mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-31 12:13:10 +00:00
Code Issues Releases Activity

Vendor import of BIND 9.4.2

Browse Source
This commit is contained in:
Doug Barton 2007-12-02 19:10:41 +00:00
parent 56a78b5211
commit 995ea97467
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/vendor/bind9/dist/; revision=174187
204 changed files with 25088 additions and 10227 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

285
contrib/bind9/CHANGES
View File

@ -1,5 +1,117 @@
--- 9.4.1-P1 released ---
--- 9.4.2 released ---
--- 9.4.2rc2 released ---
2259. [bug] Reverse incorrect LIBINTERFACE bump of libisc
in 9.4.2rc1. Applications built against 9.4.2rc1
will need to be rebuilt.
2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
[RT #17241]
2257. [bug] win32: Use the full path to vcredist_x86.exe when
calling it. [RT #17222]
2256. [bug] win32: Correctly register the installation location of
bindevt.dll. [RT #17159]
2255. [bug] L.ROOT-SERVERS.NET is now 199.7.83.42.
2254. [bug] timer.c:dispatch() failed to lock timer->lock
when reading timer->idle allowing it to see
intermediate values as timer->idle was reset by
isc_timer_touch(). [RT #17243]
--- 9.4.2rc1 released ---
2251. [doc] Update memstatistics-file documentation to reflect
reality. Note there is behaviour change for BIND 9.5.
[RT #17113]
2249. [bug] Only set Authentic Data bit if client requested
DNSSEC, per RFC 3655 [RT #17175]
2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
2245. [bug] Validating lack of DS records at trust anchors wasn't
working. [RT #17151]
2238. [bug] It was possible to trigger a REQUIRE when a
validation was cancelled. [RT #17106]
2237. [bug] libbind: res_init() was not thread aware. [RT #17123]
2236. [bug] dnssec-signzone failed to preserve the case of
of wildcard owner names. [RT #17085]
2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
2232. [bug] dns_adb_findaddrinfo() could fail and return
ISC_R_SUCCESS. [RT #17137]
2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
[RT #17088]
2230. [bug] We could INSIST reading a corrupted journal.
[RT #17132]
2228. [contrib] contrib: Change 2188 was incomplete.
2227. [cleanup] Tidied up the FAQ. [RT #17121]
2225. [bug] More support for systems with no IPv4 addresses.
[RT #17111]
2224. [bug] Defer journal compaction if a xfrin is in progress.
[RT #17119]
2223. [bug] Make a new journal when compacting. [RT #17119]
2221. [bug] Set the event result code to reflect the actual
record returned to caller when a cache update is
rejected due to a more credible answer existing.
[RT #17017]
2220. [bug] win32: Address a race condition in final shutdown of
the Windows socket code. [RT #17028]
2219. [bug] Apply zone consistancy checks to additions, not
removals, when updating. [RT #17049]
2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
[RT #16976]
2216. [cleanup] Fix a number of errors reported by Coverity.
[RT #17094]
2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
2214. [bug] Deregister OpenSSL lock callback when cleaning
up. Reorder OpenSSL cleanup so that RAND_cleanup()
is called before the locks are destroyed. [RT #17098]
2213. [bug] SIG0 diagnostic failure messages were looking at the
wrong status code. [RT #17101]
2212. [func] 'host -m' now causes memory statistics and active
memory to be printed at exit. [RT 17028]
2210. [bug] Deleting class specific records via UPDATE could
fail. [RT #17074]
2209. [port] osx: linking against user supplied static OpenSSL
libraries failed as the system ones were still being
found. [RT #17078]
2208. [port] win32: make sure both build methods produce the
same output. [RT #17058]
2207. [port] Some implementations of getaddrinfo() fail to set
ai_canonname correctly. [RT #17061]
--- 9.4.2b1 released ---
2206. [security] "allow-query-cache" and "allow-recursion" now
cross inherit from each other.
@ -16,12 +128,32 @@
[RT #16987]
2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
2203. [security] Query id generation was cryptographically weak.
[RT # 16915]
2202. [security] The default acls for allow-query-cache and
allow-recursion were not being applied. [RT #16960]
2200. [bug] The search for cached NSEC records was stopping to
early leading to excessive DLV queries. [RT #16930]
2199. [bug] win32: don't call WSAStartup() while loading dlls.
[RT #16911]
2198. [bug] win32: RegCloseKey() could be called when
RegOpenKeyEx() failed. [RT #16911]
2197. [bug] Add INSIST to catch negative responses which are
not setting the event result code appropriately.
[RT #16909]
2196. [port] win32: yield processor while waiting for once to
to complete. [RT #16958]
2194. [bug] Close journal before calling 'done' in xfrin.c.
2193. [port] win32: BINDInstall.exe is now linked statically.
[RT #16906]
@ -29,6 +161,145 @@
Studio's redistributable dlls if building with
Visual Stdio 2005 or later.
2189. [bug] Handle socket() returning EINTR. [RT #15949]
2188. [contrib] queryperf: autoconf changes to make the search for
libresolv or libbind more robust. [RT #16299]
2187. [bug] query_addds(), query_addwildcardproof() and
query_addnxrrsetnsec() should take a version
arguement. [RT #16368]
2186. [port] cygwin: libbind: check for struct sockaddr_storage
independently of IPv6. [RT #16482]
2185. [port] sunos: libbind: check for ssize_t, memmove() and
memchr(). [RT #16463]
2183. [bug] dnssec-signzone didn't handle offline private keys
well. [RT #16832]
2182. [bug] dns_dispatch_createtcp() and dispatch_createudp()
