summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--CHANGES53
-rw-r--r--bin/dig/dig.c23
-rw-r--r--bin/dig/host.c37
-rw-r--r--bin/dig/nslookup.c22
-rw-r--r--bin/named/config.c6
-rw-r--r--bin/named/main.c8
-rw-r--r--bin/named/update.c40
-rw-r--r--bin/nsupdate/nsupdate.c5
-rw-r--r--doc/arm/Bv9ARM-book.xml318
-rw-r--r--doc/arm/Bv9ARM.ch01.html18
-rw-r--r--doc/arm/Bv9ARM.ch03.html22
-rw-r--r--doc/arm/Bv9ARM.ch04.html82
-rw-r--r--doc/arm/Bv9ARM.ch05.html6
-rw-r--r--doc/arm/Bv9ARM.ch06.html350
-rw-r--r--doc/arm/Bv9ARM.ch07.html26
-rw-r--r--doc/arm/Bv9ARM.ch08.html18
-rw-r--r--doc/arm/Bv9ARM.ch09.html188
-rw-r--r--doc/arm/Bv9ARM.html96
-rw-r--r--doc/arm/man.dig.html20
-rw-r--r--doc/arm/man.dnssec-dsfromkey.html16
-rw-r--r--doc/arm/man.dnssec-keyfromlabel.html12
-rw-r--r--doc/arm/man.dnssec-keygen.html14
-rw-r--r--doc/arm/man.dnssec-signzone.html12
-rw-r--r--doc/arm/man.host.html10
-rw-r--r--doc/arm/man.named-checkconf.html12
-rw-r--r--doc/arm/man.named-checkzone.html12
-rw-r--r--doc/arm/man.named.html16
-rw-r--r--doc/arm/man.nsupdate.html14
-rw-r--r--doc/arm/man.rndc-confgen.html12
-rw-r--r--doc/arm/man.rndc.conf.html12
-rw-r--r--doc/arm/man.rndc.html12
-rw-r--r--doc/rfc/index1
-rw-r--r--doc/rfc/rfc5507.txt1011
-rw-r--r--lib/dns/api2
-rw-r--r--lib/dns/cache.c11
-rw-r--r--lib/dns/dispatch.c5
-rw-r--r--lib/dns/include/dns/events.h5
-rw-r--r--lib/dns/rbtdb.c208
-rw-r--r--lib/dns/resolver.c88
-rw-r--r--lib/dns/sdb.c9
-rw-r--r--lib/dns/sdlz.c9
-rw-r--r--lib/dns/validator.c105
-rw-r--r--lib/dns/zone.c4
-rw-r--r--lib/isc/alpha/include/isc/atomic.h40
-rw-r--r--lib/isc/api2
-rw-r--r--lib/isc/hash.c10
-rw-r--r--lib/isc/unix/socket.c11
-rw-r--r--lib/lwres/api2
-rw-r--r--lib/lwres/getaddrinfo.c54
-rw-r--r--version4
50 files changed, 2225 insertions, 848 deletions
diff --git a/CHANGES b/CHANGES
index 44c1d9ed..4f55ca2a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,53 @@
+
+ --- 9.6.1rc1 released ---
+
+2599. [bug] Address rapid memory growth when validation fails.
+ [RT #19654]
+
+2597. [bug] Handle a validation failure with a insecure delegation
+ from a NSEC3 signed master/slave zone. [RT #19464]
+
+2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
+ long, leading to inefficient memory usage or rejecting
+ newer cache entries in the worst case. [RT #19563]
+
+2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
+
+2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
+
+2591. [bug] named could die when processing a update in
+ removed_orphaned_ds(). [RT #19507]
+
+2588. [bug] SO_REUSEADDR could be set unconditionally after failure
+ of bind(2) call. This should be rare and mostly
+ harmless, but may cause interference with other
+ processes that happen to use the same port. [RT #19642]
+
+2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
+ or SDB. [RT #19577]
+
+2585. [bug] Uninitialized socket name could be referenced via a
+ statistics channel, triggering an assertion failure in
+ XML rendering. [RT #19427]
+
+2584. [bug] alpha: gcc optimization could break atomic operations.
+ [RT #19227]
+
+2583. [port] netbsd: provide a control to not add the compile
+ date to the version string, -DNO_VERSION_DATE.
+
+2582. [bug] Don't emit warning log message when we attempt to
+ remove non-existant journal. [RT #19516]
+
+2579. [bug] DNSSEC lookaside validation failed to handle unknown
+ algorithms. [RT #19479]
+
+2578. [bug] Changed default sig-signing-type to 65534, because
+ 65535 turns out to be reserved. [RT #19477]
+
+2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
+ [RT #18837]
+
--- 9.6.1b1 released ---
2577. [doc] Clarified some statistics counters. [RT #19454]
@@ -25,6 +75,9 @@
2563. [bug] Dig could leak a socket causing it to wait forever
to exit. [RT #19359]
+2562. [doc] ARM: miscellaneous improvements, reorganization,
+ and some new content.
+
2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 87c40d70..f740a1d6 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.c,v 1.225.26.3 2009/01/22 05:19:47 marka Exp $ */
+/* $Id: dig.c,v 1.225.26.4 2009/05/06 10:18:33 fdupont Exp $ */
/*! \file */
@@ -111,6 +111,24 @@ static const char * const rcodetext[] = {
"BADVERS"
};
+/*% safe rcodetext[] */
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+ static char buf[sizeof("?65535")];
+ union {
+ const char *consttext;
+ char *deconsttext;
+ } totext;
+
+ if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+ snprintf(buf, sizeof(buf), "?%u", rcode);
+ totext.deconsttext = buf;
+ } else
+ totext.consttext = rcodetext[rcode];
+ return totext.deconsttext;
+}
+
/*% print usage */
static void
print_usage(FILE *fp) {
@@ -469,7 +487,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
if (headers) {
printf(";; ->>HEADER<<- opcode: %s, status: %s, "
"id: %u\n",
- opcodetext[msg->opcode], rcodetext[msg->rcode],
+ opcodetext[msg->opcode],
+ rcode_totext(msg->rcode),
msg->id);
printf(";; flags:");
if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
diff --git a/bin/dig/host.c b/bin/dig/host.c
index ac29ae6c..9f302068 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: host.c,v 1.116 2007/12/03 00:21:48 marka Exp $ */
+/* $Id: host.c,v 1.116.216.2 2009/05/06 23:47:18 tbox Exp $ */
/*! \file */
@@ -124,6 +124,23 @@ struct rtype rtypes[] = {
{ 0, NULL }
};
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+ static char buf[sizeof("?65535")];
+ union {
+ const char *consttext;
+ char *deconsttext;
+ } totext;
+
+ if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+ snprintf(buf, sizeof(buf), "?%u", rcode);
+ totext.deconsttext = buf;
+ } else
+ totext.consttext = rcodetext[rcode];
+ return totext.deconsttext;
+}
+
static void
show_usage(void) {
fputs(
@@ -270,10 +287,10 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
if (query->lookup->rdtype == dns_rdatatype_axfr &&
!((!list_addresses &&
(list_type == dns_rdatatype_any ||
- rdataset->type == list_type)) ||
+ rdataset->type == list_type)) ||
(list_addresses &&
(rdataset->type == dns_rdatatype_a ||
- rdataset->type == dns_rdatatype_aaaa ||
+ rdataset->type == dns_rdatatype_aaaa ||
rdataset->type == dns_rdatatype_ns ||
rdataset->type == dns_rdatatype_ptr))))
continue;
@@ -377,7 +394,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned int i = msg->counts[DNS_SECTION_ANSWER];
- while (i-- > 0) {
+ while (i-- > 0) {
rdataset = NULL;
result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_cname, 0, NULL,
@@ -429,7 +446,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
printf("Host %s not found: %d(%s)\n",
(msg->rcode != dns_rcode_nxdomain) ? namestr :
query->lookup->textname, msg->rcode,
- rcodetext[msg->rcode]);
+ rcode_totext(msg->rcode));
return (ISC_R_SUCCESS);
}
@@ -451,7 +468,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_aaaa;
- lookup->rdtypeset = ISC_TRUE;
+ lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -462,7 +479,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_mx;
- lookup->rdtypeset = ISC_TRUE;
+ lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -471,7 +488,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
if (!short_form) {
printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
- opcodetext[msg->opcode], rcodetext[msg->rcode],
+ opcodetext[msg->opcode], rcode_totext(msg->rcode),
msg->id);
printf(";; flags: ");
if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
@@ -838,7 +855,7 @@ main(int argc, char **argv) {
ISC_LIST_INIT(lookup_list);
ISC_LIST_INIT(server_list);
ISC_LIST_INIT(search_list);
-
+
fatalexit = 1;
#ifdef WITH_IDN
idnoptions = IDN_ASCCHECK;
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index b17032ff..56796268 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nslookup.c,v 1.117.334.2 2009/01/06 23:47:26 tbox Exp $ */
+/* $Id: nslookup.c,v 1.117.334.4 2009/05/06 11:41:57 fdupont Exp $ */
#include <config.h>
@@ -26,6 +26,7 @@
#include <isc/commandline.h>
#include <isc/event.h>
#include <isc/parseint.h>
+#include <isc/print.h>
#include <isc/string.h>
#include <isc/timer.h>
#include <isc/util.h>
@@ -129,6 +130,23 @@ static const char *rtypetext[] = {
static void flush_lookup_list(void);
static void getinput(isc_task_t *task, isc_event_t *event);
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+ static char buf[sizeof("?65535")];
+ union {
+ const char *consttext;
+ char *deconsttext;
+ } totext;
+
+ if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+ snprintf(buf, sizeof(buf), "?%u", rcode);
+ totext.deconsttext = buf;
+ } else
+ totext.consttext = rcodetext[rcode];
+ return totext.deconsttext;
+}
+
void
dighost_shutdown(void) {
isc_event_t *event = global_event;
@@ -412,7 +430,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
nametext, sizeof(nametext));
printf("** server can't find %s: %s\n",
(msg->rcode != dns_rcode_nxdomain) ? nametext :
- query->lookup->textname, rcodetext[msg->rcode]);
+ query->lookup->textname, rcode_totext(msg->rcode));
debug("returning with rcode == 0");
return (ISC_R_SUCCESS);
}
diff --git a/bin/named/config.c b/bin/named/config.c
index 96b071d1..8b96050e 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.93 2008/11/06 05:30:24 marka Exp $ */
+/* $Id: config.c,v 1.93.14.2 2009/03/17 23:47:28 tbox Exp $ */
/*! \file */
@@ -177,7 +177,7 @@ options {\n\
sig-validity-interval 30; /* days */\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
- sig-signing-type 65535;\n\
+ sig-signing-type 65534;\n\
zone-statistics false;\n\
max-journal-size unlimited;\n\
ixfr-from-differences false;\n\
diff --git a/bin/named/main.c b/bin/named/main.c
index 0fcca056..f97ab45a 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: main.c,v 1.166.34.2 2009/01/18 23:47:34 tbox Exp $ */
+/* $Id: main.c,v 1.166.34.3 2009/04/03 20:18:59 marka Exp $ */
/*! \file */
@@ -879,10 +879,10 @@ main(int argc, char *argv[]) {
* strings named.core | grep "named version:"
*/
strlcat(version,
-#ifdef __DATE__
- "named version: BIND " VERSION " (" __DATE__ ")",
-#else
+#if defined(NO_VERSION_DATE) || !defined(__DATE__)
"named version: BIND " VERSION,
+#else
+ "named version: BIND " VERSION " (" __DATE__ ")",
#endif
sizeof(version));
result = isc_file_progname(*argv, program_name, sizeof(program_name));
diff --git a/bin/named/update.c b/bin/named/update.c
index 98395bfd..ff073116 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.c,v 1.151.12.4 2009/01/29 22:40:33 jinmei Exp $ */
+/* $Id: update.c,v 1.151.12.5 2009/04/30 07:03:37 marka Exp $ */
#include <config.h>
@@ -2773,26 +2773,36 @@ static isc_result_t
remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
isc_result_t result;
isc_boolean_t ns_exists;
- dns_difftuple_t *t;
+ dns_difftuple_t *tupple;
+ dns_diff_t temp_diff;
- for (t = ISC_LIST_HEAD(diff->tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link)) {
- if (!((t->op == DNS_DIFFOP_DEL &&
- t->rdata.type == dns_rdatatype_ns) ||
- (t->op == DNS_DIFFOP_ADD &&
- t->rdata.type == dns_rdatatype_ds)))
+ dns_diff_init(diff->mctx, &temp_diff);
+
+ for (tupple = ISC_LIST_HEAD(diff->tuples);
+ tupple != NULL;
+ tupple = ISC_LIST_NEXT(tupple, link)) {
+ if (!((tupple->op == DNS_DIFFOP_DEL &&
+ tupple->rdata.type == dns_rdatatype_ns) ||
+ (tupple->op == DNS_DIFFOP_ADD &&
+ tupple->rdata.type == dns_rdatatype_ds)))
continue;
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
- &ns_exists));
- if (ns_exists && !dns_name_equal(&t->name, dns_db_origin(db)))
+ CHECK(rrset_exists(db, newver, &tupple->name,
+ dns_rdatatype_ns, 0, &ns_exists));
+ if (ns_exists &&
+ !dns_name_equal(&tupple->name, dns_db_origin(db)))
continue;
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_ds, 0, NULL, diff));
+ CHECK(delete_if(true_p, db, newver, &tupple->name,
+ dns_rdatatype_ds, 0, NULL, &temp_diff));
}
- return (ISC_R_SUCCESS);
+ result = ISC_R_SUCCESS;
failure:
+ for (tupple = ISC_LIST_HEAD(temp_diff.tuples);
+ tupple != NULL;
+ tupple = ISC_LIST_HEAD(temp_diff.tuples)) {
+ ISC_LIST_UNLINK(temp_diff.tuples, tupple, link);
+ dns_diff_appendminimal(diff, &tupple);
+ }
return (result);
}
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 66e83114..6cf4cf42 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsupdate.c,v 1.163.48.2 2009/01/18 23:47:34 tbox Exp $ */
+/* $Id: nsupdate.c,v 1.163.48.3 2009/04/30 07:12:49 marka Exp $ */
/*! \file */
@@ -1541,8 +1541,9 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
}
region.base = word;
region.length = strlen(word);
+ rdataclass = dns_rdataclass_any;
result = dns_rdataclass_fromtext(&rdataclass, &region);
- if (result == ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS && rdataclass != dns_rdataclass_any) {
if (!setzoneclass(rdataclass)) {
fprintf(stderr, "class mismatch: %s\n", word);
goto failure;
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 99b92755..f3bfe0d2 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.8 2009/03/13 01:52:35 jinmei Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.14 2009/04/02 15:30:12 jreed Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -75,23 +75,23 @@
<sect1>
<title>Organization of This Document</title>
<para>
- In this document, <emphasis>Section 1</emphasis> introduces
- the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
+ In this document, <emphasis>Chapter 1</emphasis> introduces
+ the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Chapter 2</emphasis>
describes resource requirements for running <acronym>BIND</acronym> in various
- environments. Information in <emphasis>Section 3</emphasis> is
+ environments. Information in <emphasis>Chapter 3</emphasis> is
<emphasis>task-oriented</emphasis> in its presentation and is
organized functionally, to aid in the process of installing the
<acronym>BIND</acronym> 9 software. The task-oriented
section is followed by
- <emphasis>Section 4</emphasis>, which contains more advanced
+ <emphasis>Chapter 4</emphasis>, which contains more advanced
concepts that the system administrator may need for implementing
- certain options. <emphasis>Section 5</emphasis>
+ certain options. <emphasis>Chapter 5</emphasis>
describes the <acronym>BIND</acronym> 9 lightweight
- resolver. The contents of <emphasis>Section 6</emphasis> are
+ resolver. The contents of <emphasis>Chapter 6</emphasis> are
organized as in a reference manual to aid in the ongoing
- maintenance of the software. <emphasis>Section 7</emphasis> addresses
+ maintenance of the software. <emphasis>Chapter 7</emphasis> addresses
security considerations, and
- <emphasis>Section 8</emphasis> contains troubleshooting help. The
+ <emphasis>Chapter 8</emphasis> contains troubleshooting help. The
main body of the document is followed by several
<emphasis>appendices</emphasis> which contain useful reference
information, such as a <emphasis>bibliography</emphasis> and
@@ -656,7 +656,7 @@
<chapter id="Bv9ARM.ch03">
<title>Name Server Configuration</title>
<para>
- In this section we provide some suggested configurations along
+ In this chapter we provide some suggested configurations along
with guidelines for their use. We suggest reasonable values for
certain option settings.
</para>
@@ -933,7 +933,7 @@ zone "eng.example.com" {
<arg>%<replaceable>comment</replaceable></arg>
</cmdsynopsis>
<para>
- The usual simple use of dig will take the form
+ The usual simple use of <command>dig</command> will take the form
</para>
<simpara>
<command>dig @server domain query-type query-class</command>
@@ -1276,8 +1276,8 @@ zone "eng.example.com" {
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
- If -p is specified named's process id is returned.
- This allows an external process to determine when named
+ If <option>-p</option> is specified <command>named</command>'s process id is returned.
+ This allows an external process to determine when <command>named</command>
had completed stopping.
</para>
</listitem>
@@ -1291,8 +1291,8 @@ zone "eng.example.com" {
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
- If -p is specified named's process id is returned.
- This allows an external process to determine when named
+ If <option>-p</option> is specified <command>named</command>'s process id is returned.
+ This allows an external process to determine when <command>named</command>
had completed halting.
</para>
</listitem>
@@ -1361,7 +1361,7 @@ zone "eng.example.com" {
<term><userinput>recursing</userinput></term>
<listitem>
<para>
- Dump the list of queries named is currently recursing
+ Dump the list of queries <command>named</command> is currently recursing
on.
</para>
</listitem>
@@ -1446,7 +1446,7 @@ zone "eng.example.com" {
with
<command>named</command>. Its syntax is
identical to the
- <command>key</command> statement in named.conf.
+ <command>key</command> statement in <filename>named.conf</filename>.
The keyword <userinput>key</userinput> is
followed by a key name, which must be a valid
domain name, though it need not actually be hierarchical;
@@ -1619,10 +1619,10 @@ controls {
</para>
<note>
- As a slave zone can also be a master to other slaves, named,
+ As a slave zone can also be a master to other slaves, <command>named</command>,
by default, sends <command>NOTIFY</command> messages for every zone
it loads. Specifying <command>notify master-only;</command> will
- cause named to only send <command>NOTIFY</command> for master
+ cause <command>named</command> to only send <command>NOTIFY</command> for master
zones that it loads.
</note>
@@ -2111,7 +2111,7 @@ key host1-host2. {
</programlisting>
<para>
- The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
+ The algorithm, <literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>.
The secret is the one generated above. Since this is a secret, it
is recommended that either <filename>named.conf</filename> be non-world
readable, or the key directive be added to a non-world readable
@@ -2171,7 +2171,7 @@ server 10.1.2.3 {
be denoted <command>key host1-host2.</command>
</para>
<para>
- An example of an allow-update directive would be:
+ An example of an <command>allow-update</command> directive would be:
</para>
<programlisting>
@@ -2261,7 +2261,7 @@ allow-update { key host1-host2. ;};
<para>
<acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
- transaction signatures as specified in RFC 2535 and RFC2931.
+ transaction signatures as specified in RFC 2535 and RFC 2931.
SIG(0)
uses public/private keys to authenticate messages. Access control
is performed in the same manner as TSIG keys; privileges can be
@@ -2482,7 +2482,7 @@ allow-update { key host1-host2. ;};
more public keys for the root. This allows answers from
outside the organization to be validated. It will also
have several keys for parts of the namespace the organization
- controls. These are here to ensure that named is immune
+ controls. These are here to ensure that <command>named</command> is immune
to compromises in the DNSSEC components of the security
of parent zones.
