Diffstat (limited to 'contrib/bind9/doc/arm/Bv9ARM.ch06.html')
-rw-r--r-- | contrib/bind9/doc/arm/Bv9ARM.ch06.html | 512 |
1 files changed, 382 insertions, 130 deletions
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
index e26bf6a..bd260dc 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch06.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
@@ -48,58 +48,58 @@ <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> <dd><dl> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574405">Comment Syntax</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574711">Comment Syntax</a></span></dt> </dl></dd> <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574990"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575371"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575180"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575561"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575472"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575489"><span><strong class="command">include</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575921"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a 
href="Bv9ARM.ch06.html#id2575938"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575649"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575672"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575763"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575889"><span><strong class="command">logging</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575961"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575985"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576075"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576269"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577914"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577988"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578120"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578164"><span><strong class="command">masters</strong></span> Statement Definition and +<dt><span class="sect2"><a 
href="Bv9ARM.ch06.html#id2578364"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578438"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578502"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578546"><span><strong class="command">masters</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578179"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578567"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590070"><span><strong class="command">statistics-channels</strong></span> Statement Definition and +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590613"><span><strong class="command">statistics-channels</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong 
class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590278"><span><strong class="command">trusted-keys</strong></span> Statement Definition +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590920"><span><strong class="command">trusted-keys</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590325"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590967"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590766"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591409"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592398"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593189"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595755">Zone File</a></span></dt> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2596875">Zone 
File</a></span></dt> <dd><dl> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597986">Discussion of MX Records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599037">Discussion of MX Records</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598601">Inverse Mapping in IPv4</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598796">Other Zone File Directives</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599138"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599585">Inverse Mapping in IPv4</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599848">Other Zone File Directives</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600189"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> </dl></dd> <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> 
@@ -491,7 +491,7 @@ <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2574103"></a>Syntax</h4></div></div></div> +<a name="id2574546"></a>Syntax</h4></div></div></div> <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ; [<span class="optional"> address_match_list_element; ... </span>] <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] | @@ -500,7 +500,7 @@ </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2574131"></a>Definition and Usage</h4></div></div></div> +<a name="id2574573"></a>Definition and Usage</h4></div></div></div> <p> Address match lists are primarily used to determine access control for various server operations. They are also used in @@ -584,7 +584,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574405"></a>Comment Syntax</h3></div></div></div> +<a name="id2574711"></a>Comment Syntax</h3></div></div></div> <p> The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for comments to appear @@ -594,7 +594,7 @@ </p> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2574420"></a>Syntax</h4></div></div></div> +<a name="id2574726"></a>Syntax</h4></div></div></div> <p> </p> <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre> 
@@ -610,7 +610,7 @@ </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2574450"></a>Definition and Usage</h4></div></div></div> +<a name="id2574756"></a>Definition and Usage</h4></div></div></div> <p> Comments may appear anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration file. @@ -774,7 +774,9 @@ <td> <p> defines a named masters list for - inclusion in stub and slave zone masters clauses. + inclusion in stub and slave zones' + <span><strong class="command">masters</strong></span> or + <span><strong class="command">also-notify</strong></span> lists. </p> </td> </tr> @@ -862,7 +864,7 @@ </p> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574990"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2575371"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name { address_match_list }; @@ -944,7 +946,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575180"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2575561"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">controls</strong></span> { [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> } 
