">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572304">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572385">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571475">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571512">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563493">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563575">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563612">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563762">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563795">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563821">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563899">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563909">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563922">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571605">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571614">NSEC3 and OPTOUT</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608395">Converting from insecure to secure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563581">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563754">Fully automatic zone signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563836">Private-type records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563874">DNSKEY rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563886">Dynamic DNS update method</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563920">Automatic key rollovers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563946">NSEC3PARAM rollovers via UPDATE</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563956">Converting from NSEC to NSEC3</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571406">Converting from NSEC3 to NSEC</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571419">Converting from secure to insecure</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571457">Periodic re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571466">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607510">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571692">Authoritative Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571658">Validating Resolver</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571681">Authoritative Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610637">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608477">Building BIND 9 with PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608602">PKCS #11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2634916">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635114">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635160">Running named with automatic zone re-signing</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611650">Prerequisites</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608875">Building BIND 9 with PKCS#11</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609137">PKCS #11 Tools</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635518">Using the HSM</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635785">Specifying the engine on the command line</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635831">Running named with automatic zone re-signing</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572669">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572604">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572868">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572889">Address to Name Lookups Using Nibble Format</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572871">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572892">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572922">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572925">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@ -157,58 +157,58 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574332">Comment Syntax</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574405">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574986"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574990"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575180"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575467"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575484"><span><strong class="command">include</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575472"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575489"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575576"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575600"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575758"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575884"><span><strong class="command">logging</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575649"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575672"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575763"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575889"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577910"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577984"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578116"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578160"><span><strong class="command">masters</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577914"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577988"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578120"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578164"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578174"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578179"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589534"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590070"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589742"><span><strong class="command">trusted-keys</strong></span> Statement Definition
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590278"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589858"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590325"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590352"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590766"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591902"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592398"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595170">Zone File</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595755">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597537">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597986">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598084">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598211">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598552"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598601">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598796">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599138"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@ -217,41 +217,41 @@
<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2603136"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2603806"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603285">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603345">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603888">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603947">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603561">Common Problems</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2603566">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603578">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603595">Where Can I Get Help?</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2604027">Common Problems</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2604101">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2604113">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2604130">Where Can I Get Help?</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2603657">Acknowledgments</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2604192">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2603761">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2604363">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607177">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607712">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608265">Prerequisite</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608275">Compilation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608299">Installation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608330">Known Defects/Restrictions</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608680">The dns.conf File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608707">Sample Applications</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609611">Library References</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609824">Prerequisite</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609833">Compilation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609175">Installation</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609206">Known Defects/Restrictions</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609283">The dns.conf File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609309">Sample Applications</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610282">Library References</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>