</para>
@@ -3124,8 +3124,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<para>
The interpretation of a match depends on whether the list is being
- used for access control, defining listen-on ports, or in a
- sortlist, and whether the element was negated.
+ used for access control, defining <command>listen-on</command> ports, or in a
+ <command>sortlist</command>, and whether the element was negated.
</para>
<para>
@@ -3143,7 +3143,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<command>allow-update</command>,
<command>allow-update-forwarding</command>, and
<command>blackhole</command> all use address match
- lists. Similarly, the listen-on option will cause the
+ lists. Similarly, the <command>listen-on</command> option will cause the
server to refuse queries on any of the machine's
addresses which do not match the list.
</para>
@@ -3218,8 +3218,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
slash) and continue to the end of the physical line. They cannot
be continued across multiple physical lines; to have one logical
comment span multiple lines, each line must use the // pair.
- </para>
- <para>
For example:
</para>
<para>
@@ -3235,8 +3233,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
with the character <literal>#</literal> (number sign)
and continue to the end of the
physical line, as in C++ comments.
- </para>
- <para>
For example:
</para>
@@ -3371,23 +3367,23 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</row>
<row rowsep="0">
<entry colname="1">
- <para><command>statistics-channels</command></para>
+ <para><command>server</command></para>
</entry>
<entry colname="2">
<para>
- declares communication channels to get access to
- <command>named</command> statistics.
+ sets certain configuration options on
+ a per-server basis.
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
- <para><command>server</command></para>
+ <para><command>statistics-channels</command></para>
</entry>
<entry colname="2">
<para>
- sets certain configuration options on
- a per-server basis.
+ declares communication channels to get access to
+ <command>named</command> statistics.
</para>
</entry>
</row>
@@ -3970,7 +3966,7 @@ notrace</command>. All debugging messages in the server have a debug
the date and time will be logged. <command>print-time</command> may
be specified for a <command>syslog</command> channel,
but is usually
- pointless since <command>syslog</command> also prints
+ pointless since <command>syslog</command> also logs
the date and
time. If <command>print-category</command> is
requested, then the
@@ -4216,7 +4212,7 @@ category notify { null; };
</entry>
<entry colname="2">
<para>
- Messages that named was unable to determine the
+ Messages that <command>named</command> was unable to determine the
class of or for which there was no matching <command>view</command>.
A one line summary is also logged to the <command>client</command> category.
This category is best sent to a file or stderr, by
@@ -4371,7 +4367,7 @@ category notify { null; };
number of false-positive reports.
</para>
<para>
- Note: eventually named will have to stop
+ Note: eventually <command>named</command> will have to stop
treating such timeouts as due to RFC 1034 non
compliance and start treating it as plain
packet loss. Falsely classifying packet
@@ -4963,7 +4959,7 @@ category notify { null; };
client requests a <command>TKEY</command> exchange,
it may or may not specify the desired name for the
key. If present, the name of the shared key will
- will be <varname>client specified part</varname> +
+ be <varname>client specified part</varname> +
<varname>tkey-domain</varname>. Otherwise, the
name of the shared key will be <varname>random hex
digits</varname> + <varname>tkey-domain</varname>.
@@ -5031,7 +5027,7 @@ category notify { null; };
The pathname of the file the server writes its process ID
in. If not specified, the default is
<filename>/var/run/named/named.pid</filename>.
- The pid-file is used by programs that want to send signals to
+ The PID file is used by programs that want to send signals to
the running
name server. Specifying <command>pid-file none</command> disables the
use of a PID file &mdash; no file will be written and any
@@ -5166,7 +5162,7 @@ options {
top of a zone. When a DNSKEY is at or below a domain
specified by the
deepest <command>dnssec-lookaside</command>, and
- the normal dnssec validation
+ the normal DNSSEC validation
has left the key untrusted, the trust-anchor will be append to
the key
name and a DLV record will be looked up to see if it can
@@ -5184,10 +5180,10 @@ options {
<para>
Specify hierarchies which must be or may not be secure (signed and
validated).
- If <userinput>yes</userinput>, then named will only accept
+ If <userinput>yes</userinput>, then <command>named</command> will only accept
answers if they
are secure.
- If <userinput>no</userinput>, then normal dnssec validation
+ If <userinput>no</userinput>, then normal DNSSEC validation
applies
allowing for insecure answers to be accepted.
The specified domain must be under a <command>trusted-key</command> or
@@ -5903,9 +5899,9 @@ options {
<para>
This should be set when you have multiple masters for a zone
and the
- addresses refer to different machines. If <userinput>yes</userinput>, named will
+ addresses refer to different machines. If <userinput>yes</userinput>, <command>named</command> will
not log
- when the serial number on the master is less than what named
+ when the serial number on the master is less than what <command>named</command>
currently
has. The default is <userinput>no</userinput>.
</para>
@@ -5916,8 +5912,8 @@ options {
<term><command>dnssec-enable</command></term>
<listitem>
<para>
- Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>,
- named behaves as if it does not support DNSSEC.
+ Enable DNSSEC support in <command>named</command>. Unless set to <userinput>yes</userinput>,
+ <command>named</command> behaves as if it does not support DNSSEC.
The default is <userinput>yes</userinput>.
</para>
</listitem>
@@ -5927,7 +5923,7 @@ options {
<term><command>dnssec-validation</command></term>
<listitem>
<para>
- Enable DNSSEC validation in named.
+ Enable DNSSEC validation in <command>named</command>.
Note <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> to be effective.
The default is <userinput>yes</userinput>.
@@ -5941,7 +5937,7 @@ options {
<para>
Accept expired signatures when verifying DNSSEC signatures.
The default is <userinput>no</userinput>.
- Setting this option to "yes" leaves named vulnerable to replay attacks.
+ Setting this option to "yes" leaves <command>named</command> vulnerable to replay attacks.
</para>
</listitem>
</varlistentry>
@@ -5950,7 +5946,7 @@ options {
<term><command>querylog</command></term>
<listitem>
<para>
- Specify whether query logging should be started when named
+ Specify whether query logging should be started when <command>named</command>
starts.
If <command>querylog</command> is not specified,
then the query logging
@@ -6438,7 +6434,7 @@ options {
<para>
The interfaces and ports that the server will answer queries
from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
- an optional port, and an <varname>address_match_list</varname>.
+ an optional port and an <varname>address_match_list</varname>.
The server will listen on all interfaces allowed by the address
match list. If a port is not specified, port 53 will be used.
</para>
@@ -6519,9 +6515,9 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
<para>
If no <command>listen-on-v6</command> option is
specified, the server will not listen on any IPv6 address
- unless <command>-6</command> is specified when named is
+ unless <command>-6</command> is specified when <command>named</command> is
invoked. If <command>-6</command> is specified then
- named will listen on port 53 on all IPv6 interfaces by default.
+ <command>named</command> will listen on port 53 on all IPv6 interfaces by default.
</para>
</sect3>
@@ -6699,7 +6695,12 @@ avoid-v6-udp-ports {};
zone is loaded, in addition to the servers listed in the
zone's NS records.
This helps to ensure that copies of the zones will
- quickly converge on stealth servers. If an <command>also-notify</command> list
+ quickly converge on stealth servers.
+ Optionally, a port may be specified with each
+ <command>also-notify</command> address to send
+ the notify messages to a port other than the
+ default of 53.
+ If an <command>also-notify</command> list
is given in a <command>zone</command> statement,
it will override
the <command>options also-notify</command>
@@ -6928,7 +6929,7 @@ avoid-v6-udp-ports {};
to be used, you should set
<command>use-alt-transfer-source</command>
appropriately and you should not depend upon
- getting a answer back to the first refresh
+ getting an answer back to the first refresh
query.
</note>
</listitem>
@@ -7213,7 +7214,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<para>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
- interfaces named listens on, tcp-clients as well as
+ interfaces <command>named</command> listens on, <command>tcp-clients</command> as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <literal>512</literal>.
The minimum value is <literal>128</literal> and the
@@ -7789,14 +7790,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<term><command>edns-udp-size</command></term>
<listitem>
<para>
- Sets the advertised EDNS UDP buffer size in bytes. Valid
- values are 512 to 4096 (values outside this range
- will be silently adjusted). The default value is
- 4096. The usual reason for setting edns-udp-size to
- a non-default value is to get UDP answers to pass
- through broken firewalls that block fragmented
- packets and/or block UDP packets that are greater
- than 512 bytes.
+ Sets the advertised EDNS UDP buffer size in bytes
+ to control the size of packets received.
+ Valid values are 512 to 4096 (values outside this range
+ will be silently adjusted). The default value
+ is 4096. The usual reason for setting
+ <command>edns-udp-size</command> to a non-default
+ value is to get UDP answers to pass through broken
+ firewalls that block fragmented packets and/or
+ block UDP packets that are greater than 512 bytes.
</para>
</listitem>
</varlistentry>
@@ -7805,11 +7807,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<term><command>max-udp-size</command></term>
<listitem>
<para>
- Sets the maximum EDNS UDP message size named will
+ Sets the maximum EDNS UDP message size <command>named</command> will
send in bytes. Valid values are 512 to 4096 (values outside
this range will be silently adjusted). The default
value is 4096. The usual reason for setting
- max-udp-size to a non-default value is to get UDP
+ <command>max-udp-size</command> to a non-default value is to get UDP
answers to pass through broken firewalls that
block fragmented packets and/or block UDP packets
that are greater than 512 bytes.
@@ -7857,14 +7859,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
initial value (minimum) and maximum number of recursive
simultaneous clients for any given query
(&lt;qname,qtype,qclass&gt;) that the server will accept
- before dropping additional clients. named will attempt to
+ before dropping additional clients. <command>named</command> will attempt to
self tune this value and changes will be logged. The
default values are 10 and 100.
</para>
<para>
This value should reflect how many queries come in for
a given name in the time it takes to resolve that name.
- If the number of queries exceed this value, named will
+ If the number of queries exceed this value, <command>named</command> will
assume that it is dealing with a non-responsive zone
and will drop additional queries. If it gets a response
after dropping queries, it will raise the estimate. The
@@ -7967,7 +7969,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
identify which of a group of anycast servers is actually
answering your queries. Specifying <command>server-id none;</command>
disables processing of the queries.
- Specifying <command>server-id hostname;</command> will cause named to
+ Specifying <command>server-id hostname;</command> will cause <command>named</command> to
use the hostname as found by the gethostname() function.
The default <command>server-id</command> is <command>none</command>.
</para>
@@ -7992,7 +7994,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
loopback address and the IPv6 unknown address.
</para>
<para>
- Named will attempt to determine if a built in zone already exists
+ Named will attempt to determine if a built-in zone already exists
or is active (covered by a forward-only forwarding declaration)
and will not create a empty zone in that case.
</para>
@@ -8055,7 +8057,7 @@ XXX: end of RFC1918 addresses #defined out -->
<note>
The real parent servers for these zones should disable all
empty zone under the parent zone they serve. For the real
- root servers, this is all built in empty zones. This will
+ root servers, this is all built-in empty zones. This will
enable them to return referrals to deeper in the tree.
</note>
<variablelist>
@@ -8220,74 +8222,6 @@ XXX: end of RFC1918 addresses #defined out -->
</sect2>
- <sect2 id="statschannels">
- <title><command>statistics-channels</command> Statement Grammar</title>
-
-<programlisting><command>statistics-channels</command> {
- [ inet ( ip_addr | * ) [ port ip_port ] [allow { <replaceable> address_match_list </replaceable> } ]; ]
- [ inet ...; ]
-};
-</programlisting>
- </sect2>
-
- <sect2>
- <title><command>statistics-channels</command> Statement Definition and
- Usage</title>
-
- <para>
- The <command>statistics-channels</command> statement
- declares communication channels to be used by system
- administrators to get access to statistics information of
- the name server.
- </para>
-
- <para>
- This statement intends to be flexible to support multiple
- communication protocols in the future, but currently only
- HTTP access is supported.
- It requires that BIND 9 be compiled with libxml2;
- the <command>statistics-channels</command> statement is
- still accepted even if it is built without the library,
- but any HTTP access will fail with an error.
- </para>
-
- <para>
- An <command>inet</command> control channel is a TCP socket
- listening at the specified <command>ip_port</command> on the
- specified <command>ip_addr</command>, which can be an IPv4 or IPv6
- address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
- interpreted as the IPv4 wildcard address; connections will be
- accepted on any of the system's IPv4 addresses.
- To listen on the IPv6 wildcard address,
- use an <command>ip_addr</command> of <literal>::</literal>.
- </para>
-
- <para>
- If no port is specified, port 80 is used for HTTP channels.
- The asterisk "<literal>*</literal>" cannot be used for
- <command>ip_port</command>.
- </para>
-
- <para>
- The attempt of opening a statistics channel is
- restricted by the optional <command>allow</command> clause.
- Connections to the statistics channel are permitted based on the
- <command>address_match_list</command>.
- If no <command>allow</command> clause is present,
- <command>named</command> accepts connection
- attempts from any address; since the statistics may
- contain sensitive internal information, it is highly
- recommended to restrict the source of connection requests
- appropriately.
- </para>
-
- <para>
- If no <command>statistics-channels</command> statement is present,
- <command>named</command> will not open any communication channels.
- </para>
-
- </sect2>
-
<sect2 id="server_statement_grammar">
<title><command>server</command> Statement Grammar</title>
@@ -8401,7 +8335,7 @@ XXX: end of RFC1918 addresses #defined out -->
<para>
The <command>edns-udp-size</command> option sets the EDNS UDP size
- that is advertised by named when querying the remote server.
+ that is advertised by <command>named</command> when querying the remote server.
Valid values are 512 to 4096 bytes (values outside this range will be
silently adjusted). This option is useful when you wish to
advertises a different value to this server than the value you
@@ -8411,11 +8345,11 @@ XXX: end of RFC1918 addresses #defined out -->
<para>
The <command>max-udp-size</command> option sets the
- maximum EDNS UDP message size named will send. Valid
+ maximum EDNS UDP message size <command>named</command> will send. Valid
values are 512 to 4096 bytes (values outside this range will
be silently adjusted). This option is useful when you
know that there is a firewall that is blocking large
- replies from named.
+ replies from <command>named</command>.
</para>
<para>
@@ -8500,6 +8434,74 @@ XXX: end of RFC1918 addresses #defined out -->
</sect2>
+ <sect2 id="statschannels">
+ <title><command>statistics-channels</command> Statement Grammar</title>
+
+<programlisting><command>statistics-channels</command> {
+ [ inet ( ip_addr | * ) [ port ip_port ] [allow { <replaceable> address_match_list </replaceable> } ]; ]
+ [ inet ...; ]
+};
+</programlisting>
+ </sect2>
+
+ <sect2>
+ <title><command>statistics-channels</command> Statement Definition and
+ Usage</title>
+
+ <para>
+ The <command>statistics-channels</command> statement
+ declares communication channels to be used by system
+ administrators to get access to statistics information of
+ the name server.
+ </para>
+
+ <para>
+ This statement intends to be flexible to support multiple
+ communication protocols in the future, but currently only
+ HTTP access is supported.
+ It requires that BIND 9 be compiled with libxml2;
+ the <command>statistics-channels</command> statement is
+ still accepted even if it is built without the library,
+ but any HTTP access will fail with an error.
+ </para>
+
+ <para>
+ An <command>inet</command> control channel is a TCP socket
+ listening at the specified <command>ip_port</command> on the
+ specified <command>ip_addr</command>, which can be an IPv4 or IPv6
+ address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
+ interpreted as the IPv4 wildcard address; connections will be
+ accepted on any of the system's IPv4 addresses.
+ To listen on the IPv6 wildcard address,
+ use an <command>ip_addr</command> of <literal>::</literal>.
+ </para>
+
+ <para>
+ If no port is specified, port 80 is used for HTTP channels.
+ The asterisk "<literal>*</literal>" cannot be used for
+ <command>ip_port</command>.
+ </para>
+
+ <para>
+ The attempt of opening a statistics channel is
+ restricted by the optional <command>allow</command> clause.
+ Connections to the statistics channel are permitted based on the
+ <command>address_match_list</command>.
+ If no <command>allow</command> clause is present,
+ <command>named</command> accepts connection
+ attempts from any address; since the statistics may
+ contain sensitive internal information, it is highly
+ recommended to restrict the source of connection requests
+ appropriately.
+ </para>
+
+ <para>
+ If no <command>statistics-channels</command> statement is present,
+ <command>named</command> will not open any communication channels.
+ </para>
+
+ </sect2>
+
<sect2>
<title><command>trusted-keys</command> Statement Grammar</title>
@@ -8900,7 +8902,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<filename>ex/example.com</filename> where <filename>ex/</filename> is
just the first two letters of the zone name. (Most
operating systems
- behave very slowly if you put 100 000 files into
+ behave very slowly if you put 100000 files into
a single directory.)
</para>
</entry>
@@ -10880,8 +10882,6 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
the mail will be delivered to the server specified in the MX
record
pointed to by the CNAME.
- </para>
- <para>
For example:
</para>
<informaltable colsep="0" rowsep="0">
@@ -11364,7 +11364,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
<para>
Specifies the time-to-live of the generated records. If
not specified this will be inherited using the
- normal ttl inheritance rules.
+ normal TTL inheritance rules.
</para>
<para><command>class</command>
and <command>ttl</command> can be
@@ -12980,7 +12980,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
<sect1 id="Access_Control_Lists">
<title>Access Control Lists</title>
<para>
- Access Control Lists (ACLs), are address match lists that
+ Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in <command>allow-notify</command>,
<command>allow-query</command>, <command>allow-query-on</command>,
<command>allow-recursion</command>, <command>allow-recursion-on</command>,
@@ -13045,11 +13045,13 @@ zone "example.com" {
<sect1>
<title><command>Chroot</command> and <command>Setuid</command></title>
<para>
- On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
- (using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
- option. This can help improve system security by placing <acronym>BIND</acronym> in
- a "sandbox", which will limit the damage done if a server is
- compromised.
+ On UNIX servers, it is possible to run <acronym>BIND</acronym>
+ in a <emphasis>chrooted</emphasis> environment (using
+ the <command>chroot()</command> function) by specifying
+ the "<option>-t</option>" option for <command>named</command>.
+ This can help improve system security by placing
+ <acronym>BIND</acronym> in a "sandbox", which will limit
+ the damage done if a server is compromised.
</para>
<para>
Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
@@ -13062,7 +13064,7 @@ zone "example.com" {
user 202:
</para>
<para>
- <userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
+ <userinput>/usr/local/sbin/named -u 202 -t /var/named</userinput>
</para>
<sect2>
@@ -13328,11 +13330,9 @@ zone "example.com" {
BIND architecture.
</para>
<para>
- BIND version 4 is officially deprecated and BIND version
- 8 development is considered maintenance-only in favor
- of BIND version 9. No additional development is done
- on BIND version 4 or BIND version 8 other than for
- security-related patches.
+ BIND versions 4 and 8 are officially deprecated.
+ No additional development is done
+ on BIND version 4 or BIND version 8.