@@ -1068,12 +1070,12 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575472"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2575921"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre> </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575489"></a><span><strong class="command">include</strong></span> Statement Definition and +<a name="id2575938"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">include</strong></span> statement inserts the @@ -1088,7 +1090,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575649"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2575961"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> { algorithm <em class="replaceable"><code>string</code></em>; secret <em class="replaceable"><code>string</code></em>; 
@@ -1097,7 +1099,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575672"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="id2575985"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">key</strong></span> statement defines a shared secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) @@ -1144,7 +1146,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575763"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2576075"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">logging</strong></span> { [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em> @@ -1168,7 +1170,7 @@ </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575889"></a><span><strong class="command">logging</strong></span> Statement Definition and +<a name="id2576269"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">logging</strong></span> statement configures a 
@@ -1202,7 +1204,7 @@ </p> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2576009"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div> +<a name="id2576322"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div> <p> All log output goes to one or more <span class="emphasis"><em>channels</em></span>; you can make as many of them as you want. @@ -1663,10 +1665,16 @@ category notify { null; }; </p> <p> - <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code> + <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code> </p> <p> - <code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code> + <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code> + </p> + <p> + (The first part of this log message, showing the + client address/port number and query name, is + repeated in all subsequent log messages related + to the same query.) </p> </td> </tr> @@ -1780,7 +1788,7 @@ category notify { null; }; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2577326"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div> +<a name="id2577777"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div> <p> The <span><strong class="command">query-errors</strong></span> category is specifically intended for debugging purposes: To identify 
@@ -2008,7 +2016,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577914"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2578364"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div> <p> This is the grammar of the <span><strong class="command">lwres</strong></span> statement in the <code class="filename">named.conf</code> file: @@ -2024,7 +2032,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577988"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="id2578438"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">lwres</strong></span> statement configures the name @@ -2075,7 +2083,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2578120"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2578502"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"> <span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; 
@@ -2083,16 +2091,17 @@ badresp:1,adberr:0,findfail:0,valfail:0] </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2578164"></a><span><strong class="command">masters</strong></span> Statement Definition and +<a name="id2578546"></a><span><strong class="command">masters</strong></span> Statement Definition and Usage</h3></div></div></div> <p><span><strong class="command">masters</strong></span> lists allow for a common set of masters to be easily used by - multiple stub and slave zones. + multiple stub and slave zones in their <span><strong class="command">masters</strong></span> + or <span><strong class="command">also-notify</strong></span> lists. </p> </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2578179"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2578567"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div> <p> This is the grammar of the <span><strong class="command">options</strong></span> statement in the <code class="filename">named.conf</code> file: 
@@ -2122,7 +2131,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>] [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>] [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>] 
@@ -2176,7 +2185,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>] [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>] [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 
@@ -2222,8 +2233,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; - [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; + [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>] [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>] 
@@ -2274,6 +2286,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>] [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>] [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>] [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; 
@@ -2826,6 +2839,68 @@ options { }; </pre> </dd> +<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt> +<dd> +<p> + If this option is set to its default value of + <code class="literal">maintain</code> in a zone of type + <code class="literal">master</code> which is DNSSEC-signed + and configured to allow dynamic updates (see + <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and + if <span><strong class="command">named</strong></span> has access to the + private signing key(s) for the zone, then + <span><strong class="command">named</strong></span> will automatically sign all new + or changed records and maintain signatures for the zone + by regenerating RRSIG records whenever they approach + their expiration date. + </p> +<p> + If the option is changed to <code class="literal">no-resign</code>, + then <span><strong class="command">named</strong></span> will sign all new or + changed records, but scheduled maintenance of + signatures is disabled. + </p> +<p> + With either of these settings, <span><strong class="command">named</strong></span> + will reject updates to a DNSSEC-signed zone when the + signing keys are inactive or unavailable to + <span><strong class="command">named</strong></span>. (A planned third option, + <code class="literal">external</code>, will disable all automatic + signing and allow DNSSEC data to be submitted into a zone + via dyanmic update; this is not yet implemented.) 