could return ISC_R_SUCCESS when they ran out of
memory. [RT #16365]
2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462]
2180. [cleanup] Remove bit test from 'compress_test' as they
are no longer needed. [RT #16497]
2178. [bug] 'rndc reload' of a slave or stub zone resulted in
a reference leak. [RT #16867]
2177. [bug] Array bounds overrun on read (rcodetext) at
debug level 10+. [RT #16798]
2176. [contrib] dbus update to handle race condition during
initialisation (Bugzilla 235809). [RT #16842]
2175. [bug] win32: windows broadcast condition variable support
was broken. [RT #16592]
2174. [bug] I/O errors should always be fatal when reading
master files. [RT #16825]
2173. [port] win32: When compiling with MSVS 2005 SP1 we also
need to ship Microsoft.VC80.MFCLOC.
2171. [bug] Handle breaks in DNSSEC trust chains where the parent
servers are not DS aware (DS queries to the parent
return a referral to the child).
2170. [func] Add acache processing to test suite. [RT #16711]
2169. [bug] host, nslookup: when reporting NXDOMAIN report the
given name and not the last name searched for.
[RT #16763]
2168. [bug] nsupdate: in non-interactive mode treat syntax errors
as fatal errors. [RT #16785]
2167. [bug] When re-using a automatic zone named failed to
attach it to the new view. [RT #16786]
2166. [bug] When running in batch mode, dig could misinterpret
a server address as a name to be looked up, causing
unexpected output. [RT #16743]
2164. [bug] The code to determine how named-checkzone /
named-compilezone was called failed under windows.
[RT #16764]
2162. [func] Allow "rrset-order fixed" to be disabled at compile
time. [RT #16665]
2161. [bug] 'rndc flush' could report a false success. [RT #16698]
2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
from getifaddrs(). [RT #16708]
2159. [bug] Array bounds overrun in acache processing. [RT #16710]
2158. [bug] ns_client_isself() failed to initialise key
leading to a REQUIRE failure. [RT #16688]
2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
resolver.c:validated() and resolver.c:cache_name().
Fix a memory leak in rbtdb.c:free_noqname().
Make lookup.c:lookup_find() robust against
event leaks. [RT #16685]
2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
[RT #16694]
2153. [bug] nsupdate could leak memory. [RT #16691]
2152. [cleanup] Use sizeof(buf) instead of fixed number in
dighost.c:get_trusted_key(). [RT #16678]
2151. [bug] Missing newline in usage message for journalprint.
[RT #16679]
2150. [bug] 'rrset-order cyclic' uniformly distribute the
starting point for the first response for a given
RRset. [RT #16655]
2149. [bug] isc_mem_checkdestroyed() failed to abort on
if there were still active memory contexts.
[RT #16672]
2147. [bug] libbind: remove potential buffer overflow from
hmac_link.c. [RT #16437]
2146. [cleanup] Silence Linux's spurious "obsolete setsockopt
SO_BSDCOMPAT" message. [RT #16641]
2145. [bug] Check DS/DLV digest lengths for known digests.
[RT #16622]
2144. [cleanup] Suppress logging of SERVFAIL from forwarders.
[RT #16619]
2143. [bug] We failed to restart the IPv6 client when the
kernel failed to return the destination the
packet was sent to. [RT #16613]
2142. [bug] Handle master files with a modification time that
matches the epoch. [RT# 16612]
2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN
equivalent of LDH checks). [RT #16609]
2140. [bug] libbind: missing unlock on pthread_key_create()
failures. [RT #16654]
2139. [bug] dns_view_find() was being called with wrong type
in adb.c. [RT #16670]
2119. [compat] libbind: allow res_init() to succeed enough to
return the default domain even if it was unable
to allocate memory.
--- 9.4.1 released ---
2172. [bug] query_addsoa() was being called with a non zone db.
@ -524,7 +795,7 @@
hex strings with comments. [RT #15814]
1974. [doc] List each of the zone types and associated zone
options seperately in the ARM.
options separately in the ARM.
1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
HMACSHA512 support. [RT #13606]
@ -551,7 +822,7 @@
1965. [func] Suppress spurious "recusion requested but not
available" warning with 'dig +qr'. [RT #15780].
1964. [func] Seperate out MX and SRV to CNAME checks. [RT #15723]
1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
1963. [port] Tru64 4.0E doesn't support send() and recv().
[RT #15586]
@ -771,7 +1042,7 @@
1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
ISC_NETADDR_FORMATSIZE to allow for scope details.
1897. [func] x86 and x86_64 now have seperate atomic locking
1897. [func] x86 and x86_64 now have separate atomic locking
implementations.
1896. [bug] Recursive clients soft quota support wasn't working
@ -825,7 +1096,7 @@
[RT #14892]
1878. [func] Detect duplicates of UDP queries we are recursing on
and drop them. New stats category "duplicates".
and drop them. New stats category "duplicate".
[RT #2471]
1877. [bug] Fix unreasonably low quantum on call to
@ -1769,7 +2040,7 @@
[RT #6427]
1555. [func] 'rrset-order cyclic' no longer has a random starting
point. [RT #7572]
point per query. [RT #7572]
1554. [bug] dig, host, nslookup failed when no nameservers
were specified in /etc/resolv.conf. [RT #8232]
@ -6250,7 +6521,7 @@
and has been removed.
170. [cleanup] Remove inter server consistancy checks from zone,
these should return as a seperate module in 9.1.
these should return as a separate module in 9.1.
dns_zone_checkservers(), dns_zone_checkparents(),
dns_zone_checkchildren(), dns_zone_checkglue().