</para>
<para>
<acronym>BIND</acronym> development work is made
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 9bcd1fe2..320a8675 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch01.html,v 1.43.48.1 2009/01/08 01:50:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch01.html,v 1.43.48.2 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -89,23 +89,23 @@
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564388"></a>Organization of This Document</h2></div></div></div>
<p>
- In this document, <span class="emphasis"><em>Section 1</em></span> introduces
- the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Section 2</em></span>
+ In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
+ the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
- environments. Information in <span class="emphasis"><em>Section 3</em></span> is
+ environments. Information in <span class="emphasis"><em>Chapter 3</em></span> is
<span class="emphasis"><em>task-oriented</em></span> in its presentation and is
organized functionally, to aid in the process of installing the
<acronym class="acronym">BIND</acronym> 9 software. The task-oriented
section is followed by
- <span class="emphasis"><em>Section 4</em></span>, which contains more advanced
+ <span class="emphasis"><em>Chapter 4</em></span>, which contains more advanced
concepts that the system administrator may need for implementing
- certain options. <span class="emphasis"><em>Section 5</em></span>
+ certain options. <span class="emphasis"><em>Chapter 5</em></span>
describes the <acronym class="acronym">BIND</acronym> 9 lightweight
- resolver. The contents of <span class="emphasis"><em>Section 6</em></span> are
+ resolver. The contents of <span class="emphasis"><em>Chapter 6</em></span> are
organized as in a reference manual to aid in the ongoing
- maintenance of the software. <span class="emphasis"><em>Section 7</em></span> addresses
+ maintenance of the software. <span class="emphasis"><em>Chapter 7</em></span> addresses
security considerations, and
- <span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
+ <span class="emphasis"><em>Chapter 8</em></span> contains troubleshooting help. The
main body of the document is followed by several
<span class="emphasis"><em>appendices</em></span> which contain useful reference
information, such as a <span class="emphasis"><em>bibliography</em></span> and
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 53d5cb33..99648231 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch03.html,v 1.71.48.1 2009/01/08 01:50:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch03.html,v 1.71.48.2 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -54,12 +54,12 @@
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568358">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568363">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570107">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570071">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
<p>
- In this section we provide some suggested configurations along
+ In this chapter we provide some suggested configurations along
with guidelines for their use. We suggest reasonable values for
certain option settings.
</p>
@@ -315,7 +315,7 @@ zone "eng.example.com" {
</p>
<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
<p>
- The usual simple use of dig will take the form
+ The usual simple use of <span><strong class="command">dig</strong></span> will take the form
</p>
<p>
<span><strong class="command">dig @server domain query-type query-class</strong></span>
@@ -541,8 +541,8 @@ zone "eng.example.com" {
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
- If -p is specified named's process id is returned.
- This allows an external process to determine when named
+ If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
+ This allows an external process to determine when <span><strong class="command">named</strong></span>
had completed stopping.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
@@ -551,8 +551,8 @@ zone "eng.example.com" {
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
- If -p is specified named's process id is returned.
- This allows an external process to determine when named
+ If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
+ This allows an external process to determine when <span><strong class="command">named</strong></span>
had completed halting.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
@@ -586,7 +586,7 @@ zone "eng.example.com" {
</p></dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd><p>
- Dump the list of queries named is currently recursing
+ Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
on.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>validation
@@ -661,7 +661,7 @@ zone "eng.example.com" {
with
<span><strong class="command">named</strong></span>. Its syntax is
identical to the
- <span><strong class="command">key</strong></span> statement in named.conf.
+ <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>.
The keyword <strong class="userinput"><code>key</code></strong> is
followed by a key name, which must be a valid
domain name, though it need not actually be hierarchical;
@@ -749,7 +749,7 @@ controls {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570107"></a>Signals</h3></div></div></div>
+<a name="id2570071"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index c3096f89..123098e1 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch04.html,v 1.87.48.1 2009/01/08 01:50:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.87.48.2 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -49,29 +49,29 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570513">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570531">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564066">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564084">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571171">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571244">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571255">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571294">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571489">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571533">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571214">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571225">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571268">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571325">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571510">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571616">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571665">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571524">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571709">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571880">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571961">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571778">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571925">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572006">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572104">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572220">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572166">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572187">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572282">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572304">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -95,10 +95,10 @@
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
- As a slave zone can also be a master to other slaves, named,
+ As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
- cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
+ cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
zones that it loads.
</div>
</div>
@@ -210,7 +210,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570513"></a>Split DNS</h2></div></div></div>
+<a name="id2564066"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
@@ -240,7 +240,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570531"></a>Example split DNS setup</h3></div></div></div>
+<a name="id2564084"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
@@ -486,7 +486,7 @@ nameserver 172.16.72.4
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571171"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<a name="id2571141"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -494,7 +494,7 @@ nameserver 172.16.72.4
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571188"></a>Automatic Generation</h4></div></div></div>
+<a name="id2571158"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-MD5
key as described above. Longer keys are better, but shorter keys
@@ -519,7 +519,7 @@ nameserver 172.16.72.4
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571226"></a>Manual Generation</h4></div></div></div>
+<a name="id2571196"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -534,7 +534,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571244"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<a name="id2571214"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
@@ -542,7 +542,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571255"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<a name="id2571225"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
are
@@ -555,7 +555,7 @@ key host1-host2. {
};
</pre>
<p>
- The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
+ The algorithm, <code class="literal">hmac-md5</code>, is the only one supported by <acronym class="acronym">BIND</acronym>.
The secret is the one generated above. Since this is a secret, it
is recommended that either <code class="filename">named.conf</code> be non-world
readable, or the key directive be added to a non-world readable
@@ -571,7 +571,7 @@ key host1-host2. {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571294"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<a name="id2571268"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@@ -603,7 +603,7 @@ server 10.1.2.3 {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571489"></a>TSIG Key Based Access Control</h3></div></div></div>
+<a name="id2571325"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
@@ -614,7 +614,7 @@ server 10.1.2.3 {
be denoted <span><strong class="command">key host1-host2.</strong></span>
</p>
<p>
- An example of an allow-update directive would be:
+ An example of an <span><strong class="command">allow-update</strong></span> directive would be:
</p>
<pre class="programlisting">
allow-update { key host1-host2. ;};
@@ -631,7 +631,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571533"></a>Errors</h3></div></div></div>
+<a name="id2571510"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
@@ -657,7 +657,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571616"></a>TKEY</h2></div></div></div>
+<a name="id2571524"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
@@ -693,10 +693,10 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571665"></a>SIG(0)</h2></div></div></div>
+<a name="id2571709"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
- transaction signatures as specified in RFC 2535 and RFC2931.
+ transaction signatures as specified in RFC 2535 and RFC 2931.
SIG(0)
uses public/private keys to authenticate messages. Access control
is performed in the same manner as TSIG keys; privileges can be
@@ -754,7 +754,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571801"></a>Generating Keys</h3></div></div></div>
+<a name="id2571778"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
@@ -810,7 +810,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571880"></a>Signing the Zone</h3></div></div></div>
+<a name="id2571925"></a>Signing the Zone</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-signzone</strong></span> program is used
to sign a zone.
@@ -852,7 +852,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571961"></a>Configuring Servers</h3></div></div></div>
+<a name="id2572006"></a>Configuring Servers</h3></div></div></div>
<p>
To enable <span><strong class="command">named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
@@ -889,7 +889,7 @@ allow-update { key host1-host2. ;};
more public keys for the root. This allows answers from
outside the organization to be validated. It will also
have several keys for parts of the namespace the organization
- controls. These are here to ensure that named is immune
+ controls. These are here to ensure that <span><strong class="command">named</strong></span> is immune
to compromises in the DNSSEC components of the security
of parent zones.
</p>
@@ -940,7 +940,7 @@ options {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572104"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<a name="id2572220"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 fully supports all currently
defined forms of IPv6
@@ -979,7 +979,7 @@ options {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572166"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<a name="id2572282"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<p>
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@@ -998,7 +998,7 @@ host 3600 IN AAAA 2001:db8::1
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572187"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<a name="id2572304"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<p>
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 6ec2198e..addc97ac 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch05.html,v 1.71.48.1 2009/01/08 01:50:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch05.html,v 1.71.48.2 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,13 +45,13 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572289">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572337">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572289"></a>The Lightweight Resolver Library</h2></div></div></div>
+<a name="id2572337"></a>The Lightweight Resolver Library</h2></div></div></div>
<p>
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 7c2ddf13..10b7fd55 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch06.html,v 1.201.14.7 2009/03/13 04:19:29 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.201.14.8 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,38 +48,38 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573724">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573716">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574295"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574346"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574553"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574536"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574914"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574931"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574965"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574982"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575022"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575046"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575205"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575331"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575005"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575029"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575120"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575245"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577315"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577457"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577521"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577564"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577306"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577448"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577512"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577556"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577579"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577571"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586020"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
- Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586754"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+ Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586908"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586960"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
@@ -94,9 +94,9 @@
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593203">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593822">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594018">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594206"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593886">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594013">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594270"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -461,7 +461,7 @@
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573502"></a>Syntax</h4></div></div></div>
+<a name="id2573414"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -470,7 +470,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573530"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573442"></a>Definition and Usage</h4></div></div></div>
<p>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
@@ -512,8 +512,8 @@
</p>
<p>
The interpretation of a match depends on whether the list is being
- used for access control, defining listen-on ports, or in a
- sortlist, and whether the element was negated.
+ used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
+ <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
</p>
<p>
When used as an access control list, a non-negated match
@@ -530,7 +530,7 @@
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>, and
<span><strong class="command">blackhole</strong></span> all use address match
- lists. Similarly, the listen-on option will cause the
+ lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
server to refuse queries on any of the machine's
addresses which do not match the list.
</p>
@@ -554,7 +554,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573724"></a>Comment Syntax</h3></div></div></div>
+<a name="id2573716"></a>Comment Syntax</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
comments to appear
@@ -564,7 +564,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573739"></a>Syntax</h4></div></div></div>
+<a name="id2573731"></a>Syntax</h4></div></div></div>
<p>
</p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@@ -579,7 +579,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573769"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573761"></a>Definition and Usage</h4></div></div></div>
<p>
Comments may appear anywhere that whitespace may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
@@ -610,8 +610,6 @@
slash) and continue to the end of the physical line. They cannot
be continued across multiple physical lines; to have one logical
comment span multiple lines, each line must use the // pair.
- </p>
-<p>
For example:
</p>
<p>
@@ -629,8 +627,6 @@
with the character <code class="literal">#</code> (number sign)
and continue to the end of the
physical line, as in C++ comments.
- </p>
-<p>
For example:
</p>
<p>
@@ -764,23 +760,23 @@
</tr>
<tr>
<td>
- <p><span><strong class="command">statistics-channels</strong></span></p>
+ <p><span><strong class="command">server</strong></span></p>
</td>
<td>
<p>
- declares communication channels to get access to
- <span><strong class="command">named</strong></span> statistics.
+ sets certain configuration options on
+ a per-server basis.
</p>
</td>
</tr>
<tr>
<td>
- <p><span><strong class="command">server</strong></span></p>
+ <p><span><strong class="command">statistics-channels</strong></span></p>
</td>
<td>
<p>
- sets certain configuration options on
- a per-server basis.
+ declares communication channels to get access to
+ <span><strong class="command">named</strong></span> statistics.
</p>
</td>
</tr>
@@ -824,7 +820,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574295"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574346"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
address_match_list
};
@@ -906,7 +902,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574553"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574536"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
[ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
keys { <em class="replaceable"><code>key_list</code></em> }; ]
@@ -1028,12 +1024,12 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574914"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574965"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574931"></a><span><strong class="command">include</strong></span> Statement Definition and
+<a name="id2574982"></a><span><strong class="command">include</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">include</strong></span> statement inserts the
@@ -1048,7 +1044,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575022"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575005"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
algorithm <em class="replaceable"><code>string</code></em>;
secret <em class="replaceable"><code>string</code></em>;
@@ -1057,7 +1053,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575046"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2575029"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">key</strong></span> statement defines a shared
secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@@ -1104,7 +1100,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575205"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575120"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
[ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
@@ -1128,7 +1124,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575331"></a><span><strong class="command">logging</strong></span> Statement Definition and
+<a name="id2575245"></a><span><strong class="command">logging</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">logging</strong></span> statement configures a
@@ -1162,7 +1158,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575383"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<a name="id2575298"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<p>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
@@ -1324,7 +1320,7 @@ notrace</strong></span>. All debugging messages in the server have a debug
the date and time will be logged. <span><strong class="command">print-time</strong></span> may
be specified for a <span><strong class="command">syslog</strong></span> channel,
but is usually
- pointless since <span><strong class="command">syslog</strong></span> also prints
+ pointless since <span><strong class="command">syslog</strong></span> also logs
the date and
time. If <span><strong class="command">print-category</strong></span> is
requested, then the
@@ -1558,7 +1554,7 @@ category notify { null; };
</td>
<td>
<p>
- Messages that named was unable to determine the
+ Messages that <span><strong class="command">named</strong></span> was unable to determine the
class of or for which there was no matching <span><strong class="command">view</strong></span>.
A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
This category is best sent to a file or stderr, by
@@ -1713,7 +1709,7 @@ category notify { null; };
number of false-positive reports.
</p>
<p>
- Note: eventually named will have to stop
+ Note: eventually <span><strong class="command">named</strong></span> will have to stop
treating such timeouts as due to RFC 1034 non
compliance and start treating it as plain
packet loss. Falsely classifying packet
@@ -1728,7 +1724,7 @@ category notify { null; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2576665"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
+<a name="id2576793"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
<p>
The <span><strong class="command">query-errors</strong></span> category is
specifically intended for debugging purposes: To identify
@@ -1948,7 +1944,7 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577315"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577306"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
@@ -1963,7 +1959,7 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577457"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2577448"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">lwres</strong></span> statement configures the
name
@@ -2014,14 +2010,14 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577521"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577512"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577564"></a><span><strong class="command">masters</strong></span> Statement Definition and
+<a name="id2577556"></a><span><strong class="command">masters</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p><span><strong class="command">masters</strong></span>
lists allow for a common set of masters to be easily used by
@@ -2030,7 +2026,7 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577579"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577571"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">options</strong></span>
statement in the <code class="filename">named.conf</code> file:
@@ -2267,7 +2263,7 @@ category notify { null; };
client requests a <span><strong class="command">TKEY</strong></span> exchange,
it may or may not specify the desired name for the
key. If present, the name of the shared key will
- will be <code class="varname">client specified part</code> +
+ be <code class="varname">client specified part</code> +
<code class="varname">tkey-domain</code>. Otherwise, the
name of the shared key will be <code class="varname">random hex
digits</code> + <code class="varname">tkey-domain</code>.
@@ -2310,7 +2306,7 @@ category notify { null; };
The pathname of the file the server writes its process ID
in. If not specified, the default is
<code class="filename">/var/run/named/named.pid</code>.
- The pid-file is used by programs that want to send signals to
+ The PID file is used by programs that want to send signals to
the running
name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
use of a PID file &#8212; no file will be written and any
@@ -2405,7 +2401,7 @@ options {
top of a zone. When a DNSKEY is at or below a domain
specified by the
deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
- the normal dnssec validation
+ the normal DNSSEC validation
has left the key untrusted, the trust-anchor will be append to
the key
name and a DLV record will be looked up to see if it can
@@ -2418,10 +2414,10 @@ options {
<dd><p>
Specify hierarchies which must be or may not be secure (signed and
validated).
- If <strong class="userinput"><code>yes</code></strong>, then named will only accept
+ If <strong class="userinput"><code>yes</code></strong>, then <span><strong class="command">named</strong></span> will only accept
answers if they
are secure.
- If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation
+ If <strong class="userinput"><code>no</code></strong>, then normal DNSSEC validation
applies
allowing for insecure answers to be accepted.
The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
@@ -3013,21 +3009,21 @@ options {
<dd><p>
This should be set when you have multiple masters for a zone
and the
- addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, named will
+ addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
not log
- when the serial number on the master is less than what named
+ when the serial number on the master is less than what <span><strong class="command">named</strong></span>
currently
has. The default is <strong class="userinput"><code>no</code></strong>.
</p></dd>
<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
<dd><p>
- Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>,
- named behaves as if it does not support DNSSEC.
+ Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
+ <span><strong class="command">named</strong></span> behaves as if it does not support DNSSEC.
The default is <strong class="userinput"><code>yes</code></strong>.
</p></dd>
<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
<dd><p>
- Enable DNSSEC validation in named.
+ Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
set to <strong class="userinput"><code>yes</code></strong> to be effective.
The default is <strong class="userinput"><code>yes</code></strong>.
@@ -3036,11 +3032,11 @@ options {
<dd><p>
Accept expired signatures when verifying DNSSEC signatures.
The default is <strong class="userinput"><code>no</code></strong>.
- Setting this option to "yes" leaves named vulnerable to replay attacks.
+ Setting this option to "yes" leaves <span><strong class="command">named</strong></span> vulnerable to replay attacks.
</p></dd>
<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
<dd><p>
- Specify whether query logging should be started when named
+ Specify whether query logging should be started when <span><strong class="command">named</strong></span>
starts.
If <span><strong class="command">querylog</strong></span> is not specified,
then the query logging
@@ -3155,7 +3151,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581713"></a>Forwarding</h4></div></div></div>
+<a name="id2581667"></a>Forwarding</h4></div></div></div>
<p>
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@@ -3199,7 +3195,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581771"></a>Dual-stack Servers</h4></div></div></div>
+<a name="id2581725"></a>Dual-stack Servers</h4></div></div></div>
<p>
Dual-stack servers are used as servers of last resort to work
around
@@ -3396,11 +3392,11 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582277"></a>Interfaces</h4></div></div></div>
+<a name="id2582231"></a>Interfaces</h4></div></div></div>
<p>
The interfaces and ports that the server will answer queries
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
- an optional port, and an <code class="varname">address_match_list</code>.
+ an optional port and an <code class="varname">address_match_list</code>.
The server will listen on all interfaces allowed by the address
match list. If a port is not specified, port 53 will be used.
</p>
@@ -3471,9 +3467,9 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
<p>
If no <span><strong class="command">listen-on-v6</strong></span> option is
specified, the server will not listen on any IPv6 address
- unless <span><strong class="command">-6</strong></span> is specified when named is
+ unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
invoked. If <span><strong class="command">-6</strong></span> is specified then
- named will listen on port 53 on all IPv6 interfaces by default.
+ <span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
</p>
</div>
<div class="sect3" lang="en">
@@ -3624,7 +3620,12 @@ avoid-v6-udp-ports {};
zone is loaded, in addition to the servers listed in the
zone's NS records.
This helps to ensure that copies of the zones will
- quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
+ quickly converge on stealth servers.
+ Optionally, a port may be specified with each
+ <span><strong class="command">also-notify</strong></span> address to send
+ the notify messages to a port other than the
+ default of 53.
+ If an <span><strong class="command">also-notify</strong></span> list
is given in a <span><strong class="command">zone</strong></span> statement,
it will override
the <span><strong class="command">options also-notify</strong></span>
@@ -3791,7 +3792,7 @@ avoid-v6-udp-ports {};
to be used, you should set
<span><strong class="command">use-alt-transfer-source</strong></span>
appropriately and you should not depend upon
- getting a answer back to the first refresh
+ getting an answer back to the first refresh
query.
</div>
</dd>
@@ -3843,7 +3844,7 @@ avoid-v6-udp-ports {};
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2583335"></a>UDP Port Lists</h4></div></div></div>
+<a name="id2583571"></a>UDP Port Lists</h4></div></div></div>
<p>
<span><strong class="command">use-v4-udp-ports</strong></span>,
<span><strong class="command">avoid-v4-udp-ports</strong></span>,
@@ -3885,7 +3886,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2583463"></a>Operating System Resource Limits</h4></div></div></div>
+<a name="id2583699"></a>Operating System Resource Limits</h4></div></div></div>
<p>
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@@ -3999,7 +4000,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<p>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
- interfaces named listens on, tcp-clients as well as
+ interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <code class="literal">512</code>.
The minimum value is <code class="literal">128</code> and the
@@ -4047,7 +4048,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2583947"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2583985"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
<dd><p>
@@ -4487,22 +4488,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</dd>
<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
<dd><p>
- Sets the advertised EDNS UDP buffer size in bytes. Valid
- values are 512 to 4096 (values outside this range
- will be silently adjusted). The default value is
- 4096. The usual reason for setting edns-udp-size to
- a non-default value is to get UDP answers to pass
- through broken firewalls that block fragmented
- packets and/or block UDP packets that are greater
- than 512 bytes.
+ Sets the advertised EDNS UDP buffer size in bytes
+ to control the size of packets received.
+ Valid values are 512 to 4096 (values outside this range
+ will be silently adjusted). The default value
+ is 4096. The usual reason for setting
+ <span><strong class="command">edns-udp-size</strong></span> to a non-default
+ value is to get UDP answers to pass through broken
+ firewalls that block fragmented packets and/or
+ block UDP packets that are greater than 512 bytes.