+ </p> +</dd> +<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> +<dd> +<p> + If <strong class="userinput"><code>full</code></strong>, the server will collect + statistical data on all zones (unless specifically + turned off on a per-zone basis by specifying + <span><strong class="command">zone-statistics terse</strong></span> or + <span><strong class="command">zone-statistics none</strong></span> + in the <span><strong class="command">zone</strong></span> statement). + The default is <strong class="userinput"><code>terse</code></strong>, providing + minimal statistics on zones (including name and + current serial number, but not query type + counters). + </p> +<p> + These statistics may be accessed via the + <span><strong class="command">statistics-channel</strong></span> or + using <span><strong class="command">rndc stats</strong></span>, which + will dump them to the file listed + in the <span><strong class="command">statistics-file</strong></span>. See + also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. + </p> +<p> + For backward compatibility with earlier versions + of BIND 9, the <span><strong class="command">zone-statistics</strong></span> + option can also accept <strong class="userinput"><code>yes</code></strong> + or <strong class="userinput"><code>no</code></strong>, which have the same + effect as <strong class="userinput"><code>full</code></strong> and + <strong class="userinput"><code>terse</code></strong>, respectively. + </p> +</dd> </dl></div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> 
@@ -3246,20 +3321,6 @@ options { <acronym class="acronym">BIND</acronym> 9 always allocates query IDs from a pool. </p></dd> -<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> -<dd><p> - If <strong class="userinput"><code>yes</code></strong>, the server will collect - statistical data on all zones (unless specifically turned - off - on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span> - in the <span><strong class="command">zone</strong></span> statement). - The default is <strong class="userinput"><code>no</code></strong>. - These statistics may be accessed - using <span><strong class="command">rndc stats</strong></span>, which will - dump them to the file listed - in the <span><strong class="command">statistics-file</strong></span>. See - also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. - </p></dd> <dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt> <dd><p> <span class="emphasis"><em>This option is obsolete</em></span>. 
@@ -3451,13 +3512,14 @@ options { <dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> <dd> <p> - When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master - zone from its zone file or receives a new version of a slave - file by a non-incremental zone transfer, it will compare - the new version to the previous one and calculate a set - of differences. The differences are then logged in the - zone's journal file such that the changes can be transmitted - to downstream slaves as an incremental zone transfer. + When <strong class="userinput"><code>yes</code></strong> and the server loads a new + version of a master zone from its zone file or receives a + new version of a slave file via zone transfer, it will + compare the new version to the previous one and calculate + a set of differences. The differences are then logged in + the zone's journal file such that the changes can be + transmitted to downstream slaves as an incremental zone + transfer. </p> <p> By allowing incremental zone transfers to be used for 
@@ -3687,6 +3749,21 @@ options { <code class="literal">no</code>, this option is ignored. </p> </dd> +<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt> +<dd><p> + When a zone is configured with <span><strong class="command">auto-dnssec + maintain;</strong></span> its key repository must be checked + periodically to see if any new keys have been added + or any existing keys' timing metadata has been updated + (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and + <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The + <span><strong class="command">dnssec-loadkeys-interval</strong></span> option + sets the frequency of autoatic repository checks, in + minutes. The default is <code class="literal">60</code> (1 hour), + the minimum is <code class="literal">1</code> (1 minute), and the + maximum is <code class="literal">1440</code> (24 hours); any higher + value is silently reduced. + </p></dd> <dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt> <dd><p> Try to refresh the zone using TCP if UDP queries fail. @@ -3722,7 +3799,7 @@ options { </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2583834"></a>Forwarding</h4></div></div></div> +<a name="id2584393"></a>Forwarding</h4></div></div></div> <p> The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external 