4
contrib/bind9/COPYRIGHT
View File

@ -1,7 +1,7 @@
Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2003 Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
$Id: COPYRIGHT,v 1.9.18.3 2007/01/08 02:41:59 marka Exp $
$Id: COPYRIGHT,v 1.9.18.4 2007/08/28 07:19:54 tbox Exp $
Portions Copyright (C) 1996-2001 Nominum, Inc.

862
contrib/bind9/FAQ
View File

File diff suppressed because it is too large Load Diff

1032
contrib/bind9/FAQ.xml
View File

File diff suppressed because it is too large Load Diff

127
contrib/bind9/FREEBSD-Upgrade
View File

@ -1,17 +1,120 @@
# $FreeBSD$
#
# Bug trhodes@ and des@ to actually throw some text in here.
#
while read pattern ; do rm -rf $pattern ; done <FREEBSD-Xlist
sed -i.orig -e '/\/tests/d; /docutil/d;' configure.in Makefile.in */Makefile.in
FreeBSD maintainer's guide to updating BIND 9
=============================================
autoconf253
1) Obtain the latest source distribution from the ISC's FTP server
(ftp://ftp.isc.org/isc/bind9/)
autoheader253
2) Unpack the tarball in a suitable directory, and cd into the new
source directory.
./configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man \
--enable-threads --enable-libbind --disable-ipv6 \
--enable-getifaddrs --disable-linux-caps \
--with-openssl=/usr --with-randomdev=/dev/random
3) Remove unwanted files and directories:
$ while read pattern ; do rm -rf $pattern ; done \
</usr/src/contrib/bind9/FREEBSD-Xlist
Make sure that took care of everything, and if it didn't, make sure
to update FREEBSD-Xlist so you won't miss it the next time. A good
way to do this is to run a test import and see if any new files
show up:
$ cvs -q -n import src/contrib/bind9 ISC x | grep \^N
4) Import the sources:
$ cvs import -m "Vendor import of BIND 9.X.Y" \
src/contrib/bind9 ISC BIND_9_X_Y
5) Resolve conflicts.
As of 2 June 2007, we have no local patches against BIND 9; thus
there are no conflicts to merge. This may change at a later date.
5a) Remove any files that are no longer in the tarball from the vendor branch.
6) Remove any references to the {bin,lib}/tests and docutil
directories from the configure and Makefile templates:
$ sed -i.orig -e '/\/tests/d; /docutil/d; /\/xsl/d;' \
configure.in Makefile.in */Makefile.in
Please do not commit this change, as it would unnecessarily take
files off the vendor branch. You only need this to generate
config.h.
7) Generate and run configure:
$ aclocal
$ autoheader
$ autoconf
$ ./configure --prefix=/usr \
--infodir=/usr/share/info --mandir=/usr/share/man \
--enable-threads --enable-libbind --disable-ipv6 \
--enable-getifaddrs --disable-linux-caps \
--with-openssl=/usr --with-randomdev=/dev/random
Note that we intentionally disable IPv6 support on the configure
command line; src/lib/bind/config.mk will re-enable it at compile
time if WITHOUT_INET6 is not defined.
8) Copy the following generated files to src/lib/bind and commit them:
Path in src/contrib/bind9 Path in src/lib/bind
------------------------------------------------------------
s=/usr/src/lib/bind
cp config.h ${s}/config.h
cp lib/bind/config.h ${s}/bind/config.h
cp lib/bind/port_after.h ${s}/bind/port_after.h
cp lib/bind/port_before.h ${s}/bind/port_before.h
cp lib/isc/include/isc/platform.h ${s}/isc/isc/platform.h
cp lib/lwres/include/lwres/netdb.h ${s}/lwres/lwres/netdb.h
cp lib/lwres/include/lwres/platform.h ${s}/lwres/lwres/platform.h
Do not commit any other file that was modified or created in
steps 6) or 7).
9) cd src/lib/bind/dns && make -DMAINTAINER_MODE generate && rm gen
Commit the new versions of the files generated.
The following directories contain Makefiles for bits and pieces of
BIND 9:
FreeBSD directory ISC directory
========================================================
src/lib/bind bind9/lib
src/lib/bind/bind bind9/lib/bind
src/lib/bind/bind9 bind9/lib/bind9
src/lib/bind/dns bind9/lib/dns
src/lib/bind/isc bind9/lib/isc
src/lib/bind/isccc bind9/lib/isccc
src/lib/bind/isccfg bind9/lib/isccfg
src/lib/bind/lwres bind9/lib/lwres
src/share/doc/bind9 bind9/doc/{arm,misc}
src/usr.bin/dig bind9/bin/dig
src/usr.bin/host bind9/bin/dig
src/usr.bin/nslookup bind9/bin/dig
src/usr.bin/nsupdate bind9/bin/nsupdate
src/usr.sbin/dnssec-keygen bind9/bin/dnssec
src/usr.sbin/dnssec-signzone bind9/bin/dnssec
src/usr.sbin/named bind9/bin/named
src/usr.sbin/named-checkconf bind9/bin/check
src/usr.sbin/named-checkzone bind9/bin/check
src/usr.sbin/rndc bind9/bin/rndc
src/usr.sbin/rndc-confgen bind9/bin/rndc
Make sure that the lists of sources, headers and man pages in each
FreeBSD Makefile accurately reflects those in the corresponding ISC
Makefile. Please strive to keep those lists in the same order and
with line breaks in the same places to ease future comparisons.
A) Build and test.
B) Lather, rinse, repeat.
C) Commit when everything builds cleanly and works properly.
-- des@FreeBSD.org
-- dougb@FreeBSD.org
$FreeBSD$

12
contrib/bind9/FREEBSD-Xlist
View File

@ -3,12 +3,19 @@
# Misc. stuff
.cvsignore
aclocal.m4
bin/tests
config.h.in
configure
contrib
docutil
# Tests
bin/tests
lib/tests
# Doc stuff
doc/arm/latex-fixup.pl
doc/xsl
# Windows directories
bin/check/win32
bin/dig/win32
@ -29,8 +36,7 @@ lib/win32
win32utils
# Various ports to other OSs
lib/bind/port/aix32
lib/bind/port/aix4
lib/bind/port/aix*
lib/bind/port/aux3
lib/bind/port/bsdos
lib/bind/port/bsdos2

8
contrib/bind9/Makefile.in
View File

@ -1,7 +1,7 @@
# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.43.18.4 2006/05/19 00:04:01 marka Exp $
# $Id: Makefile.in,v 1.43.18.6 2007/09/03 23:46:21 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -61,7 +61,7 @@ test:
FAQ: FAQ.xml
${XSLTPROC} doc/xsl/isc-docbook-text.xsl FAQ.xml | \
${W3M} -T text/html -dump >$@.tmp
LC_ALL=C ${W3M} -T text/html -dump -cols 72 >$@.tmp
mv $@.tmp $@
clean::