</p></dd>
<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
<dd><p>
- Sets the maximum EDNS UDP message size named will
+ Sets the maximum EDNS UDP message size <span><strong class="command">named</strong></span> will
send in bytes. Valid values are 512 to 4096 (values outside
this range will be silently adjusted). The default
value is 4096. The usual reason for setting
- max-udp-size to a non-default value is to get UDP
+ <span><strong class="command">max-udp-size</strong></span> to a non-default value is to get UDP
answers to pass through broken firewalls that
block fragmented packets and/or block UDP packets
that are greater than 512 bytes.
@@ -4542,14 +4544,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
initial value (minimum) and maximum number of recursive
simultaneous clients for any given query
(&lt;qname,qtype,qclass&gt;) that the server will accept
- before dropping additional clients. named will attempt to
+ before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
self tune this value and changes will be logged. The
default values are 10 and 100.
</p>
<p>
This value should reflect how many queries come in for
a given name in the time it takes to resolve that name.
- If the number of queries exceed this value, named will
+ If the number of queries exceed this value, <span><strong class="command">named</strong></span> will
assume that it is dealing with a non-responsive zone
and will drop additional queries. If it gets a response
after dropping queries, it will raise the estimate. The
@@ -4630,7 +4632,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
identify which of a group of anycast servers is actually
answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
disables processing of the queries.
- Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
+ Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
use the hostname as found by the gethostname() function.
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
</p></dd>
@@ -4651,7 +4653,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
loopback address and the IPv6 unknown address.
</p>
<p>
- Named will attempt to determine if a built in zone already exists
+ Named will attempt to determine if a built-in zone already exists
or is active (covered by a forward-only forwarding declaration)
and will not create a empty zone in that case.
</p>
@@ -4699,7 +4701,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<h3 class="title">Note</h3>
The real parent servers for these zones should disable all
empty zone under the parent zone they serve. For the real
- root servers, this is all built in empty zones. This will
+ root servers, this is all built-in empty zones. This will
enable them to return referrals to deeper in the tree.
</div>
<div class="variablelist"><dl>
@@ -4821,66 +4823,6 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
- [ inet ( ip_addr | * ) [ port ip_port ] [allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
- [ inet ...; ]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2586020"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">statistics-channels</strong></span> statement
- declares communication channels to be used by system
- administrators to get access to statistics information of
- the name server.
- </p>
-<p>
- This statement intends to be flexible to support multiple
- communication protocols in the future, but currently only
- HTTP access is supported.
- It requires that BIND 9 be compiled with libxml2;
- the <span><strong class="command">statistics-channels</strong></span> statement is
- still accepted even if it is built without the library,
- but any HTTP access will fail with an error.
- </p>
-<p>
- An <span><strong class="command">inet</strong></span> control channel is a TCP socket
- listening at the specified <span><strong class="command">ip_port</strong></span> on the
- specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
- interpreted as the IPv4 wildcard address; connections will be
- accepted on any of the system's IPv4 addresses.
- To listen on the IPv6 wildcard address,
- use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
- </p>
-<p>
- If no port is specified, port 80 is used for HTTP channels.
- The asterisk "<code class="literal">*</code>" cannot be used for
- <span><strong class="command">ip_port</strong></span>.
- </p>
-<p>
- The attempt of opening a statistics channel is
- restricted by the optional <span><strong class="command">allow</strong></span> clause.
- Connections to the statistics channel are permitted based on the
- <span><strong class="command">address_match_list</strong></span>.
- If no <span><strong class="command">allow</strong></span> clause is present,
- <span><strong class="command">named</strong></span> accepts connection
- attempts from any address; since the statistics may
- contain sensitive internal information, it is highly
- recommended to restrict the source of connection requests
- appropriately.
- </p>
-<p>
- If no <span><strong class="command">statistics-channels</strong></span> statement is present,
- <span><strong class="command">named</strong></span> will not open any communication channels.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
@@ -4984,7 +4926,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</p>
<p>
The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
- that is advertised by named when querying the remote server.
+ that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
Valid values are 512 to 4096 bytes (values outside this range will be
silently adjusted). This option is useful when you wish to
advertises a different value to this server than the value you
@@ -4993,11 +4935,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</p>
<p>
The <span><strong class="command">max-udp-size</strong></span> option sets the
- maximum EDNS UDP message size named will send. Valid
+ maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send. Valid
values are 512 to 4096 bytes (values outside this range will
be silently adjusted). This option is useful when you
know that there is a firewall that is blocking large
- replies from named.
+ replies from <span><strong class="command">named</strong></span>.
</p>
<p>
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
@@ -5075,6 +5017,66 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
+<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
+<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
+ [ inet ( ip_addr | * ) [ port ip_port ] [allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
+ [ inet ...; ]
+};
+</pre>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2586754"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">statistics-channels</strong></span> statement
+ declares communication channels to be used by system
+ administrators to get access to statistics information of
+ the name server.
+ </p>
+<p>
+ This statement intends to be flexible to support multiple
+ communication protocols in the future, but currently only
+ HTTP access is supported.
+ It requires that BIND 9 be compiled with libxml2;
+ the <span><strong class="command">statistics-channels</strong></span> statement is
+ still accepted even if it is built without the library,
+ but any HTTP access will fail with an error.
+ </p>
+<p>
+ An <span><strong class="command">inet</strong></span> control channel is a TCP socket
+ listening at the specified <span><strong class="command">ip_port</strong></span> on the
+ specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
+ address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
+ interpreted as the IPv4 wildcard address; connections will be
+ accepted on any of the system's IPv4 addresses.
+ To listen on the IPv6 wildcard address,
+ use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
+ </p>
+<p>
+ If no port is specified, port 80 is used for HTTP channels.
+ The asterisk "<code class="literal">*</code>" cannot be used for
+ <span><strong class="command">ip_port</strong></span>.
+ </p>
+<p>
+ The attempt of opening a statistics channel is
+ restricted by the optional <span><strong class="command">allow</strong></span> clause.
+ Connections to the statistics channel are permitted based on the
+ <span><strong class="command">address_match_list</strong></span>.
+ If no <span><strong class="command">allow</strong></span> clause is present,
+ <span><strong class="command">named</strong></span> accepts connection
+ attempts from any address; since the statistics may
+ contain sensitive internal information, it is highly
+ recommended to restrict the source of connection requests
+ appropriately.
+ </p>
+<p>
+ If no <span><strong class="command">statistics-channels</strong></span> statement is present,
+ <span><strong class="command">named</strong></span> will not open any communication channels.
+ </p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
<a name="id2586908"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
@@ -5462,7 +5464,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
just the first two letters of the zone name. (Most
operating systems
- behave very slowly if you put 100 000 files into
+ behave very slowly if you put 100000 files into
a single directory.)
</p>
</td>
@@ -6955,7 +6957,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2592546"></a>Textual expression of RRs</h4></div></div></div>
+<a name="id2592682"></a>Textual expression of RRs</h4></div></div></div>
<p>
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -7192,8 +7194,6 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
the mail will be delivered to the server specified in the MX
record
pointed to by the CNAME.
- </p>
-<p>
For example:
</p>
<div class="informaltable"><table border="1">
@@ -7416,7 +7416,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2593822"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<a name="id2593886"></a>Inverse Mapping in IPv4</h3></div></div></div>
<p>
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@@ -7477,7 +7477,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2594018"></a>Other Zone File Directives</h3></div></div></div>
+<a name="id2594013"></a>Other Zone File Directives</h3></div></div></div>
<p>
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -7492,7 +7492,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594040"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<a name="id2594036"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$ORIGIN</strong></span>
<em class="replaceable"><code>domain-name</code></em>
@@ -7520,7 +7520,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594101"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<a name="id2594097"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$INCLUDE</strong></span>
<em class="replaceable"><code>filename</code></em>
@@ -7556,7 +7556,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594170"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<a name="id2594234"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$TTL</strong></span>
<em class="replaceable"><code>default-ttl</code></em>
@@ -7575,7 +7575,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2594206"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<a name="id2594270"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<p>
Syntax: <span><strong class="command">$GENERATE</strong></span>
<em class="replaceable"><code>range</code></em>
@@ -7679,7 +7679,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
<p>
Specifies the time-to-live of the generated records. If
not specified this will be inherited using the
- normal ttl inheritance rules.
+ normal TTL inheritance rules.
</p>
<p><span><strong class="command">class</strong></span>
and <span><strong class="command">ttl</strong></span> can be
@@ -7966,7 +7966,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2595134"></a>Name Server Statistics Counters</h4></div></div></div>
+<a name="id2595267"></a>Name Server Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -8523,7 +8523,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2596812"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
+<a name="id2596808"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -8677,7 +8677,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2597195"></a>Resolver Statistics Counters</h4></div></div></div>
+<a name="id2597191"></a>Resolver Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -9053,7 +9053,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2598214"></a>Socket I/O Statistics Counters</h4></div></div></div>
+<a name="id2598210"></a>Socket I/O Statistics Counters</h4></div></div></div>
<p>
Socket I/O statistics counters are defined per socket
types, which are
@@ -9208,7 +9208,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2598587"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
+<a name="id2598651"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<p>
Most statistics counters that were available
in <span><strong class="command">BIND</strong></span> 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 029bd8b9..80ba6e3c 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch07.html,v 1.178.14.4 2009/03/13 04:19:26 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch07.html,v 1.178.14.5 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -46,9 +46,9 @@
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2598829"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2598893"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2598906">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2598974">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599034">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
@@ -58,7 +58,7 @@
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
- Access Control Lists (ACLs), are address match lists that
+ Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
@@ -119,14 +119,16 @@ zone "example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2598829"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
+<a name="id2598893"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
- On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
- (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
- option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
- a "sandbox", which will limit the damage done if a server is
- compromised.
+ On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
+ in a <span class="emphasis"><em>chrooted</em></span> environment (using
+ the <span><strong class="command">chroot()</strong></span> function) by specifying
+ the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
+ This can help improve system security by placing
+ <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
+ the damage done if a server is compromised.
</p>
<p>
Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
@@ -139,11 +141,11 @@ zone "example.com" {
user 202:
</p>
<p>
- <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
+ <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2598906"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<a name="id2598974"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment
to
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index ac13cae8..65ca623f 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch08.html,v 1.178.14.4 2009/03/13 04:19:26 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch08.html,v 1.178.14.5 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,18 +45,18 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599182">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599256">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599268">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599285">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599251">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599324">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599336">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599353">Where Can I Get Help?</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599182"></a>Common Problems</h2></div></div></div>
+<a name="id2599251"></a>Common Problems</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2599256"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="id2599324"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<p>
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599268"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<a name="id2599336"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<p>
Zone serial numbers are just numbers &#8212; they aren't
date related. A lot of people set them to a number that
@@ -95,7 +95,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599285"></a>Where Can I Get Help?</h2></div></div></div>
+<a name="id2599353"></a>Where Can I Get Help?</h2></div></div></div>
<p>
The Internet Systems Consortium
(<acronym class="acronym">ISC</acronym>) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index be869542..3664b99f 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch09.html,v 1.180.16.4 2009/03/13 04:19:26 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch09.html,v 1.180.16.5 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,21 +45,21 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599347">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599415">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599450">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599587">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2602730">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2602867">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599347"></a>Acknowledgments</h2></div></div></div>
+<a name="id2599415"></a>Acknowledgments</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@@ -148,11 +148,9 @@
BIND architecture.
</p>
<p>
- BIND version 4 is officially deprecated and BIND version
- 8 development is considered maintenance-only in favor
- of BIND version 9. No additional development is done
- on BIND version 4 or BIND version 8 other than for
- security-related patches.
+ BIND versions 4 and 8 are officially deprecated.
+ No additional development is done
+ on BIND version 4 or BIND version 8.
</p>
<p>
<acronym class="acronym">BIND</acronym> development work is made
@@ -164,7 +162,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599450"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2599587"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@@ -252,17 +250,17 @@
</p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2599774"></a>Bibliography</h4></div></div></div>
+<a name="id2599843"></a>Bibliography</h4></div></div></div>
<div class="bibliodiv">
<h3 class="title">Standards</h3>
<div class="biblioentry">
-<a name="id2599785"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2599853"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
</div>
<div class="biblioentry">
-<a name="id2599809"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2599877"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2599832"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+<a name="id2599900"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
Specification</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
</div>
@@ -270,42 +268,42 @@
<h3 class="title">
<a name="proposed_standards"></a>Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2599868"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+<a name="id2599937"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
Specification</i>. </span><span class="pubdate">July 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2599895"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+<a name="id2599963"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
Queries</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2599921"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2599989"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2599945"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2600013"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2599969"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2600037"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600024"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+<a name="id2600092"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600051"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2600119"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600077"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2600146"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600139"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2600208"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600169"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2600237"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600199"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+<a name="id2600267"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600226"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+<a name="id2600294"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
@@ -314,19 +312,19 @@
<h3 class="title">
<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2600308"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+<a name="id2600376"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600334"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2600403"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600371"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2600439"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600436"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2600504"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600501"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+<a name="id2600569"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
</div>
@@ -334,146 +332,146 @@
<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
Implementation</h3>
<div class="biblioentry">
-<a name="id2600574"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+<a name="id2600643"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600600"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+<a name="id2600668"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600668"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2600737"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600704"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+<a name="id2600772"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Resource Record Types</h3>
<div class="biblioentry">
-<a name="id2600749"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2600818"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600807"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2600875"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600844"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+<a name="id2600913"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600880"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+<a name="id2600948"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
Domain
Name System</i>. </span><span class="pubdate">January 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600934"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+<a name="id2601002"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
Location of
Services.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600972"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+<a name="id2601041"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
Distribute MIXER
Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600998"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2601066"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601024"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601092"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601050"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601118"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601077"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601145"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601116"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601185"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601146"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601214"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601176"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+<a name="id2601244"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601219"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2601287"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601252"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+<a name="id2601320"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601278"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+<a name="id2601347"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601302"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+<a name="id2601370"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
version 6</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601360"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+<a name="id2601428"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> and the Internet</h3>
<div class="biblioentry">
-<a name="id2601392"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+<a name="id2601460"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601417"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+<a name="id2601485"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
Support</i>. </span><span class="pubdate">October 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601440"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2601576"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601463"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2601600"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601509"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2601645"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601532"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2601669"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> Operations</h3>
<div class="biblioentry">
-<a name="id2601590"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2601726"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601613"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+<a name="id2601750"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601640"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+<a name="id2601777"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601667"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2601803"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601703"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+<a name="id2601840"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Internationalized Domain Names</h3>
<div class="biblioentry">
-<a name="id2601749"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+<a name="id2601885"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601781"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2601917"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601827"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2601963"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601930"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+<a name="id2601998"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in
Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
@@ -489,47 +487,47 @@
</p>
</div>
<div class="biblioentry">
-<a name="id2601975"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+<a name="id2602043"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601997"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2602066"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602023"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+<a name="id2602091"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602049"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2602117"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602072"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2602140"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602118"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2602186"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602141"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+<a name="id2602210"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602168"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+<a name="id2602236"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602194"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+<a name="id2602262"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
<div class="biblioentry">
-<a name="id2602237"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+<a name="id2602306"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
Location</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602295"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2602363"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602322"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+<a name="id2602390"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
</div>
</div>
@@ -543,39 +541,39 @@
</p>
</div>
<div class="biblioentry">
-<a name="id2602370"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2602438"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602409"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2602477"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602436"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2602504"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602466"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+<a name="id2602534"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602491"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+<a name="id2602560"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602518"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+<a name="id2602586"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602554"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+<a name="id2602691"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602590"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+<a name="id2602727"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602617"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+<a name="id2602754"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602644"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+<a name="id2602780"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602689"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2602825"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
</div>
</div>
@@ -596,14 +594,14 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2602730"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+<a name="id2602867"></a>Other Documents About <acronym class="acronym">BIND</acronym>
</h3></div></div></div>
<p></p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2602808"></a>Bibliography</h4></div></div></div>
+<a name="id2602876"></a>Bibliography</h4></div></div></div>
<div class="biblioentry">
-<a name="id2602810"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2602878"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
</div>
</div>
</div>
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index b7afc11d..23499407 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.html,v 1.193.14.4 2009/03/13 04:19:27 tbox Exp $ -->
+<!-- $Id: Bv9ARM.html,v 1.193.14.5 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -83,7 +83,7 @@
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568358">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568363">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570107">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570071">Signals</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@@ -92,34 +92,34 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570513">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570531">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564066">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564084">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571171">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571244">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571255">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571294">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571489">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571533">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571214">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571225">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571268">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571325">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571510">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571616">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571665">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571524">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571709">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571880">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571961">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571778">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571925">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572006">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572104">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572220">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572166">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572187">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572282">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572304">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572289">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572337">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -127,38 +127,38 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573724">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573716">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574295"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574346"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574553"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574536"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574914"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574931"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574965"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574982"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575022"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575046"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575205"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575331"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575005"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575029"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575120"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575245"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577315"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577457"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577521"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577564"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577306"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577448"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577512"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577556"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577579"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577571"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586020"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
- Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586754"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+ Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586908"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586960"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
@@ -173,9 +173,9 @@
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593203">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593822">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594018">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594206"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593886">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594013">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594270"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -184,31 +184,31 @@
<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2598829"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2598893"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2598906">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2598974">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599034">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599182">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599256">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599268">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599285">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599251">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599324">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599336">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599353">Where Can I Get Help?</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599347">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599415">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599450">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599587">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2602730">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2602867">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 4a919492..4a5697ae 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dig.html,v 1.93.14.6 2009/03/13 04:19:27 tbox Exp $ -->
+<!-- $Id: man.dig.html,v 1.93.14.7 2009/04/03 01:52:23 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -52,7 +52,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2563870"></a><h2>DESCRIPTION</h2>
+<a name="id2570492"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -98,7 +98,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2570724"></a><h2>SIMPLE USAGE</h2>
+<a name="id2603014"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@@ -144,7 +144,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2570835"></a><h2>OPTIONS</h2>
+<a name="id2603125"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@@ -248,7 +248,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2629818"></a><h2>QUERY OPTIONS</h2>
+<a name="id2630091"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -573,7 +573,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2630887"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2631092"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2631041"></a><h2>IDN SUPPORT</h2>
+<a name="id2631177"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2631069"></a><h2>FILES</h2>
+<a name="id2631206"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2631091"></a><h2>SEE ALSO</h2>
+<a name="id2631227"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2631128"></a><h2>BUGS</h2>
+<a name="id2631265"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 24a60662..ebf41d21 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-dsfromkey.html,v 1.6.14.5 2009/03/13 04:19:27 tbox Exp $ -->
+<!-- $Id: man.dnssec-dsfromkey.html,v 1.6.14.6 2009/04/03 01:52:23 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,14 +51,14 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2603763"></a><h2>DESCRIPTION</h2>
+<a name="id2603968"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2603777"></a><h2>OPTIONS</h2>
+<a name="id2603981"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@@ -99,7 +99,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2603907"></a><h2>EXAMPLE</h2>
+<a name="id2604180"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -114,7 +114,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2603943"></a><h2>FILES</h2>
+<a name="id2604216"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -128,13 +128,13 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2603985"></a><h2>CAVEAT</h2>
+<a name="id2604258"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2603994"></a><h2>SEE ALSO</h2>
+<a name="id2604267"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -143,7 +143,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604030"></a><h2>AUTHOR</h2>
+<a name="id2604304"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index cd58bf78..dffae429 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-keyfromlabel.html,v 1.31.14.5 2009/03/13 04:19:30 tbox Exp $ -->
+<!-- $Id: man.dnssec-keyfromlabel.html,v 1.31.14.6 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2604418"></a><h2>DESCRIPTION</h2>
+<a name="id2604759"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -58,7 +58,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604432"></a><h2>OPTIONS</h2>
+<a name="id2604773"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@@ -131,7 +131,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2604696"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2604969"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
@@ -172,7 +172,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604790"></a><h2>SEE ALSO</h2>
+<a name="id2605063"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -182,7 +182,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604829"></a><h2>AUTHOR</h2>
+<a name="id2605102"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 8736a54b..fd122597 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-keygen.html,v 1.97.14.5 2009/03/13 04:19:30 tbox Exp $ -->
+<!-- $Id: man.dnssec-keygen.html,v 1.97.14.6 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2605203"></a><h2>DESCRIPTION</h2>
+<a name="id2605817"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -58,7 +58,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605217"></a><h2>OPTIONS</h2>
+<a name="id2605831"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@@ -166,7 +166,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2605628"></a><h2>GENERATED KEYS</h2>
+<a name="id2606584"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@@ -212,7 +212,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605736"></a><h2>EXAMPLE</h2>
+<a name="id2608808"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -233,7 +233,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605793"></a><h2>SEE ALSO</h2>
+<a name="id2608865"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
@@ -242,7 +242,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2608076"></a><h2>AUTHOR</h2>
+<a name="id2608896"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 52c5938c..89cab245 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-signzone.html,v 1.94.14.5 2009/03/13 04:19:30 tbox Exp $ -->
+<!-- $Id: man.dnssec-signzone.html,v 1.94.14.6 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2606729"></a><h2>DESCRIPTION</h2>
+<a name="id2608094"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2606748"></a><h2>OPTIONS</h2>
+<a name="id2608114"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@@ -276,7 +276,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2661349"></a><h2>EXAMPLE</h2>
+<a name="id2659164"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -305,14 +305,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id2661421"></a><h2>SEE ALSO</h2>
+<a name="id2659237"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2661446"></a><h2>AUTHOR</h2>
+<a name="id2659330"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 9b96c8b7..fe37654f 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.host.html,v 1.93.14.5 2009/03/13 04:19:27 tbox Exp $ -->
+<!-- $Id: man.host.html,v 1.93.14.6 2009/04/03 01:52:23 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2603056"></a><h2>DESCRIPTION</h2>
+<a name="id2603329"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2603433"></a><h2>IDN SUPPORT</h2>
+<a name="id2603843"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -216,12 +216,12 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2603462"></a><h2>FILES</h2>
+<a name="id2603872"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2603476"></a><h2>SEE ALSO</h2>
+<a name="id2603885"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 1b563afc..10287aab 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.named-checkconf.html,v 1.92.14.5 2009/03/13 04:19:30 tbox Exp $ -->
+<!-- $Id: man.named-checkconf.html,v 1.92.14.6 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,14 +50,14 @@
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2607504"></a><h2>DESCRIPTION</h2>
+<a name="id2609005"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a named
configuration file.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2607517"></a><h2>OPTIONS</h2>
+<a name="id2609019"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -92,21 +92,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2607634"></a><h2>RETURN VALUES</h2>
+<a name="id2609136"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2607648"></a><h2>SEE ALSO</h2>
+<a name="id2609149"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2608155"></a><h2>AUTHOR</h2>
+<a name="id2609179"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 4a54b1f7..723c4849 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.named-checkzone.html,v 1.98.14.5 2009/03/13 04:19:30 tbox Exp $ -->
+<!-- $Id: man.named-checkzone.html,v 1.98.14.6 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,7 +51,7 @@
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2608970"></a><h2>DESCRIPTION</h2>
+<a name="id2610131"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -71,7 +71,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2609020"></a><h2>OPTIONS</h2>
+<a name="id2659401"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@@ -257,14 +257,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2663280"></a><h2>RETURN VALUES</h2>
+<a name="id2660208"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2663293"></a><h2>SEE ALSO</h2>
+<a name="id2660221"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@@ -272,7 +272,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2663326"></a><h2>AUTHOR</h2>
+<a name="id2660254"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index bc47f06d..08489e06 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.named.html,v 1.99.14.5 2009/03/13 04:19:30 tbox Exp $ -->
+<!-- $Id: man.named.html,v 1.99.14.6 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2609282"></a><h2>DESCRIPTION</h2>
+<a name="id2610579"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2609381"></a><h2>OPTIONS</h2>
+<a name="id2610610"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -238,7 +238,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2612028"></a><h2>SIGNALS</h2>
+<a name="id2612848"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -259,7 +259,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612078"></a><h2>CONFIGURATION</h2>
+<a name="id2612898"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@@ -268,7 +268,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612098"></a><h2>FILES</h2>
+<a name="id2612917"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@@ -281,7 +281,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2612141"></a><h2>SEE ALSO</h2>
+<a name="id2612961"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
@@ -294,7 +294,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612212"></a><h2>AUTHOR</h2>
+<a name="id2613099"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index c8e2c18a..5848fb21 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.nsupdate.html,v 1.22.14.6 2009/03/13 04:19:26 tbox Exp $ -->
+<!-- $Id: man.nsupdate.html,v 1.22.14.7 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2610236"></a><h2>DESCRIPTION</h2>
+<a name="id2611329"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC2136
to a name server.