@@ -3766,7 +3843,7 @@ options { </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2583893"></a>Dual-stack Servers</h4></div></div></div> +<a name="id2584588"></a>Dual-stack Servers</h4></div></div></div> <p> Dual-stack servers are used as servers of last resort to work around @@ -3983,7 +4060,7 @@ options { </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2584590"></a>Interfaces</h4></div></div></div> +<a name="id2585149"></a>Interfaces</h4></div></div></div> <p> The interfaces and ports that the server will answer queries from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes @@ -4204,7 +4281,8 @@ avoid-v6-udp-ports {}; </p> <div class="variablelist"><dl> <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> -<dd><p> +<dd> +<p> Defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the @@ -4216,6 +4294,13 @@ avoid-v6-udp-ports {}; <span><strong class="command">also-notify</strong></span> address to send the notify messages to a port other than the default of 53. + An optional TSIG key can also be specified with each + address to cause the notify messages to be signed; this + can be useful when sending notifies to multiple views. + In place of explicit addresses, one or more named + <span><strong class="command">masters</strong></span> lists can be used. + </p> +<p> If an <span><strong class="command">also-notify</strong></span> list is given in a <span><strong class="command">zone</strong></span> statement, it will override 
@@ -4227,7 +4312,8 @@ avoid-v6-udp-ports {}; not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list). - </p></dd> + </p> +</dd> <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> <dd><p> Inbound zone transfers running longer than @@ -4442,7 +4528,7 @@ avoid-v6-udp-ports {}; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2585664"></a>UDP Port Lists</h4></div></div></div> +<a name="id2586366"></a>UDP Port Lists</h4></div></div></div> <p> <span><strong class="command">use-v4-udp-ports</strong></span>, <span><strong class="command">avoid-v4-udp-ports</strong></span>, @@ -4484,7 +4570,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2585723"></a>Operating System Resource Limits</h4></div></div></div> +<a name="id2586426"></a>Operating System Resource Limits</h4></div></div></div> <p> The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4564,8 +4650,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; approaches the specified size, some of the oldest transactions in the journal - will be automatically removed. The default is - <code class="literal">unlimited</code>. + will be automatically removed. The largest permitted + value is 2 gigabytes. The default is + <code class="literal">unlimited</code>, which also + means 2 gigabytes. This may also be set on a per-zone basis. </p></dd> <dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt> 
@@ -4646,7 +4734,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2586350"></a>Periodic Task Intervals</h4></div></div></div> +<a name="id2586917"></a>Periodic Task Intervals</h4></div></div></div> <div class="variablelist"><dl> <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt> <dd><p> @@ -4948,8 +5036,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> If multiple <span><strong class="command">rrset-order</strong></span> statements - appear, - they are not combined — the last one applies. + appear, they are not combined — the last one applies. + </p> +<p> + By default, all records are returned in random order. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> @@ -5073,6 +5163,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; It is expected that this parameter may be removed in a future version once there is a standard type. </p> +<p> + These records can be removed from the zone once named + has completed signing the zone with the matching key + using <span><strong class="command">nsupdate</strong></span> or + <span><strong class="command">rndc signing -clear</strong></span>. + <span><strong class="command">rndc signing -clear</strong></span> is the only supported + way to remove these records from + <span><strong class="command">inline-signing</strong></span> zones. + </p> </dd> <dt> <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> 
@@ -5148,13 +5247,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> </dd> <dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> -<dd><p>Specifies +<dd> +<p>Specifies the file format of zone files (see <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>). The default value is <code class="constant">text</code>, which is the - standard textual representation. Files in other formats - than <code class="constant">text</code> are typically expected - to be generated by the <span><strong class="command">named-compilezone</strong></span> tool. + standard textual representation, except for slave zones, + in which the default value is <code class="constant">raw</code>. + Files in other formats than <code class="constant">text</code> are + typically expected to be generated by the + <span><strong class="command">named-compilezone</strong></span> tool, or dumped by + <span><strong class="command">named</strong></span>. + </p> +<p> Note that when a zone file in a different format than <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span> may omit some of the checks which would be performed for a @@ -5171,7 +5276,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; statement within the <span><strong class="command">zone</strong></span> or <span><strong class="command">view</strong></span> block in the configuration file. - </p></dd> + </p> +</dd> <dt> <a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span> </dt> 