File diff suppressed because one or more lines are too long

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,20 +50,20 @@
<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2618405"></a><h2>DESCRIPTION</h2>
<a name="id2617315"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2618420"></a><h2>SEE ALSO</h2>
<a name="id2617330"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2618434"></a><h2>AUTHOR</h2>
<a name="id2651272"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2641910"></a><h2>DESCRIPTION</h2>
<a name="id2645394"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">ddns-confgen</strong></span>
generates a key for use by <span><strong class="command">nsupdate</strong></span>
and <span><strong class="command">named</strong></span>. It simplifies configuration
@ -77,7 +77,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2641997"></a><h2>OPTIONS</h2>
<a name="id2645481"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
@ -144,7 +144,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2642608"></a><h2>SEE ALSO</h2>
<a name="id2653328"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@ -152,7 +152,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2642646"></a><h2>AUTHOR</h2>
<a name="id2653366"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -52,7 +52,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2609644"></a><h2>DESCRIPTION</h2>
<a name="id2610344"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@ -75,9 +75,10 @@
</p>
<p>
Unless it is told to query a specific name server,
<span><strong class="command">dig</strong></span> will try each of the servers listed
in
<code class="filename">/etc/resolv.conf</code>.
<span><strong class="command">dig</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server addreses
are found, <span><strong class="command">dig</strong></span> will send the query to the local
host.
</p>
<p>
When no command line arguments or options are given,
@ -98,7 +99,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2609808"></a><h2>SIMPLE USAGE</h2>
<a name="id2610515"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@ -109,22 +110,29 @@
</p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd><p>
is the name or IP address of the name server to query. This can
be an IPv4
address in dotted-decimal notation or an IPv6
<dd>
<p>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a
hostname,
<span><strong class="command">dig</strong></span> resolves that name before
querying that name
server. If no <em class="parameter"><code>server</code></em>
argument is provided,
<span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>
and queries the name servers listed there. The reply from the
name
server that responds is displayed.
</p></dd>
<em class="parameter"><code>server</code></em> argument is a hostname,
<span><strong class="command">dig</strong></span> resolves that name before querying
that name server.
</p>
<p>
If no <em class="parameter"><code>server</code></em> argument is
provided, <span><strong class="command">dig</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span><strong class="command">dig</strong></span> will send the query to the
local host. The reply from the name server that
responds is displayed.
</p>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd><p>
is the name of the resource record that is to be looked up.
@ -144,7 +152,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2610055"></a><h2>OPTIONS</h2>
<a name="id2610641"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@ -248,7 +256,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2662690"></a><h2>QUERY OPTIONS</h2>
<a name="id2663207"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@ -579,7 +587,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2663772"></a><h2>MULTIPLE QUERIES</h2>
<a name="id2664290"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@ -625,7 +633,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2663858"></a><h2>IDN SUPPORT</h2>
<a name="id2664375"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@ -639,14 +647,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2663886"></a><h2>FILES</h2>
<a name="id2664540"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2663908"></a><h2>SEE ALSO</h2>
<a name="id2664562"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@ -654,7 +662,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2663945"></a><h2>BUGS</h2>
<a name="id2664599"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -51,14 +51,14 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2611633"></a><h2>DESCRIPTION</h2>
<a name="id2612124"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2611646"></a><h2>OPTIONS</h2>
<a name="id2612138"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@ -120,7 +120,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2611835"></a><h2>EXAMPLE</h2>
<a name="id2612327"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@ -135,7 +135,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2611872"></a><h2>FILES</h2>
<a name="id2612568"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@ -149,13 +149,13 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2611913"></a><h2>CAVEAT</h2>
<a name="id2612610"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2611923"></a><h2>SEE ALSO</h2>
<a name="id2612619"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@ -165,7 +165,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2611962"></a><h2>AUTHOR</h2>
<a name="id2612659"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2612614"></a><h2>DESCRIPTION</h2>
<a name="id2613242"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
@ -63,7 +63,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2612634"></a><h2>OPTIONS</h2>
<a name="id2614013"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@ -183,7 +183,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2613344"></a><h2>TIMING OPTIONS</h2>
<a name="id2614859"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@ -230,7 +230,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2615080"></a><h2>GENERATED KEY FILES</h2>
<a name="id2616323"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
@ -269,7 +269,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2615447"></a><h2>SEE ALSO</h2>
<a name="id2616417"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@ -277,7 +277,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2615480"></a><h2>AUTHOR</h2>
<a name="id2616450"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2613979"></a><h2>DESCRIPTION</h2>