@@ -187,7 +187,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2610563"></a><h2>INPUT FORMAT</h2>
+<a name="id2612201"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
@@ -451,7 +451,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2666960"></a><h2>EXAMPLES</h2>
+<a name="id2667233"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@@ -505,7 +505,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2667078"></a><h2>FILES</h2>
+<a name="id2667283"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
@@ -524,7 +524,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2667147"></a><h2>SEE ALSO</h2>
+<a name="id2667352"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
@@ -537,7 +537,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2667218"></a><h2>BUGS</h2>
+<a name="id2667422"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index aa41c674..4839e89f 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.rndc-confgen.html,v 1.102.14.6 2009/03/13 04:19:26 tbox Exp $ -->
+<!-- $Id: man.rndc-confgen.html,v 1.102.14.7 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,7 +48,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2616776"></a><h2>DESCRIPTION</h2>
+<a name="id2616981"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@@ -64,7 +64,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2616842"></a><h2>OPTIONS</h2>
+<a name="id2625034"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@@ -171,7 +171,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2633885"></a><h2>EXAMPLES</h2>
+<a name="id2634158"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@@ -188,7 +188,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633942"></a><h2>SEE ALSO</h2>
+<a name="id2634215"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -196,7 +196,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633980"></a><h2>AUTHOR</h2>
+<a name="id2634253"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 097d0791..cb72238a 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.rndc.conf.html,v 1.103.14.6 2009/03/13 04:19:26 tbox Exp $ -->
+<!-- $Id: man.rndc.conf.html,v 1.103.14.7 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2607897"></a><h2>DESCRIPTION</h2>
+<a name="id2606668"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612779"></a><h2>EXAMPLE</h2>
+<a name="id2614213"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
@@ -209,7 +209,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612901"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2614334"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -219,7 +219,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612926"></a><h2>SEE ALSO</h2>
+<a name="id2614360"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -227,7 +227,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612965"></a><h2>AUTHOR</h2>
+<a name="id2614398"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 1eb9db0c..f88a70e5 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.rndc.html,v 1.101.14.6 2009/03/13 04:19:26 tbox Exp $ -->
+<!-- $Id: man.rndc.html,v 1.101.14.7 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2610871"></a><h2>DESCRIPTION</h2>
+<a name="id2612305"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -79,7 +79,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2610921"></a><h2>OPTIONS</h2>
+<a name="id2612355"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
@@ -151,7 +151,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2611283"></a><h2>LIMITATIONS</h2>
+<a name="id2613262"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -165,7 +165,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2611314"></a><h2>SEE ALSO</h2>
+<a name="id2613293"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -175,7 +175,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2611369"></a><h2>AUTHOR</h2>
+<a name="id2613349"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/rfc/index b/doc/rfc/index
index a1450d06..684b135c 100644
--- a/doc/rfc/index
+++ b/doc/rfc/index
@@ -118,3 +118,4 @@
Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR)
5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
5295: Host Identity Protocol (HIP) Domain Name System (DNS) Extension
+5507: Design Choices When Expanding the DNS
diff --git a/doc/rfc/rfc5507.txt b/doc/rfc/rfc5507.txt
new file mode 100644
index 00000000..a286d908
--- /dev/null
+++ b/doc/rfc/rfc5507.txt
@@ -0,0 +1,1011 @@
+
+
+
+
+
+
+Network Working Group IAB
+Request for Comments: 5507 P. Faltstrom, Ed.
+Category: Informational R. Austein, Ed.
+ P. Koch, Ed.
+ April 2009
+
+
+ Design Choices When Expanding the DNS
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (c) 2009 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents in effect on the date of
+ publication of this document (http://trustee.ietf.org/license-info).
+ Please review these documents carefully, as they describe your rights
+ and restrictions with respect to this document.
+
+
+Abstract
+
+ This note discusses how to extend the DNS with new data for a new
+ application. DNS extension discussions too often focus on reuse of
+ the TXT Resource Record Type. This document lists different
+ mechanisms to extend the DNS, and concludes that the use of a new DNS
+ Resource Record Type is the best solution.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+IAB, et al. Informational [Page 1]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Background ......................................................4
+ 3. Extension Mechanisms ............................................5
+ 3.1. Place Selectors inside the RDATA of Existing
+ Resource Record Types ......................................5
+ 3.2. Add a Prefix to the Owner Name .............................6
+ 3.3. Add a Suffix to the Owner Name .............................7
+ 3.4. Add a New Class ............................................8
+ 3.5. Add a New Resource Record Type .............................8
+ 4. Zone Boundaries are Invisible to Applications ...................9
+ 5. Why Adding a New Resource Record Type Is the Preferred
+ Solution .......................................................10
+ 6. Conclusion and Recommendation ..................................14
+ 7. Creating a New Resource Record Type ............................14
+ 8. Security Considerations ........................................15
+ 9. Acknowledgements ...............................................15
+ 10. IAB Members at the Time of This Writing .......................16
+ 11. References ....................................................16
+ 11.1. Normative References .....................................16
+ 11.2. Informative References ...................................16
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+IAB, et al. Informational [Page 2]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+1. Introduction
+
+ The DNS stores multiple categories of data. The two most commonly
+ used categories are infrastructure data for the DNS system itself (NS
+ and SOA Resource Records) and data that have to do with mappings
+ between domain names and IP addresses (A, AAAA, and PTR Resource
+ Records). There are other categories as well, some of which are tied
+ to specific applications like email (MX Resource Records), while
+ others are generic Resource Record Types used to convey information
+ for multiple protocols (SRV and NAPTR Resource Records).
+
+ When storing data in the DNS for a new application, the goal must be
+ to store data in such a way that the application can query for the
+ data it wants, while minimizing both the impact on existing
+ applications and the amount of extra data transferred to the client.
+ This implies that a number of design choices have to be made, where
+ the most important is to ensure that a precise selection of what data
+ to return must be made already in the query. A query consists of a
+ triple: {Owner (or name), Resource Record Class, Resource Record
+ Type}.
+
+ Historically, extending the DNS to store application data tied to a
+ domain name has been done in different ways at different times. MX
+ Resource Records were created as a new Resource Record Type
+ specifically designed to support electronic mail. SRV records are a
+ generic type that use a prefixing scheme in combination with a base
+ domain name. NAPTR records add selection data inside the RDATA. It
+ is clear that the methods used to add new data types to the DNS have
+ been inconsistent, and the purpose of this document is to attempt to
+ clarify the implications of each of these methods, both for the
+ applications that use them and for the rest of the DNS.
+
+ This document talks extensively about use of DNS wildcards. Many
+ people might think use of wildcards is not something that happens
+ today. In reality though, wildcards are in use, especially for
+ certain application-specific data such as MX Resource Records.
+ Because of this, the choice has to be made with the existence of
+ wildcards in mind.
+
+ Another overall issue that must be taken into account is what the new
+ data in the DNS are to describe. In some cases, they might be
+ completely new data. In other cases, they might be metadata tied to
+ data that already exist in the DNS. Examples of new data are key
+ information for the Secure SHell (SSH) Protocol and data used for
+ authenticating the sender of email messages (metadata tied to MX
+ Resource Records). If the new data are tied to data that already
+ exist in the DNS, an analysis should be made as to whether having
+ (for example) address records and SSH key information in different
+
+
+
+IAB, et al. Informational [Page 3]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ DNS zones is a problem or if it is a bonus, and if it is a problem,
+ whether the specification must require all of the related data to be
+ in the same zone. One specific difference between having the records
+ in the same zone or not has to do with maintenance of the records.
+ If they are in the same zone, the same maintainer (from a DNS
+ perspective) manages the two records. Specifically, they must be
+ signed with the same DNSSEC keys if DNSSEC is in use.
+
+ This document does not talk about what one should store in the DNS.
+ It also doesn't discuss whether the DNS should be used for service
+ discovery, or whether the DNS should be used for storage of data
+ specific to the service. In general, the DNS is a protocol that,
+ apart from holding metadata that makes the DNS itself function (NS,
+ SOA, DNSSEC Resource Record Types, etc.), only holds references to
+ service locations (SRV, NAPTR, A, AAAA Resource Record Types) --
+ though there are exceptions, such as MX Resource Records.
+
+2. Background
+
+ See RFC 5395 [RFC5395] for a brief summary of the DNS query
+ structure. Readers interested in the full story should start with
+ the base DNS specification in RFC 1035 [RFC1035] and continue with
+ the various documents that update, clarify, and extend the base
+ specification.
+
+ When composing a DNS query, the parameters used by the protocol are a
+ {owner, class, type} triple. Every Resource Record matching such a
+ triple is said to belong to the same Resource Record Set (RRSet), and
+ the whole RRSet is always returned to the client that queries for it.
+ Splitting an RRSet is a protocol violation (sending a partial RRSet,
+ not truncating the DNS response), because it can result in coherency
+ problems with the DNS caching mechanism. See Section 5 of [RFC2181]
+ for more information.
+
+ Some discussions around extensions to the DNS include arguments
+ around MTU size. Note that most discussions about DNS and MTU size
+ are about the size of the whole DNS packet, not about the size of a
+ single RRSet.
+
+ Almost all DNS query traffic is carried over UDP, where a DNS message
+ must fit within a single UDP packet. DNS response messages are
+ almost always larger than DNS query messages, so message size issues
+ are almost always about responses, not queries. The base DNS
+ specification limits DNS messages over UDP to 512 octets; EDNS0
+ [RFC2671] specifies a mechanism by which a client can signal its
+ willingness to receive larger responses, but deployment of EDNS0 is
+ not universal, in part because of firewalls that block fragmented UDP
+ packets or EDNS0. If a response message won't fit in a single
+
+
+
+IAB, et al. Informational [Page 4]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ packet, the name server returns a truncated response, at which point
+ the client may retry using TCP. DNS queries over TCP are not subject
+ to this length limitation, but TCP imposes significantly higher per-
+ query overhead on name servers than UDP. It is also the case that
+ the policies in deployed firewalls far too often are such that they
+ block DNS over TCP, so using TCP might not in reality be an option.
+ There are also risks (although possibly small) that a change of
+ routing while a TCP flow is open creates problems when the DNS
+ servers are deployed in an anycast environment.
+
+3. Extension Mechanisms
+
+ The DNS protocol is intended to be extensible to support new kinds of
+ data. This section examines the various ways in which this sort of
+ extension can be accomplished.
+
+3.1. Place Selectors inside the RDATA of Existing Resource Record Types
+
+ For a given query name, one might choose to have a single RRSet (all
+ Resource Records sharing the same {owner, class, type} triple) shared
+ by multiple applications, and have the different applications use
+ selectors within the Resource Record data (RDATA) to determine which
+ records are intended for which applications. This sort of selector
+ mechanism is usually referred to "subtyping", because it is in effect
+ creating an additional type subsystem within a single DNS Resource
+ Record Type.
+
+ Examples of subtyping include NAPTR Resource Records [RFC3761] and
+ the original DNSSEC KEY Resource Record Type [RFC2535] (which was
+ later updated by RFC 3445 [RFC3445], and obsoleted by RFC 4033
+ [RFC4033], RFC 4034 [RFC4034] and RFC 4035 [RFC4035]).
+
+ All DNS subtyping schemes share a common weakness: with subtyping
+ schemes, it is impossible for a client to query for just the data it
+ wants. Instead, the client must fetch the entire RRSet, then select
+ the Resource Records in which it is interested. Furthermore, since
+ DNSSEC signatures operate on complete RRSets, the entire RRSet must
+ be re-signed if any Resource Record in it changes. As a result, each
+ application that uses a subtyped Resource Record incurs higher
+ overhead than any of the applications would have incurred had they
+ not been using a subtyping scheme. The fact the RRSet is always
+ passed around as an indivisible unit increases the risk the RRSet
+ will not fit in a UDP packet, which in turn increases the risk that
+ the client will have to retry the query with TCP, which substantially
+ increases the load on the name server. More precisely: having one
+ query fail over to TCP is not a big deal, but since the typical ratio
+
+
+
+
+
+IAB, et al. Informational [Page 5]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ of clients to servers in today's deployed DNS is very high, having a
+ substantial number of DNS messages fail over to TCP may cause the
+ queried name servers to be overloaded by TCP overhead.
+
+ Because of the size limitations, using a subtyping scheme to list a
+ large number of services for a single domain name risks triggering
+ truncation and fallback to TCP, which may in turn force the zone
+ administrator to announce only a subset of available services.
+
+3.2. Add a Prefix to the Owner Name
+
+ By adding an application-specific prefix to a domain name, we get a
+ different {owner, class, type} triple, and therefore a different
+ RRSet. One problem with adding prefixes has to do with wildcards,
+ especially if one has records like:
+
+ *.example.com. IN MX 1 mail.example.com.
+
+ and one wants records tied to those names. Suppose one creates the
+ prefix "_mail". One would then have to say something like:
+
+ _mail.*.example.com. IN X-FOO A B C D
+
+ but DNS wildcards only work with the "*" as the leftmost token in the
+ domain name (see also RFC 4592 [RFC4592]).
+
+ There have been proposals to deal with the problem that DNS wildcards
+ are always terminal records. These proposals introduce an additional
+ set of trade-offs that would need to be taken into account when
+ assessing which extension mechanism to choose. Aspects of extra
+ response time needed to perform the extra queries, costs of pre-
+ calculation of possible answers, or the costs induced to the system
+ as a whole come to mind. At the time of writing, none of these
+ proposals has been published as Standards Track RFCs.
+
+ Even when a specific prefix is chosen, the data will still have to be
+ stored in some Resource Record Type. This Resource Record Type can
+ be either a new Resource Record Type or an existing Resource Record
+ Type that has an appropriate format to store the data. One also
+ might need some other selection mechanism, such as the ability to
+ distinguish between the records in an RRSet, given they have the same
+ Resource Record Type. Because of this, one needs to both register a
+ unique prefix and define what Resource Record Type is to be used for
+ this specific service.
+
+
+
+
+
+
+
+IAB, et al. Informational [Page 6]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ If the record has some relationship with another record in the zone,
+ the fact that the two records can be in different zones might have
+ implications on the trust the application has in the records. For
+ example:
+
+ example.com. IN MX 10 mail.example.com.
+ _foo.example.com. IN X-BAR "metadata for the mail service"
+
+ In this example, the two records might be in two different zones, and
+ as a result might be administered by two different organizations, and
+ signed by two different entities when using DNSSEC. For these two
+ reasons, using a prefix has recently become a very interesting
+ solution for many protocol designers. In some cases, e.g.,
+ DomainKeys Identified Mail Signatures [RFC4871], TXT records have
+ been used. In others, such as SRV, entirely new Resource Record
+ Types have been added.
+
+3.3. Add a Suffix to the Owner Name
+
+ Adding a suffix to a domain name changes the {owner, class, type}
+ triple, and therefore the RRSet. In this case, since the query name
+ can be set to exactly the data one wants, the size of the RRSet is
+ minimized. The problem with adding a suffix is that it creates a
+ parallel tree within the IN class. Further, there is no technical
+ mechanism to ensure that the delegation for "example.com" and
+ "example.com._bar" are made to the same organization. Furthermore,
+ data associated with a single entity will now be stored in two
+ different zones, such as "example.com" and "example.com._bar", which,
+ depending on who controls "_bar", can create new synchronization and
+ update authorization issues.