32
contrib/bind9/README
View File

@ -43,16 +43,19 @@ BIND 9
Nominum, Inc.
BIND 9.4.1-P1
BIND 9.4.2
BIND 9.4.1-P1 is a security release, containing a fixes for a
security bugs in BIND 9.4.1.
BIND 9.4.2 is a maintenance release, containing fixes for
a number of bugs in 9.4.1.
Warning: If you installed BIND 9.4.2rc1 then any applications
linked against this release candidate will need to be rebuilt.
BIND 9.4.1
BIND 9.4.1 is a security release, containing a fix for a
security bug in 9.4.0.
BIND 9.4.1 is a security release, containing a fix for
a security bugs in 9.4.0.
BIND 9.4.0
BIND 9.4.0 has a number of new features over 9.3,
@ -74,7 +77,9 @@ BIND 9.4.0
used to specify the default zone access level rather than
having to have every zone override the global value.
allow-query-cache can be set at both the options and view
levels. If allow-query-cache is not set allow-query applies.
levels. If allow-query-cache is not set then allow-recursion
is used if set, otherwise allow-query is used if set, otherwise
the default (localhost; localnets;) is used.
rndc: the source address can now be specified.
@ -418,7 +423,7 @@ Building
We've had successful builds and tests on the following systems:
COMPAQ Tru64 UNIX 5.1B
FreeBSD 4.10, 5.2.1
FreeBSD 4.10, 5.2.1, 6.2
HP-UX 11.11
NetBSD 1.5
Slackware Linux 8.1
@ -475,6 +480,8 @@ Building
-DDIG_SIGCHASE_BU=1)
Disable dropping queries from particular well known ports.
-DNS_CLIENT_DROPPORT=0
Disable support for "rrset-order fixed".
-DDNS_RDATASET_FIXED=0
LDFLAGS
Linker flags. Defaults to empty string.
@ -587,9 +594,8 @@ Bug Reports and Mailing Lists
http://www.isc.org/ops/lists/
If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.
Send mail to
bind-workers-request@isc.org
code, you might want to join the BIND Forum as a Worker.
This gives you access to the bind-workers@isc.org mailing
list and pre-release access to the code.
http://www.isc.org/sw/guild/bf/

45
contrib/bind9/bin/check/check-tool.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,14 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check-tool.c,v 1.10.18.14 2006/06/08 01:43:00 marka Exp $ */
/* $Id: check-tool.c,v 1.10.18.18 2007/09/13 05:04:01 each Exp $ */
/*! \file */
#include <config.h>
#include <stdio.h>
#include <string.h>
#include "check-tool.h"
#include <isc/util.h>
@ -33,6 +32,7 @@
#include <isc/netdb.h>
#include <isc/region.h>
#include <isc/stdio.h>
#include <isc/string.h>
#include <isc/types.h>
#include <dns/fixedname.h>
@ -130,7 +130,16 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
switch (result) {
case 0:
if (strcasecmp(ai->ai_canonname, namebuf) != 0) {
/*
* Work around broken getaddrinfo() implementations that
* fail to set ai_canonname on first entry.
*/
cur = ai;
while (cur != NULL && cur->ai_canonname == NULL &&
cur->ai_next != NULL)
cur = cur->ai_next;
if (cur != NULL && cur->ai_canonname != NULL &&
strcasecmp(ai->ai_canonname, namebuf) != 0) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' (out of zone) "
"is a CNAME (illegal)",
@ -268,7 +277,7 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
static isc_boolean_t
checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
#ifdef USE_GETADDRINFO
struct addrinfo hints, *ai;
struct addrinfo hints, *ai, *cur;
char namebuf[DNS_NAME_FORMATSIZE + 1];
char ownerbuf[DNS_NAME_FORMATSIZE];
int result;
@ -293,7 +302,16 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
switch (result) {
case 0:
if (strcasecmp(ai->ai_canonname, namebuf) != 0) {
/*
* Work around broken getaddrinfo() implementations that
* fail to set ai_canonname on first entry.
*/
cur = ai;
while (cur != NULL && cur->ai_canonname == NULL &&
cur->ai_next != NULL)
cur = cur->ai_next;
if (cur != NULL && cur->ai_canonname != NULL &&
strcasecmp(cur->ai_canonname, namebuf) != 0) {
if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0)
level = ISC_LOG_WARNING;
if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
@ -332,7 +350,7 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
static isc_boolean_t
checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
#ifdef USE_GETADDRINFO
struct addrinfo hints, *ai;
struct addrinfo hints, *ai, *cur;
char namebuf[DNS_NAME_FORMATSIZE + 1];
char ownerbuf[DNS_NAME_FORMATSIZE];
int result;
@ -357,7 +375,16 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
switch (result) {
case 0:
if (strcasecmp(ai->ai_canonname, namebuf) != 0) {
/*
* Work around broken getaddrinfo() implementations that
* fail to set ai_canonname on first entry.
*/
cur = ai;
while (cur != NULL && cur->ai_canonname == NULL &&
cur->ai_next != NULL)
cur = cur->ai_next;
if (cur != NULL && cur->ai_canonname != NULL &&
strcasecmp(cur->ai_canonname, namebuf) != 0) {
if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0)
level = ISC_LOG_WARNING;
if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {

7
contrib/bind9/bin/check/named-checkconf.8
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: named-checkconf.8,v 1.16.18.11 2007/01/30 00:23:44 marka Exp $
.\" $Id: named-checkconf.8,v 1.16.18.13 2007/06/20 02:26:58 marka Exp $
.\"
.hy 0
.ad l
@ -42,7 +42,7 @@ checks the syntax, but not the semantics, of a named configuration file.
.PP
\-t \fIdirectory\fR
.RS 4
chroot to
Chroot to
\fIdirectory\fR
so that include directives in the configuration file are processed as if run by a similarly chrooted named.
.RE
@ -56,7 +56,7 @@ program and exit.
.PP
\-z
.RS 4
Perform a check load the master zonefiles found in
Perform a test load of all master zones found in
\fInamed.conf\fR.
.RE
.PP
@ -77,6 +77,7 @@ returns an exit status of 1 if errors were detected and 0 otherwise.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed\-checkzone\fR(8),
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"
.PP

13
contrib/bind9/bin/check/named-checkconf.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named-checkconf.docbook,v 1.8.18.7 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: named-checkconf.docbook,v 1.8.18.10 2007/08/28 07:19:55 tbox Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
@ -77,7 +77,7 @@
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
chroot to <filename>directory</filename> so that
Chroot to <filename>directory</filename> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted named.
@ -99,8 +99,8 @@
<term>-z</term>
<listitem>
<para>
Perform a check load the master zonefiles found in
<filename>named.conf</filename>.
Perform a test load of all master zones found in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
@ -141,6 +141,9 @@
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>

15
contrib/bind9/bin/check/named-checkconf.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named-checkconf.html,v 1.9.18.18 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: named-checkconf.html,v 1.9.18.20 2007/06/20 02:26:58 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -43,7 +43,7 @@
<div class="variablelist"><dl>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
chroot to <code class="filename">directory</code> so that
Chroot to <code class="filename">directory</code> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted named.
@ -55,8 +55,8 @@
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Perform a check load the master zonefiles found in
<code class="filename">named.conf</code>.
Perform a test load of all master zones found in
<code class="filename">named.conf</code>.
</p></dd>
<dt><span class="term">-j</span></dt>
<dd><p>
@ -70,20 +70,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543488"></a><h2>RETURN VALUES</h2>
<a name="id2543489"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543499"></a><h2>SEE ALSO</h2>
<a name="id2543500"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543521"></a><h2>AUTHOR</h2>
<a name="id2543530"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

11
contrib/bind9/bin/check/named-checkzone.8
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: named-checkzone.8,v 1.18.18.20 2007/01/30 00:23:44 marka Exp $
.\" $Id: named-checkzone.8,v 1.18.18.23 2007/06/20 02:26:58 marka Exp $
.\"
.hy 0
.ad l
@ -48,7 +48,7 @@ useful for checking zone files before configuring them into a name server.
\fBnamed\-compilezone\fR
is similar to
\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
\fBnamed\fR. When manaully specified otherwise, the check levels must at least be as strict as those specified in the
\fBnamed\fR. When manually specified otherwise, the check levels must at least be as strict as those specified in the
\fBnamed\fR
configuration file.
.SH "OPTIONS"
@ -82,7 +82,7 @@ Specify the class of the zone. If not specified "IN" is assumed.
.PP
\-i \fImode\fR
.RS 4
Perform post load zone integrity checks. Possible modes are
Perform post\-load zone integrity checks. Possible modes are
\fB"full"\fR
(default),
\fB"full\-sibling"\fR,
@ -105,7 +105,7 @@ only checks SRV records which refer to in\-zone hostnames.
.sp
Mode
\fB"full"\fR
checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue addresses records in the zone match those advertised by the child. Mode
checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode
\fB"local"\fR
only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.
.sp
@ -213,7 +213,7 @@ Check if a SRV record refers to a CNAME. Possible modes are
.PP
\-t \fIdirectory\fR
.RS 4
chroot to
Chroot to
\fIdirectory\fR
so that include directives in the configuration file are processed as if run by a similarly chrooted named.
.RE
@ -256,6 +256,7 @@ returns an exit status of 1 if errors were detected and 0 otherwise.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed\-checkconf\fR(8),
RFC 1035,
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"