@@ -5216,6 +5322,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; zones is controlled by <span><strong class="command">serial-query-rate</strong></span>. </p> </dd> +<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt> +<dd><p> + The maximum RSA exponent size, in bits, that will + be accepted when validating. Valid values are 35 + to 4096 bits. The default zero (0) is also accepted + and is equivalent to 4096. + </p></dd> </dl></div> </div> <div class="sect3" lang="en"> @@ -5554,7 +5667,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2588612"></a>Content Filtering</h4></div></div></div> +<a name="id2589223"></a>Content Filtering</h4></div></div></div> <p> <acronym class="acronym">BIND</acronym> 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5677,7 +5790,7 @@ deny-answer-aliases { "example.net"; }; </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2588738"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div> +<a name="id2589417"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div> <p> <acronym class="acronym">BIND</acronym> 9 includes a limited mechanism to modify DNS responses for requests @@ -6026,8 +6139,9 @@ ns.domain.com.rpz-nsdname CNAME . the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master. If not set, the value of the <span><strong class="command">request-ixfr</strong></span> option in - the view or - global options block is used as a default. + the view or global options block is used as a default. It may + also be set in the zone block and, if set there, it will + override the global or view setting for that zone. </p> <p> IXFR requests to servers that do not support IXFR will 
@@ -6151,7 +6265,7 @@ ns.domain.com.rpz-nsdname CNAME . </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2590070"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and +<a name="id2590613"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">statistics-channels</strong></span> statement 
@@ -6199,6 +6313,30 @@ ns.domain.com.rpz-nsdname CNAME . If no <span><strong class="command">statistics-channels</strong></span> statement is present, <span><strong class="command">named</strong></span> will not open any communication channels. </p> +<p> + If the statistics channel is configured to listen on 127.0.0.1 + port 8888, then the statistics are accessible in XML format at + <a href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or + <a href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is + included which can format the XML statistics into tables + when viewed with a stylesheet-capable browser. When + <acronym class="acronym">BIND</acronym> 9 is configured with --enable-newstats, + a new XML schema is used (version 3) which adds additional + zone statistics and uses a flatter tree for more efficient + parsing. The stylesheet included uses the Google Charts API + to render data into into charts and graphs when using a + javascript-capable browser. + </p> +<p> + Applications that depend on a particular XML schema + can request + <a href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2 + of the statistics XML schema or + <a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3. + If the requested schema is supported by the server, then + it will respond; if not, it will return a "page not found" + error. + </p> </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> 
@@ -6211,7 +6349,7 @@ ns.domain.com.rpz-nsdname CNAME . </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2590278"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition +<a name="id2590920"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">trusted-keys</strong></span> statement defines @@ -6251,7 +6389,7 @@ ns.domain.com.rpz-nsdname CNAME . </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2590325"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div> +<a name="id2590967"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">managed-keys</strong></span> { <em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional"> <em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>] 
@@ -6389,7 +6527,7 @@ ns.domain.com.rpz-nsdname CNAME . </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2590766"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="id2591409"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div> <p> The <span><strong class="command">view</strong></span> statement is a powerful feature @@ -6517,6 +6655,9 @@ view "external" { [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>] [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] 
@@ -6535,6 +6676,7 @@ view "external" { [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>] [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>] [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>] 
@@ -6545,7 +6687,7 @@ view "external" { [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>] 
@@ -6557,7 +6699,9 @@ view "external" { [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>] + [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>; </span>] }; zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 
@@ -6567,13 +6711,15 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>] + [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>] [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; - [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... 