+
+ One way of solving the administrative issues is by using the DNAME
+ Resource Record Type specified in RFC 2672 [RFC2672].
+
+ Even when using a different name, the data will still have to be
+ stored in some Resource Record Type that has an appropriate format to
+ store the data. This implies that one might have to mix the prefix
+ based selection mechanism with some other mechanism so that the right
+ Resource Record can be found out of many in a potential larger RRSet.
+
+ In RFC 2163 [RFC2163] an infix token is inserted directly below the
+ Top-Level Domain (TLD), but the result is equivalent to adding a
+ suffix to the owner name (instead of creating a TLD, one is creating
+ a second level domain).
+
+
+
+
+
+
+
+IAB, et al. Informational [Page 7]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+3.4. Add a New Class
+
+ DNS zones are class-specific in the sense that all the records in
+ that zone share the same class as the zone's SOA record and the
+ existence of a zone in one class does not guarantee the existence of
+ the zone in any other class. In practice, only the IN class has ever
+ seen widespread deployment, and the administrative overhead of
+ deploying an additional class would almost certainly be prohibitive.
+
+ Nevertheless, one could, in theory, use the DNS class mechanism to
+ distinguish between different kinds of data. However, since the DNS
+ delegation tree (represented by NS Resource Records) is itself tied
+ to a specific class, attempting to resolve a query by crossing a
+ class boundary may produce unexpected results because there is no
+ guarantee that the name servers for the zone in the new class will be
+ the same as the name servers in the IN class. The MIT Hesiod system
+ [Dyer87] used a scheme like this for storing data in the HS class,
+ but only on a very small scale (within a single institution), and
+ with an administrative fiat requiring that the delegation trees for
+ the IN and HS trees be identical. The use of the HS class for such
+ storage of non-sensitive data was, over time, replaced by use of the
+ Lightweight Directory Access Protocol (LDAP) [RFC4511].
+
+ Even when using a different class, the data will still have to be
+ stored in some Resource Record Type that has an appropriate format.
+
+3.5. Add a New Resource Record Type
+
+ When adding a new Resource Record Type to the system, entities in
+ four different roles have to be able to handle the new Type:
+
+ 1. There must be a way to insert the new Resource Records into the
+ zone at the Primary Master name server. For some server
+ implementations, the user interface only accepts Resource Record
+ Types that it understands (perhaps so that the implementation can
+ attempt to validate the data). Other implementations allow the
+ zone administrator to enter an integer for the Resource Record
+ Type code and the RDATA in Base64 or hexadecimal encoding (or
+ even as raw data). RFC 3597 [RFC3597] specifies a standard
+ generic encoding for this purpose.
+
+ 2. A slave authoritative name server must be able to do a zone
+ transfer, receive the data from some other authoritative name
+ server, and serve data from the zone even though the zone
+ includes records of unknown Resource Record Types. Historically,
+ some implementations have had problems parsing stored copies of
+ the zone file after restarting, but those problems have not been
+ seen for a few years. Some implementations use an alternate
+
+
+
+IAB, et al. Informational [Page 8]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ mechanism (e.g., LDAP) to transfer Resource Records in a zone,
+ and are primarily used within corporate environments; in this
+ case, name servers must be able to transfer new Resource Record
+ Types using whatever mechanism is used. However, today this
+ alternative mechanism may not support unknown Resource Record
+ Types. Hence, in Internet environments, unknown Resource Record
+ Types are supported, but in corporate environments they are
+ problematic.
+
+ 3. A caching resolver (most commonly a recursive name server) will
+ cache the records that are responses to queries. As mentioned in
+ RFC 3597 [RFC3597], there are various pitfalls where a recursive
+ name server might end up having problems.
+
+ 4. The application must be able to get the RRSet with a new Resource
+ Record Type. The application itself may understand the RDATA,
+ but the resolver library might not. Support for a generic
+ interface for retrieving arbitrary DNS Resource Record Types has
+ been a requirement since 1989 (see Section 6.1.4.2 of [RFC1123]).
+ Some stub resolver library implementations neglect to provide
+ this functionality and cannot handle unknown Resource Record
+ Types, but implementation of a new stub resolver library is not
+ particularly difficult, and open source libraries that already
+ provide this functionality are available.
+
+ Historically, adding a new Resource Record Type has been very
+ problematic. The review process has been cumbersome, DNS servers
+ have not been able to handle new Resource Record Types, and firewalls
+ have dropped queries or responses with Resource Record Types that are
+ unknown to the firewall. This is, for example, one of the reasons
+ the ENUM standard reuses the NAPTR Resource Record, a decision that
+ today might have gone to creating a new Resource Record Type instead.
+
+ Today, there is a requirement that DNS software handle unknown
+ Resource Record Types, and investigations have shown that software
+ that is deployed, in general, does support it, except in some
+ alternate mechanisms for transferring Resource Records such as LDAP,
+ as noted above. Also, the approval process for new Resource Record
+ Types has been updated [RFC5395] so the effort that is needed for
+ various Resource Record Types is more predictable.
+
+4. Zone Boundaries are Invisible to Applications
+
+ Regardless of the possible choices above, we have seen a number of
+ cases where the application made assumptions about the structure of
+ the namespace and the location where specific information resides.
+ We take a small sidestep to argue against such approaches.
+
+
+
+
+IAB, et al. Informational [Page 9]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ The DNS namespace is a hierarchy, technically speaking. However,
+ this only refers to the way names are built from multiple labels.
+ DNS hierarchy neither follows nor implies administrative hierarchy.
+ Because of that, it cannot be assumed that data attached to a node in
+ the DNS tree is valid for the whole subtree. Technically, there are
+ zone boundaries partitioning the namespace, and administrative
+ boundaries (or policy boundaries) may even exist elsewhere.
+
+ The false assumption has lead to an approach called "tree climbing",
+ where a query that does not receive a positive response (either the
+ requested RRSet was missing or the name did not exist) is retried by
+ repeatedly stripping off the leftmost label (climbing towards the
+ root) until the root domain is reached. Sometimes these proposals
+ try to avoid the query for the root or the TLD level, but still this
+ approach has severe drawbacks:
+
+ o Technically, the DNS was built as a query-response tool without
+ any search capability [RFC3467]. Adding the search mechanism
+ imposes additional burden on the technical infrastructure, in the
+ worst case on TLD and root name servers.
+
+ o For reasons similar to those outlined in RFC 1535 [RFC1535],
+ querying for information in a domain outside the control of the
+ intended entity may lead to incorrect results and may also put
+ security at risk. Finding the exact policy boundary is impossible
+ without an explicit marker, which does not exist at present. At
+ best, software can detect zone boundaries (e.g., by looking for
+ SOA Resource Records), but some TLD registries register names
+ starting at the second level (e.g., CO.UK), and there are various
+ other "registry" types at second, third, or other level domains
+ that cannot be identified as such without policy knowledge
+ external to the DNS.
+
+ To restate, the zone boundary is purely a boundary that exists in the
+ DNS for administrative purposes, and applications should be careful
+ not to draw unwarranted conclusions from zone boundaries. A
+ different way of stating this is that the DNS does not support
+ inheritance, e.g., an MX RRSet for a TLD will not be valid for any
+ subdomain of that particular TLD.
+
+5. Why Adding a New Resource Record Type Is the Preferred Solution
+
+ By now, the astute reader might be wondering what conclusions to draw
+ from the issues presented so far. We will now attempt to clear up
+ the reader's confusion by following the thought processes of a
+ typical application designer who wishes to store data in the DNS.
+ We'll show how such a designer almost inevitably hits upon the idea
+ of just using a TXT Resource Record, why this is a bad thing, and why
+
+
+
+IAB, et al. Informational [Page 10]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ a new Resource Record Type should be allocated instead. We'll also
+ explain how the reuse of an existing Resource Record, including TXT,
+ can be made less harmful.
+
+ The overall problem with most solutions has to do with two main
+ issues:
+
+ o No semantics to prevent collision with other use
+
+ o Space considerations in the DNS message
+
+ A typical application designer is not interested in the DNS for its
+ own sake, but rather regards it as a distributed database in which
+ application data can be stored. As a result, the designer of a new
+ application is usually looking for the easiest way to add whatever
+ new data the application needs to the DNS in a way that naturally
+ associates the data with a DNS name and does not require major
+ changes to DNS servers.
+
+ As explained in Section 3.4, using the DNS class system as an
+ extension mechanism is not really an option, and in fact, most users
+ of the system don't even realize that the mechanism exists. As a
+ practical matter, therefore any extension is likely to be within the
+ IN class.
+
+ Adding a new Resource Record Type is the technically correct answer
+ from the DNS protocol standpoint (more on this below), but doing so
+ requires some DNS expertise, due to the issues listed in Section 3.5.
+ Consequently, this option is often rejected. Note that according to
+ RFC 5395 [RFC5395], some Types require IETF Consensus, while others
+ only require a specification.
+
+ There is a drawback to defining new RR types that is worth
+ mentioning. The Resource Record Type (RRTYPE) is a 16-bit value and
+ hence is a limited resource. In order to prevent hoarding the
+ registry has a review-based allocation policy [RFC5395]; however,
+ this may not be sufficient if extension of the DNS by addition of new
+ RR types takes up significantly and the registry starts nearing
+ completion. In that case, the trade-offs with respect to choosing an
+ extension mechanism may need to change.
+
+ The application designer is thus left with the prospect of reusing
+ some existing DNS Types within the IN class, but when the designer
+ looks at the existing Types, almost all of them have well-defined
+ semantics, none of which quite match the needs of the new
+ application. This has not completely prevented proposals from
+
+
+
+
+
+IAB, et al. Informational [Page 11]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ reusing existing Resource Record Types in ways incompatible with
+ their defined semantics, but it does tend to steer application
+ designers away from this approach.
+
+ For example, Resource Record Type 40 was registered for the SINK
+ Resource Record Type. This Resource Record Type was discussed in the
+ DNSIND working group of the IETF, and it was decided at the 46th IETF
+ to not move the I-D forward to become an RFC because of the risk of
+ encouraging application designers to use the SINK Resource Record
+ Type instead of registering a new Resource Record Type, which would
+ result in infeasibly large SINK RRsets.
+
+ Eliminating all of the above leaves the TXT Resource Record Type in
+ the IN class. The TXT RDATA format is free form text, and there are
+ no existing semantics to get in the way. Some attempts have been
+ made, for example, in [DNSEXT-DNS-SD], to specify a structured format
+ for TXT Resource Record Types, but no such attempt has reached RFC
+ status. Furthermore, the TXT Resource Record can obviously just be
+ used as a bucket in which to carry around data to be used by some
+ higher-level parser, perhaps in some human-readable programming or
+ markup language. Thus, for many applications, TXT Resource Records
+ are the "obvious" choice. Unfortunately, this conclusion, while
+ understandable, is also problematic, for several reasons.
+
+ The first reason why TXT Resource Records are not well suited to such
+ use is precisely what makes them so attractive: the lack of pre-
+ defined common syntax or structure. As a result, each application
+ that uses them creates its own syntax/structure, and that makes it
+ difficult to reliably distinguish one application's record from
+ others, and for its parser to avoid problems when it encounters other
+ TXT records.
+
+ Arguably, the TXT Resource Record is misnamed, and should have been
+ called the Local Container record, because a TXT Resource Record
+ means only what the data producer says it means. This is fine, so
+ long as TXT Resource Records are being used by human beings or by
+ private agreement between data producer and data consumer. However,
+ it becomes a problem once one starts using them for standardized
+ protocols in which there is no prior relationship between data
+ producer and data consumer. If TXT records are used without one of
+ the naming modifications discussed earlier (and in some cases even if
+ one uses such naming mechanisms), there is nothing to prevent
+ collisions with some other incompatible use of TXT Resource Records.
+
+ This is even worse than the general subtyping problem described in
+ Section 3.1 because TXT Resource Records don't even have a
+ standardized selector field in which to store the subtype. RFC 1464
+ [RFC1464] tried, but it was not a success. At best, a definition of
+
+
+
+IAB, et al. Informational [Page 12]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ a subtype is reduced to hoping that whatever scheme one has come up
+ with will not accidently conflict with somebody else's subtyping
+ scheme, and that it will not be possible to mis-parse one
+ application's use of TXT Resource Records as data intended for a
+ different application. Any attempt to impose a standardized format
+ within the TXT Resource Record format would be at least fifteen years
+ too late, even if it were put into effect immediately; at best, one
+ can restrict the syntax that a particular application uses within a
+ TXT Resource Record and accept the risk that unrelated TXT Resource
+ Record uses will collide with it.
+
+ Using one of the naming modifications discussed in Section 3.2 and
+ Section 3.3 would address the subtyping problem, (and have been used
+ in combinations with reuse of TXT record, such as for the dns/txt
+ lookup mechanism in Domain Keys Identified Mail (DKIM)) but each of
+ these approaches brings in new problems of its own. The prefix
+ approach (that for example SRV Resource Records use) does not work
+ well with wildcards, which is a particular problem for mail-related
+ applications, since MX Resource Records are probably the most common
+ use of DNS wildcards. The suffix approach doesn't have wildcard
+ issues, but, as noted previously, it does have synchronization and
+ update authorization issues, since it works by creating a second
+ subtree in a different part of the global DNS namespace.
+
+ The next reason why TXT Resource Records are not well suited to
+ protocol use has to do with the limited data space available in a DNS
+ message. As alluded to briefly in Section 3.1, typical DNS query
+ traffic patterns involve a very large number of DNS clients sending
+ queries to a relatively small number of DNS servers. Normal path MTU
+ discovery schemes do little good here because, from the server's
+ perspective, there isn't enough repeat traffic from any one client
+ for it to be worth retaining state. UDP-based DNS is an idempotent
+ query, whereas TCP-based DNS requires the server to keep state (in
+ the form of TCP connection state, usually in the server's kernel) and
+ roughly triples the traffic load. Thus, there's a strong incentive
+ to keep DNS messages short enough to fit in a UDP datagram,
+ preferably a UDP datagram short enough not to require IP
+ fragmentation.
+
+ Subtyping schemes are therefore again problematic because they
+ produce larger Resource RRSets than necessary, but verbose text
+ encodings of data are also wasteful since the data they hold can
+ usually be represented more compactly in a Resource Record designed
+ specifically to support the application's particular data needs. If
+ the data that need to be carried are so large that there is no way to
+ make them fit comfortably into the DNS regardless of encoding, it is
+ probably better to move the data somewhere else, and just use the DNS
+ as a pointer to the data, as with NAPTR.
+
+
+
+IAB, et al. Informational [Page 13]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+6. Conclusion and Recommendation
+
+ Given the problems detailed in Section 5, it is worth reexamining the
+ oft-jumped-to conclusion that specifying a new Resource Record Type
+ is hard. Historically, this was indeed the case, but recent surveys
+ suggest that support for unknown Resource Record Types [RFC3597] is
+ now widespread in the public Internet, and because of that, the DNS
+ infrastructure can handle new Resource Record Types. The lack of
+ support for unknown Types remains an issue for relatively old
+ provisioning software and in corporate environments.
+
+ Of all the issues detailed in Section 3.5, provisioning the data is
+ in some respects the most difficult. Investigations with zone
+ transfers show that the problem is less difficult for the
+ authoritative name servers themselves than the front-end systems used
+ to enter (and perhaps validate) the data. Hand editing does not work
+ well for maintenance of large zones, so some sort of tool is
+ necessary, and the tool may not be tightly coupled to the name server
+ implementation itself. Note, however, that this provisioning problem
+ exists to some degree with any new form of data to be stored in the
+ DNS, regardless of data format, Resource Record type (even if TXT
+ Resource Record Types are in use), or naming scheme. Adapting front-
+ end systems to support a new Resource Record Type may be a bit more
+ difficult than reusing an existing type, but this appears to be a
+ minor difference in degree rather than a difference in kind.
+
+ Given the various issues described in this note, we believe that:
+
+ o there is no magic solution that allows a completely painless
+ addition of new data to the DNS, but
+
+ o on the whole, the best solution is still to use the DNS Resource
+ Record Type mechanism designed for precisely this purpose,
+ whenever possible, and
+
+ o of all the alternate solutions, the "obvious" approach of using
+ TXT Resource Records for arbitrary names is almost certainly the
+ worst, especially for the two reasons outlined above (lack of
+ semantics and its implementations, and size leading to the need to
+ use TCP).
+
+7. Creating a New Resource Record Type
+
+ The process for creating a new Resource Record Type is specified in
+ RFC 5395 [RFC5395].
+
+
+
+
+
+
+IAB, et al. Informational [Page 14]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+8. Security Considerations
+
+ DNS RRSets can be signed using DNSSEC. DNSSEC is almost certainly
+ necessary for any application mechanism that stores authorization
+ data in the DNS. DNSSEC signatures significantly increase the size
+ of the messages transported, and because of this, the DNS message
+ size issues discussed in Sections 3.1 and 5 are more serious than
+ they might at first appear.
+
+ Adding new Resource Record Types (as discussed in Section 3.5) can
+ create two different kinds of problems: in the DNS software and in
+ applications. In the DNS software, it might conceivably trigger bugs
+ and other bad behavior in software that is not compliant with RFC
+ 3597 [RFC3597], but most such DNS software is old enough and insecure
+ enough that it should be updated for other reasons in any case. In
+ applications and provisioning software, the changes for the new
+ features that need the new data in the DNS can be updated to
+ understand the structure of the new data format (regardless of
+ whether a new Resource Record Type is used or some other mechanism is
+ chosen). Basic API support for retrieving arbitrary Resource Record
+ Types has been a requirement since 1989 [RFC1123].
+
+ Any new protocol that proposes to use the DNS to store data used to
+ make authorization decisions would be well advised not only to use
+ DNSSEC but also to encourage upgrades to DNS server software recent
+ enough not to be riddled with well-known exploitable bugs.
+
+9. Acknowledgements
+
+ This document has been created over a number of years, with input
+ from many people. The question on how to expand and use the DNS is
+ sensitive, and a document like this can not please everyone. The
+ goal is instead to describe the architecture and tradeoffs, and make
+ some recommendations about best practices.
+
+ People that have helped include: Dean Anderson, Mark Andrews, John
+ Angelmo, Roy Badami, Dan Bernstein, Alex Bligh, Nathaniel Borenstein,
+ Stephane Bortzmeyer, Brian Carpenter, Leslie Daigle, Elwyn Davies,
+ Mark Delany, Richard Draves, Martin Duerst, Donald Eastlake, Robert
+ Elz, Jim Fenton, Tony Finch, Jim Gilroy, Olafur Gudmundsson, Eric
+ Hall, Phillip Hallam-Baker, Ted Hardie, Bob Hinden, Paul Hoffman,
+ Geoff Houston, Christian Huitema, Johan Ihren, John Klensin, Ben
+ Laurie, William Leibzon, John Levine, Edward Lewis, David MacQuigg,
+ Allison Mankin, Bill Manning, David Meyer, Pekka Nikander, Mans
+ Nilsson, Masataka Ohta, Douglas Otis, Michael Patton, Jonathan
+ Rosenberg, Anders Rundgren, Miriam Sapiro, Carsten Strotmann, Pekka
+ Savola, Chip Sharp, James Snell, Michael Thomas, Paul Vixie, Sam
+ Weiler, Florian Weimer, Bert Wijnen, and Dan Wing.
+
+
+
+IAB, et al. Informational [Page 15]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+10. IAB Members at the Time of This Writing
+
+ Loa Andersson
+ Gonzalo Camarillo
+ Stuart Cheshire
+ Russ Housley
+ Olaf Kolkman
+ Gregory Lebovitz
+ Barry Leiba
+ Kurtis Lindqvist
+ Andrew Malis
+ Danny McPherson
+ David Oran
+ Dave Thaler
+ Lixia Zhang
+
+11. References
+
+11.1. Normative References
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1464] Rosenbaum, R., "Using the Domain Name System To
+ Store Arbitrary String Attributes", RFC 1464,
+ May 1993.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security
+ Extensions", RFC 2535, March 1999.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
+ RFC 2671, August 1999.