<a name="id2615154"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@ -64,7 +64,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2614068"></a><h2>OPTIONS</h2>
<a name="id2615174"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@ -269,7 +269,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2666124"></a><h2>TIMING OPTIONS</h2>
<a name="id2669210"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@ -340,7 +340,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2666314"></a><h2>GENERATED KEYS</h2>
<a name="id2669332"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@ -386,7 +386,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2666422"></a><h2>EXAMPLE</h2>
<a name="id2669508"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@ -407,7 +407,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2666478"></a><h2>SEE ALSO</h2>
<a name="id2669564"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
@ -416,7 +416,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2666509"></a><h2>AUTHOR</h2>
<a name="id2669732"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2614416"></a><h2>DESCRIPTION</h2>
<a name="id2616000"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@ -58,7 +58,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2614429"></a><h2>OPTIONS</h2>
<a name="id2616013"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@ -96,14 +96,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2614550"></a><h2>SEE ALSO</h2>
<a name="id2616134"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2614574"></a><h2>AUTHOR</h2>
<a name="id2616158"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2614758"></a><h2>DESCRIPTION</h2>
<a name="id2616615"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
@ -76,7 +76,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2614817"></a><h2>OPTIONS</h2>
<a name="id2616742"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
@ -109,7 +109,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2615184"></a><h2>TIMING OPTIONS</h2>
<a name="id2616836"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@ -188,7 +188,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2615322"></a><h2>PRINTING OPTIONS</h2>
<a name="id2616974"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
@ -214,7 +214,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2615607"></a><h2>SEE ALSO</h2>
<a name="id2617123"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@ -222,7 +222,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2615640"></a><h2>AUTHOR</h2>
<a name="id2617156"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2616228"></a><h2>DESCRIPTION</h2>
<a name="id2618290"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@ -61,7 +61,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2616247"></a><h2>OPTIONS</h2>
<a name="id2618309"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@ -397,7 +397,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2667564"></a><h2>EXAMPLE</h2>
<a name="id2672630"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@ -427,14 +427,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2667643"></a><h2>SEE ALSO</h2>
<a name="id2672709"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2667668"></a><h2>AUTHOR</h2>
<a name="id2672733"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">genrandom</code> [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2642837"></a><h2>DESCRIPTION</h2>
<a name="id2653420"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">genrandom</strong></span>
generates a file or a set of files containing a specified quantity
@ -59,7 +59,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2642852"></a><h2>ARGUMENTS</h2>
<a name="id2653435"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
@ -77,14 +77,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2642913"></a><h2>SEE ALSO</h2>
<a name="id2653496"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2642939"></a><h2>AUTHOR</h2>
<a name="id2653523"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2610871"></a><h2>DESCRIPTION</h2>
<a name="id2611090"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@ -202,7 +202,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2611317"></a><h2>IDN SUPPORT</h2>
<a name="id2611877"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@ -216,12 +216,12 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2611346"></a><h2>FILES</h2>
<a name="id2613954"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2611360"></a><h2>SEE ALSO</h2>
<a name="id2613968"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2619705"></a><h2>DESCRIPTION</h2>
<a name="id2617529"></a><h2>DESCRIPTION</h2>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@ -76,7 +76,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2643899"></a><h2>SECURITY CONSIDERATIONS</h2>
<a name="id2653602"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
@ -87,14 +87,14 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2643915"></a><h2>SEE ALSO</h2>
<a name="id2653618"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2104</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2643932"></a><h2>AUTHOR</h2>
<a name="id2653635"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2617093"></a><h2>DESCRIPTION</h2>
<a name="id2619428"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span><strong class="command">named</strong></span> configuration file. The file is parsed
@ -70,7 +70,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2617163"></a><h2>OPTIONS</h2>
<a name="id2619498"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@ -109,21 +109,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2617298"></a><h2>RETURN VALUES</h2>
<a name="id2619633"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2617312"></a><h2>SEE ALSO</h2>
<a name="id2619646"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2617341"></a><h2>AUTHOR</h2>
<a name="id2619676"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -47,11 +47,11 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2618775"></a><h2>DESCRIPTION</h2>
<a name="id2633210"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@ -71,7 +71,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2618825"></a><h2>OPTIONS</h2>
<a name="id2674630"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@ -232,6 +232,13 @@
directives in the configuration file are processed as if
run by a similarly chrooted named.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Check if Sender Policy Framework records (TXT and SPF)