</span>] }; </span>] + [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] + [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] 
@@ -6606,12 +6752,19 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] + [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] + [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span 
class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>] + [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>] [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] }; @@ -6671,6 +6824,13 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] }; +zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + type redirect; + file <em class="replaceable"><code>string</code></em> ; + [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>] + [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] +}; + zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { type delegation-only; }; 
@@ -6679,10 +6839,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2592398"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="id2593189"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2592406"></a>Zone Types</h4></div></div></div> +<a name="id2593196"></a>Zone Types</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> <col> 
@@ -6914,6 +7074,64 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" <tr> <td> <p> + <code class="varname">redirect</code> + </p> + </td> +<td> + <p> + Redirect zones are used to provide answers to + queries when normal resolution would result in + NXDOMAIN being returned. + Only one redirect zone is supported + per view. <span><strong class="command">allow-query</strong></span> can be + used to restrict which clients see these answers. + </p> + <p> + If the client has requested DNSSEC records (DO=1) and + the NXDOMAIN response is signed then no substitution + will occur. + </p> + <p> + To redirect all NXDOMAIN responses to + 100.100.100.2 and + 2001:ffff:ffff::100.100.100.2, one would + configure a type redirect zone named ".", + with the zone file containing wildcard records + that point to the desired addresses: + <code class="literal">"*. IN A 100.100.100.2"</code> + and + <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>. + </p> + <p> + To redirect all Spanish names (under .ES) one + would use similar entries but with the names + "*.ES." instead of "*.". To redirect all + commercial Spanish names (under COM.ES) one + would use wildcard entries called "*.COM.ES.". + </p> + <p> + Note that the redirect zone supports all + possible types; it is not limited to A and + AAAA records. + </p> + <p> + Because redirect zones are not referenced + directly by name, they are not kept in the + zone lookup table with normal master and slave + zones. Consequently, it is not currently possible + to use + <span><strong class="command">rndc reload + <em class="replaceable"><code>zonename</code></em></strong></span> + to reload a redirect zone. However, when using + <span><strong class="command">rndc reload</strong></span> without specifying + a zone name, redirect zones will be reloaded along + with other zones. + </p> + </td> +</tr> +<tr> +<td> + <p> <code class="varname">delegation-only</code> </p> </td> 
@@ -6942,7 +7160,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2593019"></a>Class</h4></div></div></div> +<a name="id2594009"></a>Class</h4></div></div></div> <p> The zone's name may optionally be followed by a class. If a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>), @@ -6964,7 +7182,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2593052"></a>Zone Options</h4></div></div></div> +<a name="id2594042"></a>Zone Options</h4></div></div></div> <div class="variablelist"><dl> <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> <dd><p> @@ -7017,6 +7235,9 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" with each <span><strong class="command">also-notify</strong></span> address to send the notify messages to a port other than the default of 53. + A TSIG key may also be specified to cause the + <code class="literal">NOTIFY</code> to be signed by the + given key. <span><strong class="command">also-notify</strong></span> is not meaningful for stub zones. The default is the empty list. 
@@ -7066,6 +7287,13 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" See the description of <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> +<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and + Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and + Usage”</a>. + </p></dd> <dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt> <dd><p> See the description of 
@@ -7396,20 +7624,44 @@ example.com. NS ns2.example.net. zone the first time, the repository will be searched for changes periodically, regardless of whether <span><strong class="command">rndc loadkeys</strong></span> is used. The recheck - interval is hard-coded to - one hour. + interval is defined by + <span><strong class="command">dnssec-loadkeys-interval</strong></span>.) </p> <p> - <span><strong class="command">auto-dnssec create;</strong></span> includes the - above, but also allows <span><strong class="command">named</strong></span> - to create new keys in the key repository when needed. - (NOTE: This option is not yet implemented; the syntax is - being reserved for future use.) + The default setting is <span><strong class="command">auto-dnssec off</strong></span>. </p> +</dd> +<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt> +<dd> <p> - The default setting is <span><strong class="command">auto-dnssec off</strong></span>. + Zones configured for dynamic DNS may use this + option to set the update method that will be used for + the zone serial number in the SOA record. + </p> +<p> + With the default setting of + <span><strong class="command">serial-update-method increment;</strong></span>, the + SOA serial number will be incremented by one each time + the zone is updated. + </p> +<p> + When set to + <span><strong class="command">serial-update-method unixtime;</strong></span>, the + SOA serial number will be set to the number of seconds + since the UNIX epoch, unless the serial number is + already greater than or equal to that value, in which + case it is simply incremented by one. 