+
+ [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource
+ Record (RR) Types", RFC 3597, September 2003.
+
+ [RFC5395] Eastlake, D., "Domain Name System (DNS) IANA
+ Considerations", BCP 42, RFC 5395, November 2008.
+
+11.2. Informative References
+
+ [DNSEXT-DNS-SD] Cheshire, S. and M. Krochmal, "DNS-Based Service
+ Discovery", Work in Progress, September 2008.
+
+ [Dyer87] Dyer, S. and F. Hsu, "Hesiod, Project Athena
+ Technical Plan - Name Service", Version 1.9,
+ April 1987.
+
+
+
+
+IAB, et al. Informational [Page 16]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ [RFC1123] Braden, R., "Requirements for Internet Hosts -
+ Application and Support", STD 3, RFC 1123,
+ October 1989.
+
+ [RFC1535] Gavron, E., "A Security Problem and Proposed
+ Correction With Widely Deployed DNS Software",
+ RFC 1535, October 1993.
+
+ [RFC2163] Allocchio, C., "Using the Internet DNS to Distribute
+ MIXER Conformant Global Address Mapping (MCGAM)",
+ RFC 2163, January 1998.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",
+ RFC 2672, August 1999.
+
+ [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the
+ KEY Resource Record (RR)", RFC 3445, December 2002.
+
+ [RFC3467] Klensin, J., "Role of the Domain Name System (DNS)",
+ RFC 3467, February 2003.
+
+ [RFC3761] Faltstrom, P. and M. Mealling, "The E.164 to Uniform
+ Resource Identifiers (URI) Dynamic Delegation
+ Discovery System (DDDS) Application (ENUM)",
+ RFC 3761, April 2004.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and
+ S. Rose, "DNS Security Introduction and
+ Requirements", RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and
+ S. Rose, "Resource Records for the DNS Security
+ Extensions", RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and
+ S. Rose, "Protocol Modifications for the DNS
+ Security Extensions", RFC 4035, March 2005.
+
+ [RFC4511] Sermersheim, J., "Lightweight Directory Access
+ Protocol (LDAP): The Protocol", RFC 4511, June 2006.
+
+ [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name
+ System", RFC 4592, July 2006.
+
+
+
+
+
+IAB, et al. Informational [Page 17]
+
+RFC 5507 Design Choices When Expanding the DNS April 2009
+
+
+ [RFC4871] Allman, E., Callas, J., Delany, M., Libbey, M.,
+ Fenton, J., and M. Thomas, "DomainKeys Identified
+ Mail (DKIM) Signatures", RFC 4871, May 2007.
+
+Authors' Addresses
+
+ Internet Architecture Board
+
+ EMail: iab@iab.org
+
+
+ Patrik Faltstrom (editor)
+
+ EMail: paf@cisco.com
+
+
+ Rob Austein (editor)
+
+ EMail: sra@isc.org
+
+
+ Peter Koch (editor)
+
+ EMail: pk@denic.de
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+IAB, et al. Informational [Page 18]
+
diff --git a/lib/dns/api b/lib/dns/api
index e5a8e69a..5ef8dc03 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
LIBINTERFACE = 51
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 1
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 4c19788d..aee824e5 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cache.c,v 1.80.50.2 2009/01/18 23:47:35 tbox Exp $ */
+/* $Id: cache.c,v 1.80.50.3 2009/05/06 23:34:30 jinmei Exp $ */
/*! \file */
@@ -174,6 +174,7 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
isc_result_t result;
dns_cache_t *cache;
int i;
+ isc_task_t *dbtask;
REQUIRE(cachep != NULL);
REQUIRE(*cachep == NULL);
@@ -229,6 +230,14 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
result = cache_create_db(cache, &cache->db);
if (result != ISC_R_SUCCESS)
goto cleanup_dbargv;
+ if (taskmgr != NULL) {
+ dbtask = NULL;
+ result = isc_task_create(taskmgr, 1, &dbtask);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_db;
+ dns_db_settask(cache->db, dbtask);
+ isc_task_detach(&dbtask);
+ }
cache->filename = NULL;
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 1356134d..9b4e9685 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dispatch.c,v 1.155.12.6 2009/01/31 00:38:25 marka Exp $ */
+/* $Id: dispatch.c,v 1.155.12.7 2009/04/28 21:39:45 jinmei Exp $ */
/*! \file */
@@ -808,7 +808,7 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
dispsocket_t *dispsock;
unsigned int nports;
in_port_t *ports;
- unsigned int bindoptions = 0;
+ unsigned int bindoptions;
dispportentry_t *portentry = NULL;
if (isc_sockaddr_pf(&disp->local) == AF_INET) {
@@ -858,6 +858,7 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
bucket = dns_hash(qid, dest, 0, port);
if (socket_search(qid, dest, port, bucket) != NULL)
continue;
+ bindoptions = 0;
portentry = port_search(disp, port);
if (portentry != NULL)
bindoptions |= ISC_SOCKET_REUSEADDRESS;
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
index 7692c1b6..bb61b9d4 100644
--- a/lib/dns/include/dns/events.h
+++ b/lib/dns/include/dns/events.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: events.h,v 1.49 2007/06/19 23:47:16 tbox Exp $ */
+/* $Id: events.h,v 1.49.332.2 2009/05/07 23:47:12 tbox Exp $ */
#ifndef DNS_EVENTS_H
#define DNS_EVENTS_H 1
@@ -68,6 +68,7 @@
#define DNS_EVENT_ACACHECONTROL (ISC_EVENTCLASS_DNS + 38)
#define DNS_EVENT_ACACHECLEAN (ISC_EVENTCLASS_DNS + 39)
#define DNS_EVENT_ACACHEOVERMEM (ISC_EVENTCLASS_DNS + 40)
+#define DNS_EVENT_RBTPRUNE (ISC_EVENTCLASS_DNS + 41)
#define DNS_EVENT_FIRSTEVENT (ISC_EVENTCLASS_DNS + 0)
#define DNS_EVENT_LASTEVENT (ISC_EVENTCLASS_DNS + 65535)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 1019cd44..9741c157 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbtdb.c,v 1.270.12.4 2009/03/05 04:57:40 marka Exp $ */
+/* $Id: rbtdb.c,v 1.270.12.6 2009/05/06 23:34:30 jinmei Exp $ */
/*! \file */
@@ -344,7 +344,7 @@ struct acachectl {
*/
#ifdef DNS_RBTDB_CACHE_NODE_LOCK_COUNT
#if DNS_RBTDB_CACHE_NODE_LOCK_COUNT <= 1
-#error "DNS_RBTDB_CACHE_NODE_LOCK_COUNT must be larger 1"
+#error "DNS_RBTDB_CACHE_NODE_LOCK_COUNT must be larger than 1"
#else
#define DEFAULT_CACHE_NODE_LOCK_COUNT DNS_RBTDB_CACHE_NODE_LOCK_COUNT
#endif
@@ -533,6 +533,7 @@ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
isc_stdtime_t now, isc_boolean_t tree_locked);
static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
rdatasetheader_t *newheader);
+static void prune_tree(isc_task_t *task, isc_event_t *event);
static dns_rdatasetmethods_t rdataset_methods = {
rdataset_disassociate,
@@ -1551,7 +1552,7 @@ new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
/*
* This function is assumed to be called when a node is newly referenced
* and can be in the deadnode list. In that case the node must be retrieved
- * from the list because the it is going to be used. In addition, if the caller
+ * from the list because it is going to be used. In addition, if the caller
* happens to hold a write lock on the tree, it's a good chance to purge dead
* nodes.
* Note: while a new reference is gained in multiple places, there are only very
@@ -1604,13 +1605,15 @@ reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
static isc_boolean_t
decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
rbtdb_serial_t least_serial,
- isc_rwlocktype_t nlock, isc_rwlocktype_t tlock)
+ isc_rwlocktype_t nlock, isc_rwlocktype_t tlock,
+ isc_boolean_t pruning)
{
isc_result_t result;
isc_boolean_t write_locked;
rbtdb_nodelock_t *nodelock;
unsigned int refs, nrefs;
int bucket = node->locknum;
+ isc_boolean_t no_reference;
nodelock = &rbtdb->node_locks[bucket];
@@ -1693,6 +1696,7 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
} else
write_locked = ISC_TRUE;
+ no_reference = ISC_TRUE;
if (write_locked && dns_rbtnode_refcurrent(node) == 0) {
/*
* We can now delete the node if the reference counter is
@@ -1701,35 +1705,97 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
* current thread locks the tree (e.g., in findnode()).
*/
- if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
- char printname[DNS_NAME_FORMATSIZE];
+ /*
+ * If this node is the only one in the level it's in, deleting
+ * this node may recursively make its parent the only node in
+ * the parent level; if so, and if no one is currently using
+ * the parent node, this is almost the only opportunity to
+ * clean it up. But the recursive cleanup is not that trivial
+ * since the child and parent may be in different lock buckets,
+ * which would cause a lock order reversal problem. To avoid
+ * the trouble, we'll dispatch a separate event for batch
+ * cleaning. We need to check whether we're deleting the node
+ * as a result of pruning to avoid infinite dispatching.
+ * Note: pruning happens only when a task has been set for the
+ * rbtdb. If the user of the rbtdb chooses not to set a task,
+ * it's their responsibility to purge stale leaves (e.g. by
+ * periodic walk-through).
+ */
+ if (!pruning && node->parent != NULL &&
+ node->parent->down == node && node->left == NULL &&
+ node->right == NULL && rbtdb->task != NULL) {
+ isc_event_t *ev;
+ dns_db_t *db;
+
+ ev = isc_event_allocate(rbtdb->common.mctx, NULL,
+ DNS_EVENT_RBTPRUNE,
+ prune_tree, node,
+ sizeof(isc_event_t));
+ if (ev != NULL) {
+ new_reference(rbtdb, node);
+ db = NULL;
+ attach((dns_db_t *)rbtdb, &db);
+ ev->ev_sender = db;
+ isc_task_send(rbtdb->task, &ev);
+ no_reference = ISC_FALSE;
+ } else {
+ /*
+ * XXX: this is a weird situation. We could
+ * ignore this error case, but then the stale
+ * node will unlikely be purged except via a
+ * rare condition such as manual cleanup. So
+ * we queue it in the deadnodes list, hoping
+ * the memory shortage is temporary and the node
+ * will be deleted later.
+ */
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE,
+ ISC_LOG_INFO,
+ "decrement_reference: failed to "
+ "allocate pruning event");
+ INSIST(!ISC_LINK_LINKED(node, deadlink));
+ ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node,
+ deadlink);
+ }
+ } else {
+ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+ char printname[DNS_NAME_FORMATSIZE];
+
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE,
+ ISC_LOG_DEBUG(1),
+ "decrement_reference: "
+ "delete from rbt: %p %s",
+ node,
+ dns_rbt_formatnodename(node,
+ printname,
+ sizeof(printname)));
+ }
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
- "decrement_reference: "
- "delete from rbt: %p %s",
- node,
- dns_rbt_formatnodename(node, printname,
- sizeof(printname)));
+ INSIST(!ISC_LINK_LINKED(node, deadlink));
+ if (node->nsec3)
+ result = dns_rbt_deletenode(rbtdb->nsec3, node,
+ ISC_FALSE);
+ else
+ result = dns_rbt_deletenode(rbtdb->tree, node,
+ ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE,
+ ISC_LOG_WARNING,
+ "decrement_reference: "
+ "dns_rbt_deletenode: %s",
+ isc_result_totext(result));
+ }
}
-
- INSIST(!ISC_LINK_LINKED(node, deadlink));
- if (node->nsec3)
- result = dns_rbt_deletenode(rbtdb->nsec3, node,
- ISC_FALSE);
- else
- result = dns_rbt_deletenode(rbtdb->tree, node,
- ISC_FALSE);
- if (result != ISC_R_SUCCESS)
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
- "decrement_reference: "
- "dns_rbt_deletenode: %s",
- isc_result_totext(result));
} else if (dns_rbtnode_refcurrent(node) == 0) {
INSIST(!ISC_LINK_LINKED(node, deadlink));
ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink);
- }
+ } else
+ no_reference = ISC_FALSE;
/* Restore the lock? */
if (nlock == isc_rwlocktype_read)
@@ -1746,7 +1812,71 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
if (write_locked)
isc_rwlock_downgrade(&rbtdb->tree_lock);
- return (ISC_TRUE);
+ return (no_reference);
+}
+
+/*
+ * Prune the tree by recursively cleaning-up single leaves. In the worst
+ * case, the number of iteration is the number of tree levels, which is at
+ * most the maximum number of domain name labels, i.e, 127. In practice, this
+ * should be much smaller (only a few times), and even the worst case would be
+ * acceptable for a single event.
+ */
+static void
+prune_tree(isc_task_t *task, isc_event_t *event) {
+ dns_rbtdb_t *rbtdb = event->ev_sender;
+ dns_rbtnode_t *node = event->ev_arg;
+ dns_rbtnode_t *parent;
+ unsigned int locknum;
+
+ UNUSED(task);
+
+ isc_event_free(&event);
+
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ locknum = node->locknum;
+ NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+ do {
+ parent = node->parent;
+ decrement_reference(rbtdb, node, 0, isc_rwlocktype_write,
+ isc_rwlocktype_write, ISC_TRUE);
+
+ if (parent != NULL && parent->down == NULL) {
+ /*
+ * node was the only down child of the parent and has
+ * just been removed. We'll then need to examine the
+ * parent. Keep the lock if possible; otherwise,
+ * release the old lock and acquire one for the parent.
+ */
+ if (parent->locknum != locknum) {
+ NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ locknum = parent->locknum;
+ NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ }
+
+ /*
+ * We need to gain a reference to the node before
+ * decrementing it in the next iteration. In addition,
+ * if the node is in the dead-nodes list, extract it
+ * from the list beforehand as we do in
+ * reactivate_node().
+ */
+ new_reference(rbtdb, parent);
+ if (ISC_LINK_LINKED(parent, deadlink)) {
+ ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
+ parent, deadlink);
+ }
+ } else
+ parent = NULL;
+
+ node = parent;
+ } while (node != NULL);
+ NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+
+ detach((dns_db_t **)&rbtdb);
}
static inline void
@@ -2163,8 +2293,8 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
NODE_UNLOCK(lock, isc_rwlocktype_write);
}
decrement_reference(rbtdb, header->node, least_serial,
- isc_rwlocktype_write,
- isc_rwlocktype_none);
+ isc_rwlocktype_write, isc_rwlocktype_none,
+ ISC_FALSE);
}
if (!EMPTY(cleanup_list)) {
@@ -2197,7 +2327,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
rollback_node(rbtnode, serial);
decrement_reference(rbtdb, rbtnode, least_serial,
isc_rwlocktype_write,
- isc_rwlocktype_write);
+ isc_rwlocktype_write, ISC_FALSE);
NODE_UNLOCK(lock, isc_rwlocktype_write);
@@ -3747,7 +3877,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
NODE_LOCK(lock, isc_rwlocktype_read);
decrement_reference(search.rbtdb, node, 0,
- isc_rwlocktype_read, isc_rwlocktype_none);
+ isc_rwlocktype_read, isc_rwlocktype_none,
+ ISC_FALSE);
NODE_UNLOCK(lock, isc_rwlocktype_read);
}
@@ -4525,7 +4656,8 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
NODE_LOCK(lock, isc_rwlocktype_read);
decrement_reference(search.rbtdb, node, 0,
- isc_rwlocktype_read, isc_rwlocktype_none);
+ isc_rwlocktype_read, isc_rwlocktype_none,
+ ISC_FALSE);
NODE_UNLOCK(lock, isc_rwlocktype_read);
}
@@ -4743,7 +4875,7 @@ detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
NODE_LOCK(&nodelock->lock, isc_rwlocktype_read);
if (decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
- isc_rwlocktype_none)) {
+ isc_rwlocktype_none, ISC_FALSE)) {
if (isc_refcount_current(&nodelock->references) == 0 &&
nodelock->exiting) {
inactive = ISC_TRUE;
@@ -7469,7 +7601,7 @@ dereference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
lock = &rbtdb->node_locks[node->locknum].lock;
NODE_LOCK(lock, isc_rwlocktype_read);
decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
- rbtdbiter->tree_locked);
+ rbtdbiter->tree_locked, ISC_FALSE);
NODE_UNLOCK(lock, isc_rwlocktype_read);
rbtdbiter->node = NULL;
@@ -7510,7 +7642,7 @@ flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
NODE_LOCK(lock, isc_rwlocktype_read);
decrement_reference(rbtdb, node, 0,
isc_rwlocktype_read,
- rbtdbiter->tree_locked);
+ rbtdbiter->tree_locked, ISC_FALSE);
NODE_UNLOCK(lock, isc_rwlocktype_read);
}
@@ -8446,6 +8578,6 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
decrement_reference(rbtdb, header->node, 0,
isc_rwlocktype_write,
tree_locked ? isc_rwlocktype_write :
- isc_rwlocktype_none);
+ isc_rwlocktype_none, ISC_FALSE);
}
}
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 39ff4bd1..a1c263e1 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.384.14.9 2009/02/27 23:05:22 marka Exp $ */
+/* $Id: resolver.c,v 1.384.14.12 2009/05/11 02:38:03 tbox Exp $ */
/*! \file */
@@ -4228,53 +4228,53 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
rdataset->trust = dns_trust_pending;
if (sigrdataset != NULL)
sigrdataset->trust = dns_trust_pending;
- if (!need_validation)
+ if (!need_validation || !ANSWER(rdataset)) {
addedrdataset = ardataset;
- else
- addedrdataset = NULL;
- result = dns_db_addrdataset(fctx->cache, node, NULL,
- now, rdataset, 0,
- addedrdataset);
- if (result == DNS_R_UNCHANGED) {
- result = ISC_R_SUCCESS;
- if (!need_validation &&
- ardataset != NULL &&
- ardataset->type == 0) {
- /*
- * The answer in the cache is better
- * than the answer we found, and is
- * a negative cache entry, so we
- * must set eresult appropriately.
- */
- if (NXDOMAIN(ardataset))
- eresult = DNS_R_NCACHENXDOMAIN;
- else
- eresult = DNS_R_NCACHENXRRSET;
- /*
- * We have a negative response from
- * the cache so don't attempt to
- * add the RRSIG rrset.
- */
- continue;
- }
- }
- if (result != ISC_R_SUCCESS)
- break;
- if (sigrdataset != NULL) {
- if (!need_validation)
- addedrdataset = asigrdataset;
- else
- addedrdataset = NULL;
- result = dns_db_addrdataset(fctx->cache,
- node, NULL, now,
- sigrdataset, 0,
- addedrdataset);
- if (result == DNS_R_UNCHANGED)
+ result = dns_db_addrdataset(fctx->cache, node,
+ NULL, now, rdataset,
+ 0, addedrdataset);
+ if (result == DNS_R_UNCHANGED) {
result = ISC_R_SUCCESS;
+ if (!need_validation &&
+ ardataset != NULL &&
+ ardataset->type == 0) {
+ /*
+ * The answer in the cache is
+ * better than the answer we
+ * found, and is a negative
+ * cache entry, so we must set
+ * eresult appropriately.
+ */
+ if (NXDOMAIN(ardataset))
+ eresult =
+ DNS_R_NCACHENXDOMAIN;
+ else
+ eresult =
+ DNS_R_NCACHENXRRSET;
+ /*
+ * We have a negative response
+ * from the cache so don't
+ * attempt to add the RRSIG
+ * rrset.