both exist or both don't exist. A warning is issued
if they don't match. Possible modes are
<span><strong class="command">"warn"</strong></span> (default), <span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
chdir to <code class="filename">directory</code> so that
@ -265,14 +272,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2671342"></a><h2>RETURN VALUES</h2>
<a name="id2675429"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2671356"></a><h2>SEE ALSO</h2>
<a name="id2675443"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@ -280,7 +287,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2671389"></a><h2>AUTHOR</h2>
<a name="id2675476"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2616312"></a><h2>DESCRIPTION</h2>
<a name="id2613857"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">named-journalprint</strong></span>
prints the contents of a zone journal file in a human-readable
@ -76,7 +76,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2621956"></a><h2>SEE ALSO</h2>
<a name="id2639434"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
@ -84,7 +84,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2621987"></a><h2>AUTHOR</h2>
<a name="id2639465"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2619008"></a><h2>DESCRIPTION</h2>
<a name="id2633550"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@ -65,7 +65,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2619038"></a><h2>OPTIONS</h2>
<a name="id2633581"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@ -246,7 +246,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2638843"></a><h2>SIGNALS</h2>
<a name="id2641303"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@ -267,7 +267,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2660602"></a><h2>CONFIGURATION</h2>
<a name="id2641353"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@ -284,7 +284,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2660651"></a><h2>FILES</h2>
<a name="id2675740"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@ -297,7 +297,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2660695"></a><h2>SEE ALSO</h2>
<a name="id2675784"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
@ -310,7 +310,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2675716"></a><h2>AUTHOR</h2>
<a name="id2675854"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -48,7 +48,7 @@
<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2643980"></a><h2>DESCRIPTION</h2>
<a name="id2653680"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
@ -56,7 +56,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2643995"></a><h2>ARGUMENTS</h2>
<a name="id2653694"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">salt</span></dt>
<dd><p>
@ -80,14 +80,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2644125"></a><h2>SEE ALSO</h2>
<a name="id2653756"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5155</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2644142"></a><h2>AUTHOR</h2>
<a name="id2653773"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2626656"></a><h2>DESCRIPTION</h2>
<a name="id2639765"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@ -210,7 +210,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2633475"></a><h2>INPUT FORMAT</h2>
<a name="id2641532"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
@ -498,7 +498,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2678828"></a><h2>EXAMPLES</h2>
<a name="id2676987"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@ -552,7 +552,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2678878"></a><h2>FILES</h2>
<a name="id2677037"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
@ -575,7 +575,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2678962"></a><h2>SEE ALSO</h2>
<a name="id2677121"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 2136</em>,
<em class="citetitle">RFC 3007</em>,
@ -590,7 +590,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2679019"></a><h2>BUGS</h2>
<a name="id2677246"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2641110"></a><h2>DESCRIPTION</h2>
<a name="id2643706"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@ -66,7 +66,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2641176"></a><h2>OPTIONS</h2>
<a name="id2643772"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@ -173,7 +173,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2641835"></a><h2>EXAMPLES</h2>
<a name="id2644978"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@ -190,7 +190,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2643189"></a><h2>SEE ALSO</h2>
<a name="id2645034"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@ -198,7 +198,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2643842"></a><h2>AUTHOR</h2>
<a name="id2652650"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2639872"></a><h2>DESCRIPTION</h2>
<a name="id2642400"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@ -135,7 +135,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2640180"></a><h2>EXAMPLE</h2>
<a name="id2642571"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
@ -209,7 +209,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2640301"></a><h2>NAME SERVER CONFIGURATION</h2>
<a name="id2643239"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
@ -219,7 +219,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2640327"></a><h2>SEE ALSO</h2>
<a name="id2643265"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@ -227,7 +227,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2640365"></a><h2>AUTHOR</h2>
<a name="id2643303"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2638953"></a><h2>DESCRIPTION</h2>
<a name="id2641686"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
@ -79,7 +79,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2639003"></a><h2>OPTIONS</h2>
<a name="id2641736"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
@ -151,7 +151,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2639228"></a><h2>LIMITATIONS</h2>
<a name="id2642029"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@ -165,7 +165,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2639259"></a><h2>SEE ALSO</h2>
<a name="id2642060"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@ -175,7 +175,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2639315"></a><h2>AUTHOR</h2>
<a name="id2642116"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