8
contrib/bind9/bin/check/named-checkzone.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named-checkzone.c,v 1.29.18.16 2006/10/05 05:24:35 marka Exp $ */
/* $Id: named-checkzone.c,v 1.29.18.19 2007/08/28 07:19:55 tbox Exp $ */
/*! \file */
@ -109,6 +109,8 @@ main(int argc, char **argv) {
outputstyle = &dns_master_style_full;
prog_name = strrchr(argv[0], '/');
if (prog_name == NULL)
prog_name = strrchr(argv[0], '\\');
if (prog_name != NULL)
prog_name++;
else

15
contrib/bind9/bin/check/named-checkzone.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named-checkzone.docbook,v 1.11.18.17 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: named-checkzone.docbook,v 1.11.18.21 2007/08/28 07:19:55 tbox Exp $ -->
<refentry id="man.named-checkzone">
<refentryinfo>
<date>June 13, 2000</date>
@ -117,7 +117,7 @@
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <command>named</command>.
When manaully specified otherwise, the check levels must at
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<command>named</command> configuration file.
</para>
@ -177,7 +177,7 @@
<term>-i <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Perform post load zone integrity checks. Possible modes are
Perform post-load zone integrity checks. Possible modes are
<command>"full"</command> (default),
<command>"full-sibling"</command>,
<command>"local"</command>,
@ -199,7 +199,7 @@
<para>
Mode <command>"full"</command> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue addresses records
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <command>"local"</command> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
@ -342,7 +342,7 @@
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
chroot to <filename>directory</filename> so that
Chroot to <filename>directory</filename> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted named.
@ -422,6 +422,9 @@
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>RFC 1035</citetitle>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>

13
contrib/bind9/bin/check/named-checkzone.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named-checkzone.html,v 1.11.18.27 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: named-checkzone.html,v 1.11.18.30 2007/06/20 02:26:58 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -47,7 +47,7 @@
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <span><strong class="command">named</strong></span>.
When manaully specified otherwise, the check levels must at
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<span><strong class="command">named</strong></span> configuration file.
</p>
@ -79,7 +79,7 @@
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Perform post load zone integrity checks. Possible modes are
Perform post-load zone integrity checks. Possible modes are
<span><strong class="command">"full"</strong></span> (default),
<span><strong class="command">"full-sibling"</strong></span>,
<span><strong class="command">"local"</strong></span>,
@ -101,7 +101,7 @@
<p>
Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue addresses records
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <span><strong class="command">"local"</strong></span> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
@ -195,7 +195,7 @@
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
chroot to <code class="filename">directory</code> so that
Chroot to <code class="filename">directory</code> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted named.
@ -242,12 +242,13 @@
<div class="refsect1" lang="en">
<a name="id2544311"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544336"></a><h2>AUTHOR</h2>
<a name="id2544344"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

26
contrib/bind9/bin/dig/dig.1
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dig.1,v 1.23.18.19 2007/01/30 00:23:44 marka Exp $
.\" $Id: dig.1,v 1.23.18.22 2007/05/16 06:11:27 marka Exp $
.\"
.hy 0
.ad l
@ -50,7 +50,7 @@ Although
\fBdig\fR
is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the
\fB\-h\fR
option is given. Unlike earlier versions, the BIND9 implementation of
option is given. Unlike earlier versions, the BIND 9 implementation of
\fBdig\fR
allows multiple lookups to be issued from the command line.
.PP
@ -128,14 +128,14 @@ The default query class (IN for internet) is overridden by the
\fB\-c\fR
option.
\fIclass\fR
is any valid class, such as HS for Hesiod records or CH for CHAOSNET records.
is any valid class, such as HS for Hesiod records or CH for Chaosnet records.
.PP
The
\fB\-f\fR
option makes
\fBdig \fR
operate in batch mode by reading a list of lookup requests to process from the file
\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to
\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to
\fBdig\fR
using the command\-line interface.
.PP
@ -160,7 +160,7 @@ to only use IPv6 query transport.
The
\fB\-t\fR
option sets the query type to
\fItype\fR. It can be any valid query type which is supported in BIND9. The default query type "A", unless the
\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
\fItype\fR
@ -171,11 +171,11 @@ ixfr=N. The incremental zone transfer will contain the changes made to the zone
The
\fB\-q\fR
option sets the query name to
\fIname\fR. This useful do distingish the
\fIname\fR. This useful do distinguish the
\fIname\fR
from other arguments.
.PP
Reverse lookups \- mapping addresses to names \- are simplified by the
Reverse lookups \(em mapping addresses to names \(em are simplified by the
\fB\-x\fR
option.
\fIaddr\fR
@ -228,7 +228,7 @@ to negate the meaning of that keyword. Other keywords assign values to options l
.PP
\fB+[no]tcp\fR
.RS 4
Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
.RE
.PP
\fB+[no]vc\fR
@ -330,7 +330,7 @@ makes iterative queries to resolve the name being looked up. It will follow refe
.PP
\fB+[no]cmd\fR
.RS 4
toggles the printing of the initial comment in the output identifying the version of
Toggles the printing of the initial comment in the output identifying the version of
\fBdig\fR
and the query options that have been applied. This comment is printed by default.
.RE
@ -354,7 +354,7 @@ Toggle the display of comment lines in the output. The default is to print comme
.PP
\fB+[no]stats\fR
.RS 4
This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics.
This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics.
.RE
.PP
\fB+[no]qr\fR
@ -391,7 +391,7 @@ Set or clear all display flags.
.RS 4
Sets the timeout for a query to
\fIT\fR
seconds. The default time out is 5 seconds. An attempt to set
seconds. The default timeout is 5 seconds. An attempt to set
\fIT\fR
to less than 1 will result in a query timeout of 1 second being applied.
.RE
@ -451,7 +451,7 @@ output.
.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour.
Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
.RE
.PP
\fB+[no]besteffort\fR
@ -487,7 +487,7 @@ Requires dig be compiled with \-DDIG_SIGCHASE.
.PP
\fB+[no]topdown\fR
.RS 4
When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
.RE
.SH "MULTIPLE QUERIES"
.PP