+ */
+ continue;
+ }
+ }
if (result != ISC_R_SUCCESS)
break;
- } else if (!ANSWER(rdataset))
- continue;
+ if (sigrdataset != NULL) {
+ addedrdataset = asigrdataset;
+ result = dns_db_addrdataset(fctx->cache,
+ node, NULL, now,
+ sigrdataset, 0,
+ addedrdataset);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ if (result != ISC_R_SUCCESS)
+ break;
+ } else if (!ANSWER(rdataset))
+ continue;
+ }
if (ANSWER(rdataset) && need_validation) {
if (fctx->type != dns_rdatatype_any &&
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index f141a102..03fca9ed 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sdb.c,v 1.66 2008/09/24 03:16:58 tbox Exp $ */
+/* $Id: sdb.c,v 1.66.48.2 2009/04/21 23:47:18 tbox Exp $ */
/*! \file */
@@ -880,9 +880,12 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
{
result = DNS_R_ZONECUT;
dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL)
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated
+ (sigrdataset)) {
dns_rdataset_disassociate
(sigrdataset);
+ }
} else
result = DNS_R_DELEGATION;
break;
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
index ec82c3e5..89cd0eea 100644
--- a/lib/dns/sdlz.c
+++ b/lib/dns/sdlz.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2005-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005-2009 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -50,7 +50,7 @@
* USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sdlz.c,v 1.18 2008/09/24 02:46:22 marka Exp $ */
+/* $Id: sdlz.c,v 1.18.50.2 2009/04/21 23:47:18 tbox Exp $ */
/*! \file */
@@ -844,9 +844,12 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
{
result = DNS_R_ZONECUT;
dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL)
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated
+ (sigrdataset)) {
dns_rdataset_disassociate
(sigrdataset);
+ }
} else
result = DNS_R_DELEGATION;
break;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 3ef6b6dd..c62b7141 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.164.12.5 2009/02/15 23:47:49 marka Exp $ */
+/* $Id: validator.c,v 1.164.12.9 2009/05/07 23:47:12 tbox Exp $ */
#include <config.h>
@@ -218,6 +218,37 @@ exit_check(dns_validator_t *val) {
return (ISC_TRUE);
}
+/*
+ * Check that we have atleast one supported algorithm in the DLV RRset.
+ */
+static inline isc_boolean_t
+dlv_algorithm_supported(dns_validator_t *val) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_dlv_t dlv;
+ isc_result_t result;
+
+ for (result = dns_rdataset_first(&val->dlv);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&val->dlv)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(&val->dlv, &rdata);
+ result = dns_rdata_tostruct(&rdata, &dlv, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ if (!dns_resolver_algorithm_supported(val->view->resolver,
+ val->event->name,
+ dlv.algorithm))
+ continue;
+
+ if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
+ dlv.digest_type != DNS_DSDIGEST_SHA1)
+ continue;
+
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
/*%
* Look in the NSEC record returned from a DS query to see if there is
* a NS RRset at this name. If it is found we are at a delegation point.
@@ -2963,19 +2994,36 @@ dlvfetched(isc_task_t *task, isc_event_t *event) {
sizeof(namebuf));
dns_rdataset_clone(&val->frdataset, &val->dlv);
val->havedlvsep = ISC_TRUE;
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
- dlv_validator_start(val);
+ if (dlv_algorithm_supported(val)) {
+ validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
+ namebuf);
+ dlv_validator_start(val);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "DLV %s found with no supported algorithms",
+ namebuf);
+ markanswer(val);
+ validator_done(val, ISC_R_SUCCESS);
+ }
} else if (eresult == DNS_R_NXRRSET ||
eresult == DNS_R_NXDOMAIN ||
eresult == DNS_R_NCACHENXRRSET ||
eresult == DNS_R_NCACHENXDOMAIN) {
- result = finddlvsep(val, ISC_TRUE);
+ result = finddlvsep(val, ISC_TRUE);
if (result == ISC_R_SUCCESS) {
- dns_name_format(dns_fixedname_name(&val->dlvsep),
- namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
- namebuf);
- dlv_validator_start(val);
+ if (dlv_algorithm_supported(val)) {
+ dns_name_format(dns_fixedname_name(&val->dlvsep),
+ namebuf, sizeof(namebuf));
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "DLV %s found", namebuf);
+ dlv_validator_start(val);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "DLV %s found with no supported "
+ "algorithms", namebuf);
+ markanswer(val);
+ validator_done(val, ISC_R_SUCCESS);
+ }
} else if (result == ISC_R_NOTFOUND) {
validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
markanswer(val);
@@ -3038,9 +3086,16 @@ startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
}
dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
- dlv_validator_start(val);
- return (DNS_R_WAIT);
+ if (dlv_algorithm_supported(val)) {
+ validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
+ dlv_validator_start(val);
+ return (DNS_R_WAIT);
+ }
+ validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
+ "algorithms", namebuf);
+ markanswer(val);
+ validator_done(val, ISC_R_SUCCESS);
+ return (ISC_R_SUCCESS);
}
/*%
@@ -3177,9 +3232,13 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
dns_name_t *secroot;
dns_name_t *tname;
char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_t *found;
+ dns_fixedname_t fixedfound;
dns_fixedname_init(&fixedsecroot);
secroot = dns_fixedname_name(&fixedsecroot);
+ dns_fixedname_init(&fixedfound);
+ found = dns_fixedname_name(&fixedfound);
if (val->havedlvsep)
dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
else {
@@ -3287,6 +3346,28 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
goto out;
return (DNS_R_WAIT);
}
+ /*
+ * Zones using NSEC3 don't return a NSEC RRset so
+ * we need to use dns_view_findzonecut2 to find
+ * the zone cut.
+ */
+ if (result == DNS_R_NXRRSET &&
+ !dns_rdataset_isassociated(&val->frdataset) &&
+ dns_view_findzonecut2(val->view, tname, found,
+ 0, 0, ISC_FALSE, ISC_FALSE,
+ NULL, NULL) == ISC_R_SUCCESS &&
+ dns_name_equal(tname, found)) {
+ if (val->mustbesecure) {
+ validator_log(val, ISC_LOG_WARNING,
+ "must be secure failure");
+ return (DNS_R_MUSTBESECURE);
+ }
+ if (val->view->dlv == NULL || DLVTRIED(val)) {
+ markanswer(val);
+ return (ISC_R_SUCCESS);
+ }
+ return (startfinddlvsep(val, tname));
+ }
if (val->frdataset.trust < dns_trust_secure) {
/*
* This shouldn't happen, since the negative
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 732566fc..423b0057 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.c,v 1.483.36.5 2009/03/13 01:38:51 marka Exp $ */
+/* $Id: zone.c,v 1.483.36.6 2009/03/26 22:57:07 marka Exp $ */
/*! \file */
@@ -9560,7 +9560,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
"removing journal file");
- if (remove(zone->journal) < 0) {
+ if (remove(zone->journal) < 0 && errno != ENOENT) {
char strbuf[ISC_STRERRORSIZE];
isc__strerror(errno, strbuf, sizeof(strbuf));
isc_log_write(dns_lctx,
diff --git a/lib/isc/alpha/include/isc/atomic.h b/lib/isc/alpha/include/isc/atomic.h
index 056d5fc3..bc1510ff 100644
--- a/lib/isc/alpha/include/isc/atomic.h
+++ b/lib/isc/alpha/include/isc/atomic.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: atomic.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: atomic.h,v 1.5.332.2 2009/04/08 06:47:32 tbox Exp $ */
/*
* This code was written based on FreeBSD's kernel source whose copyright
@@ -62,16 +62,20 @@
/*
* This routine atomically increments the value stored in 'p' by 'val', and
- * returns the previous value.
+ * returns the previous value. Memory access ordering around this function
+ * can be critical, so we add explicit memory block instructions at the
+ * beginning and the end of it (same for other functions).
*/
-static inline isc_int32_t
+static inline isc_int32_t
isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
- return (asm("1:"
+ return (asm("mb;"
+ "1:"
"ldl_l %t0, 0(%a0);" /* load old value */
"mov %t0, %v0;" /* copy the old value */
"addl %t0, %a1, %t0;" /* calculate new value */
"stl_c %t0, 0(%a0);" /* attempt to store */
- "beq %t0, 1b;", /* spin if failed */
+ "beq %t0, 1b;" /* spin if failed */
+ "mb;",
p, val));
}
@@ -80,11 +84,13 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
*/
static inline void
isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
- (void)asm("1:"
+ (void)asm("mb;"
+ "1:"
"ldl_l %t0, 0(%a0);" /* load old value */
"mov %a1, %t0;" /* value to store */
"stl_c %t0, 0(%a0);" /* attempt to store */
- "beq %t0, 1b;", /* spin if failed */
+ "beq %t0, 1b;" /* spin if failed */
+ "mb;",
p, val);
}
@@ -96,7 +102,8 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
static inline isc_int32_t
isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
- return(asm("1:"
+ return(asm("mb;"
+ "1:"
"ldl_l %t0, 0(%a0);" /* load old value */
"mov %t0, %v0;" /* copy the old value */
"cmpeq %t0, %a1, %t0;" /* compare */
@@ -104,22 +111,25 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
"mov %a2, %t0;" /* value to store */
"stl_c %t0, 0(%a0);" /* attempt to store */
"beq %t0, 1b;" /* if it failed, spin */
- "2:",
+ "2:"
+ "mb;",
p, cmpval, val));
}
#elif defined (ISC_PLATFORM_USEGCCASM)
-static inline isc_int32_t
+static inline isc_int32_t
isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
isc_int32_t temp, prev;
__asm__ volatile(
+ "mb;"
"1:"
"ldl_l %0, %1;" /* load old value */
"mov %0, %2;" /* copy the old value */
"addl %0, %3, %0;" /* calculate new value */
"stl_c %0, %1;" /* attempt to store */
"beq %0, 1b;" /* spin if failed */
- : "=&r"(temp), "+m"(*p), "=r"(prev)
+ "mb;"
+ : "=&r"(temp), "+m"(*p), "=&r"(prev)
: "r"(val)
: "memory");
@@ -131,11 +141,13 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
isc_int32_t temp;
__asm__ volatile(
+ "mb;"
"1:"
"ldl_l %0, %1;" /* load old value */
"mov %2, %0;" /* value to store */
"stl_c %0, %1;" /* attempt to store */
"beq %0, 1b;" /* if it failed, spin */
+ "mb;"
: "=&r"(temp), "+m"(*p)
: "r"(val)
: "memory");
@@ -146,6 +158,7 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
isc_int32_t temp, prev;
__asm__ volatile(
+ "mb;"
"1:"
"ldl_l %0, %1;" /* load old value */
"mov %0, %2;" /* copy the old value */
@@ -155,7 +168,8 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
"stl_c %0, %1;" /* attempt to store */
"beq %0, 1b;" /* if it failed, spin */
"2:"
- : "=&r"(temp), "+m"(*p), "=r"(prev)
+ "mb;"
+ : "=&r"(temp), "+m"(*p), "=&r"(prev)
: "r"(cmpval), "r"(val)
: "memory");
diff --git a/lib/isc/api b/lib/isc/api
index e5a8e69a..5ef8dc03 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
LIBINTERFACE = 51
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 1
diff --git a/lib/isc/hash.c b/lib/isc/hash.c
index 41bb8842..9911bdee 100644
--- a/lib/isc/hash.c
+++ b/lib/isc/hash.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,11 +15,11 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: hash.c,v 1.13 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: hash.c,v 1.13.332.3 2009/05/07 23:47:12 tbox Exp $ */
/*! \file
* Some portion of this code was derived from universal hash function
- * libraries of Rice University.
+ * libraries of Rice University.
\section license UH Universal Hashing Library
Copyright ((c)) 2002, Rice University
@@ -244,7 +244,7 @@ isc_hash_ctxinit(isc_hash_t *hctx) {
goto out;
if (hctx->entropy) {
- result = isc_entropy_getdata(hctx->entropy,
+ result = isc_entropy_getdata(hctx->entropy,
hctx->rndvector, hctx->vectorlen,
NULL, 0);
INSIST(result == ISC_R_SUCCESS);
@@ -276,7 +276,7 @@ isc_hash_ctxinit(isc_hash_t *hctx) {
void
isc_hash_init() {
INSIST(hash != NULL && VALID_HASH(hash));
-
+
isc_hash_ctxinit(hash);
}
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index f0a320e9..d09fe51a 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: socket.c,v 1.308.12.7 2009/02/16 00:24:04 marka Exp $ */
+/* $Id: socket.c,v 1.308.12.8 2009/04/18 01:29:26 jinmei Exp $ */
/*! \file */
@@ -1878,6 +1878,9 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
goto error;
}
+ memset(sock->name, 0, sizeof(sock->name));
+ sock->tag = NULL;
+
/*
* set up list of readers and writers to be initially empty
*/
@@ -2317,9 +2320,6 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
return (result);
}
- memset(sock->name, 0, sizeof(sock->name));
- sock->tag = NULL;
-
sock->references = 1;
*socketp = sock;
@@ -2525,11 +2525,14 @@ isc_socket_close(isc_socket_t *sock) {
type = sock->type;
fd = sock->fd;
sock->fd = -1;
+ memset(sock->name, 0, sizeof(sock->name));
+ sock->tag = NULL;
sock->listener = 0;
sock->connected = 0;
sock->connecting = 0;
sock->bound = 0;
isc_sockaddr_any(&sock->peer_address);
+
UNLOCK(&sock->lock);
closesocket(manager, sock, fd);
diff --git a/lib/lwres/api b/lib/lwres/api
index 2240cdda..39934b4f 100644
--- a/lib/lwres/api
+++ b/lib/lwres/api
@@ -1,3 +1,3 @@
LIBINTERFACE = 50
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
diff --git a/lib/lwres/getaddrinfo.c b/lib/lwres/getaddrinfo.c
index b5a2bcd8..fc53e63a 100644
--- a/lib/lwres/getaddrinfo.c
+++ b/lib/lwres/getaddrinfo.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* This code is derived from software contributed to ISC by
@@ -18,7 +18,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: getaddrinfo.c,v 1.52 2007/09/13 04:45:18 each Exp $ */
+/* $Id: getaddrinfo.c,v 1.52.254.2 2009/03/31 23:47:16 tbox Exp $ */
/*! \file */
@@ -31,10 +31,10 @@
* string: a dotted decimal IPv4 address or an IPv6 address. servname is
* either a decimal port number or a service name as listed in
* /etc/services.
- *
+ *
* If the operating system does not provide a struct addrinfo, the
* following structure is used:
- *
+ *
* \code
* struct addrinfo {
* int ai_flags; // AI_PASSIVE, AI_CANONNAME
@@ -47,29 +47,29 @@
* struct addrinfo *ai_next; // next structure in linked list
* };
* \endcode
- *
- *
+ *
+ *
* hints is an optional pointer to a struct addrinfo. This structure can
* be used to provide hints concerning the type of socket that the caller
* supports or wishes to use. The caller can supply the following
* structure elements in *hints:
- *
+ *
* <ul>
* <li>ai_family:
* The protocol family that should be used. When ai_family is set
* to PF_UNSPEC, it means the caller will accept any protocol
* family supported by the operating system.</li>
- *
+ *
* <li>ai_socktype:
* denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
* SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
* will accept any socket type.</li>
- *
+ *
* <li>ai_protocol:
* indicates which transport protocol is wanted: IPPROTO_UDP or
* IPPROTO_TCP. If ai_protocol is zero the caller will accept any
* protocol.</li>
- *
+ *
* <li>ai_flags:
* Flag bits. If the AI_CANONNAME bit is set, a successful call to
* lwres_getaddrinfo() will return a null-terminated string
@@ -81,7 +81,7 @@
* address portion of the socket address structure will be set to
* INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
* address.<br /><br />
- *
+ *
* When ai_flags does not set the AI_PASSIVE bit, the returned
* socket address structure will be ready for use in a call to
* connect(2) for a connection-oriented protocol or connect(2),
@@ -89,18 +89,18 @@
* chosen. The IP address portion of the socket address structure
* will be set to the loopback address if hostname is a NULL
* pointer and AI_PASSIVE is not set in ai_flags.<br /><br />
- *
+ *
* If ai_flags is set to AI_NUMERICHOST it indicates that hostname
* should be treated as a numeric string defining an IPv4 or IPv6
* address and no name resolution should be attempted.
* </li></ul>
- *
+ *
* All other elements of the struct addrinfo passed via hints must be
* zero.
- *
+ *
* A hints of NULL is treated as if the caller provided a struct addrinfo
* initialized to zero with ai_familyset to PF_UNSPEC.
- *
+ *
* After a successful call to lwres_getaddrinfo(), *res is a pointer to a
* linked list of one or more addrinfo structures. Each struct addrinfo
* in this list cn be processed by following the ai_next pointer, until a
@@ -109,7 +109,7 @@
* corresponding arguments for a call to socket(2). For each addrinfo
* structure in the list, the ai_addr member points to a filled-in socket
* address structure of length ai_addrlen.
- *
+ *
* All of the information returned by lwres_getaddrinfo() is dynamically
* allocated: the addrinfo structures, and the socket address structures
* and canonical host name strings pointed to by the addrinfostructures.
@@ -117,15 +117,15 @@
* successful call to lwres_getaddrinfo() is released by
* lwres_freeaddrinfo(). ai is a pointer to a struct addrinfo created by
* a call to lwres_getaddrinfo().
- *
+ *
* \section lwresreturn RETURN VALUES
- *
+ *
* lwres_getaddrinfo() returns zero on success or one of the error codes
* listed in gai_strerror() if an error occurs. If both hostname and
* servname are NULL lwres_getaddrinfo() returns #EAI_NONAME.
- *
+ *
* \section lwressee SEE ALSO
- *
+ *
* lwres(3), lwres_getaddrinfo(), lwres_freeaddrinfo(),
* lwres_gai_strerror(), RFC2133, getservbyname(3), connect(2),
* sendto(2), sendmsg(2), socket(2).
@@ -145,7 +145,7 @@
#define SA(addr) ((struct sockaddr *)(addr))
#define SIN(addr) ((struct sockaddr_in *)(addr))
#define SIN6(addr) ((struct sockaddr_in6 *)(addr))
-#define SUN(addr) ((struct sockaddr_un *)(addr))
+#define SLOCAL(addr) ((struct sockaddr_un *)(addr))
/*! \struct addrinfo
*/
@@ -162,7 +162,7 @@ static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
int socktype, int port);
static void set_order(int, int (**)(const char *, int, struct addrinfo **,
- int, int));
+ int, int));
#define FOUND_IPV4 0x1
#define FOUND_IPV6 0x2
@@ -384,7 +384,7 @@ lwres_getaddrinfo(const char *hostname, const char *servname,
scopeid = 0;
#endif
- if (lwres_net_pton(AF_INET, hostname, (struct in_addr *)abuf)
+ if (lwres_net_pton(AF_INET, hostname, (struct in_addr *)abuf)
== 1)
{
if (family == AF_INET6) {
@@ -709,17 +709,17 @@ lwres_freeaddrinfo(struct addrinfo *ai) {
static int
get_local(const char *name, int socktype, struct addrinfo **res) {
struct addrinfo *ai;
- struct sockaddr_un *sun;
+ struct sockaddr_un *slocal;
if (socktype == 0)
return (EAI_SOCKTYPE);
- ai = ai_alloc(AF_LOCAL, sizeof(*sun));
+ ai = ai_alloc(AF_LOCAL, sizeof(*slocal));
if (ai == NULL)
return (EAI_MEMORY);
- sun = SUN(ai->ai_addr);
- strncpy(sun->sun_path, name, sizeof(sun->sun_path));
+ slocal = SLOCAL(ai->ai_addr);
+ strncpy(slocal->sun_path, name, sizeof(slocal->sun_path));
ai->ai_socktype = socktype;
/*
diff --git a/version b/version
index de966cbf..10a1d31f 100644
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.43.12.3 2009/03/13 05:23:35 marka Exp $
+# $Id: version,v 1.43.12.4 2009/04/08 06:55:37 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -6,5 +6,5 @@
MAJORVER=9
MINORVER=6
PATCHVER=1
-RELEASETYPE=b
+RELEASETYPE=rc
RELEASEVER=1
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-20 23:18:58 +0000