View File

@ -43,7 +43,7 @@
This is a shared library object, providing a low-level PKCS #11
interface to the HSM hardware. It is dynamically loaded by
OpenSSL at runtime. The PKCS #11 provider comes from the HSM
vendor, and and is specific to the HSM to be controlled.</para>
vendor, and is specific to the HSM to be controlled.</para>
<para>There are two "flavors" of PKCS #11 support provided by
the patched OpenSSL, one of which must be chosen at
configuration time. The correct choice depends on the HSM

View File

@ -86,6 +86,7 @@ options {
check-mx-cname ( fail | warn | ignore );
check-names ( master | slave | response ) ( fail | warn | ignore );
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
cleaning-interval <integer>;
@ -200,7 +201,7 @@ options {
| passthru | no-op | nxdomain | nodata | cname <quoted_string>
) ] [ recursive-only <boolean> ] [ max-policy-ttl <integer> ];
... } [ recursive-only <boolean> ] [ break-dnssec <boolean> ] [
max-policy-ttl <integer> ];
max-policy-ttl <integer> ] [ min-ns-dots <integer> ];
rfc2308-type1 <boolean>; // not yet implemented
root-delegation-only [ exclude { <quoted_string>; ... } ];
rrset-order { [ class <string> ] [ type <string> ] [ name
@ -307,6 +308,7 @@ view <string> <optional_class> {
check-mx-cname ( fail | warn | ignore );
check-names ( master | slave | response ) ( fail | warn | ignore );
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
cleaning-interval <integer>;
@ -405,7 +407,7 @@ view <string> <optional_class> {
| passthru | no-op | nxdomain | nodata | cname <quoted_string>
) ] [ recursive-only <boolean> ] [ max-policy-ttl <integer> ];
... } [ recursive-only <boolean> ] [ break-dnssec <boolean> ] [
max-policy-ttl <integer> ];
max-policy-ttl <integer> ] [ min-ns-dots <integer> ];
rfc2308-type1 <boolean>; // not yet implemented
root-delegation-only [ exclude { <quoted_string>; ... } ];
rrset-order { [ class <string> ] [ type <string> ] [ name
@ -470,6 +472,7 @@ view <string> <optional_class> {
check-mx-cname ( fail | warn | ignore );
check-names ( fail | warn | ignore );
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
database <string>;
@ -558,6 +561,7 @@ zone <string> <optional_class> {
check-mx-cname ( fail | warn | ignore );
check-names ( fail | warn | ignore );
check-sibling <boolean>;
check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore );
check-wildcard <boolean>;
database <string>;

View File

@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2007, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -20,6 +20,8 @@
prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@
libdir=@libdir@
usage()
{
@ -57,6 +59,7 @@ while test $# -gt 0; do
prefix=$optarg
if test "x$exec_prefix_set" = x ; then
exec_prefix=$prefix
exec_prefix_set=true
fi
;;
--prefix)
@ -64,6 +67,7 @@ while test $# -gt 0; do
;;
--exec-prefix=*)
exec_prefix=$optarg
exec_prefix_set=true
;;
--exec-prefix)
echo_exec_prefix=true
@ -115,14 +119,22 @@ if test x"$echo_exec_prefix" = x"true" ; then
echo $exec_prefix
fi
if test x"$echo_cflags" = x"true"; then
includes="-I${exec_prefix}/include"
if test x"${exec_prefix_set}" = x"true"; then
includes="-I${exec_prefix}/include"
else
includes="-I${includedir}"
fi
if test x"$libisc" = x"true"; then
includes="$includes @ALWAYS_DEFINES@ @STD_CINCLUDES@ @STD_CDEFINES@ @CCOPT@"
fi
echo $includes
fi
if test x"$echo_libs" = x"true"; then
libs=-L${exec_prefix}/lib
if test x"${exec_prefix_set}" = x"true"; then
includes="-L${exec_prefix}/lib"
else
libs="-L${libdir}"
fi
if test x"$liblwres" = x"true" ; then
libs="$libs -llwres"
fi

View File

@ -1,4 +1,4 @@
# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2007, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001, 2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -27,3 +27,8 @@ SUBDIRS = isc isccc dns isccfg bind9 lwres tests
TARGETS =
@BIND9_MAKE_RULES@
distclean::
@echo "making $@ in `pwd`/irs"; \
(cd irs; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1;

Some files were not shown because too many files have changed in this diff Show More