</p> </dd> +<dt><span class="term"><span><strong class="command">inline-signing</strong></span></span></dt> +<dd><p> + If <code class="literal">yes</code>, this enables + "bump in the wire" signing of a zone, where a + unsigned zone is transferred in or loaded from + disk and a signed version of the zone is served, + with possibly, a different serial number. This + behaviour is disabled by default. + </p></dd> <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> <dd><p> See the description of <span><strong class="command">multi-master</strong></span> in @@ -7846,7 +8098,7 @@ example.com. NS ns2.example.net. </div> <div class="sect1" lang="en"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2595755"></a>Zone File</h2></div></div></div> +<a name="id2596875"></a>Zone File</h2></div></div></div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div> @@ -7859,7 +8111,7 @@ example.com. NS ns2.example.net. </p> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2595842"></a>Resource Records</h4></div></div></div> +<a name="id2596893"></a>Resource Records</h4></div></div></div> <p> A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -8596,7 +8848,7 @@ example.com. NS ns2.example.net. </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2597465"></a>Textual expression of RRs</h4></div></div></div> +<a name="id2598517"></a>Textual expression of RRs</h4></div></div></div> <p> RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form 
@@ -8799,7 +9051,7 @@ example.com. NS ns2.example.net. </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2597986"></a>Discussion of MX Records</h3></div></div></div> +<a name="id2599037"></a>Discussion of MX Records</h3></div></div></div> <p> As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -9055,7 +9307,7 @@ example.com. NS ns2.example.net. </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2598601"></a>Inverse Mapping in IPv4</h3></div></div></div> +<a name="id2599585"></a>Inverse Mapping in IPv4</h3></div></div></div> <p> Reverse name resolution (that is, translation from IP address to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain @@ -9116,7 +9368,7 @@ example.com. NS ns2.example.net. </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2598796"></a>Other Zone File Directives</h3></div></div></div> +<a name="id2599848"></a>Other Zone File Directives</h3></div></div></div> <p> The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -9131,7 +9383,7 @@ example.com. NS ns2.example.net. </p> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2598819"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div> +<a name="id2599939"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div> <p> When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. 
@@ -9142,7 +9394,7 @@ example.com. NS ns2.example.net. </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2598835"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div> +<a name="id2599955"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div> <p> Syntax: <span><strong class="command">$ORIGIN</strong></span> <em class="replaceable"><code>domain-name</code></em> @@ -9171,7 +9423,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2598964"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div> +<a name="id2600016"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div> <p> Syntax: <span><strong class="command">$INCLUDE</strong></span> <em class="replaceable"><code>filename</code></em> @@ -9207,7 +9459,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2599101"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div> +<a name="id2600153"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div> <p> Syntax: <span><strong class="command">$TTL</strong></span> <em class="replaceable"><code>default-ttl</code></em> 
@@ -9226,7 +9478,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </div> <div class="sect2" lang="en"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2599138"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div> +<a name="id2600189"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div> <p> Syntax: <span><strong class="command">$GENERATE</strong></span> <em class="replaceable"><code>range</code></em> @@ -9650,7 +9902,7 @@ HOST-127.EXAMPLE. MX 0 . </p> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600091"></a>Name Server Statistics Counters</h4></div></div></div> +<a name="id2601075"></a>Name Server Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> <col> @@ -10220,7 +10472,7 @@ HOST-127.EXAMPLE. MX 0 . </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2601596"></a>Zone Maintenance Statistics Counters</h4></div></div></div> +<a name="id2602716"></a>Zone Maintenance Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> <col> @@ -10374,7 +10626,7 @@ HOST-127.EXAMPLE. MX 0 . </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2601979"></a>Resolver Statistics Counters</h4></div></div></div> +<a name="id2603099"></a>Resolver Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> <col> 
@@ -10757,7 +11009,7 @@ HOST-127.EXAMPLE. MX 0 . </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2603138"></a>Socket I/O Statistics Counters</h4></div></div></div> +<a name="id2604121"></a>Socket I/O Statistics Counters</h4></div></div></div> <p> Socket I/O statistics counters are defined per socket types, which are @@ -10912,7 +11164,7 @@ HOST-127.EXAMPLE. MX 0 . </div> <div class="sect3" lang="en"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2603579"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div> +<a name="id2604494"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div> <p> Most statistics counters that were available in <span><strong class="command">BIND</strong></span> 8 are also supported in |