126
contrib/bind9/bin/dig/dig.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dig.c,v 1.186.18.26 2006/07/21 23:52:21 marka Exp $ */
/* $Id: dig.c,v 1.186.18.29 2007/08/28 07:19:55 tbox Exp $ */
/*! \file */
@ -650,42 +650,6 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
}
}
/*%
* Reorder an argument list so that server names all come at the end.
* This is a bit of a hack, to allow batch-mode processing to properly
* handle the server options.
*/
static void
reorder_args(int argc, char *argv[]) {
int i, j;
char *ptr;
int end;
debug("reorder_args()");
end = argc - 1;
while (argv[end][0] == '@') {
end--;
if (end == 0)
return;
}
debug("arg[end]=%s", argv[end]);
for (i = 1; i < end - 1; i++) {
if (argv[i][0] == '@') {
debug("arg[%d]=%s", i, argv[i]);
ptr = argv[i];
for (j = i + 1; j < end; j++) {
debug("Moving %s to %d", argv[j], j - 1);
argv[j - 1] = argv[j];
}
debug("moving %s to end, %d", ptr, end - 1);
argv[end - 1] = ptr;
end--;
if (end < 1)
return;
}
}
}
static isc_uint32_t
parse_uint(char *arg, const char *desc, isc_uint32_t max) {
isc_result_t result;
@ -1104,7 +1068,9 @@ static const char *single_dash_opts = "46dhimnv";
static const char *dash_opts = "46bcdfhikmnptvyx";
static isc_boolean_t
dash_option(char *option, char *next, dig_lookup_t **lookup,
isc_boolean_t *open_type_class, isc_boolean_t config_only)
isc_boolean_t *open_type_class, isc_boolean_t *need_clone,
isc_boolean_t config_only, int argc, char **argv,
isc_boolean_t *firstarg)
{
char opt, *value, *ptr, *ptr2, *ptr3;
isc_result_t result;
@ -1241,14 +1207,20 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
return (value_from_next);
case 'q':
if (!config_only) {
(*lookup) = clone_lookup(default_lookup,
ISC_TRUE);
if (*need_clone)
(*lookup) = clone_lookup(default_lookup,
ISC_TRUE);
*need_clone = ISC_TRUE;
strncpy((*lookup)->textname, value,
sizeof((*lookup)->textname));
(*lookup)->textname[sizeof((*lookup)->textname)-1]=0;
(*lookup)->trace_root = ISC_TF((*lookup)->trace ||
(*lookup)->ns_search_only);
(*lookup)->new_search = ISC_TRUE;
if (*firstarg) {
printgreeting(argc, argv, *lookup);
*firstarg = ISC_FALSE;
}
ISC_LIST_APPEND(lookup_list, (*lookup), link);
debug("looking up %s", (*lookup)->textname);
}
@ -1376,7 +1348,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
keysecret[sizeof(keysecret)-1]=0;
return (value_from_next);
case 'x':
*lookup = clone_lookup(default_lookup, ISC_TRUE);
if (*need_clone)
*lookup = clone_lookup(default_lookup, ISC_TRUE);
*need_clone = ISC_TRUE;
if (get_reverse(textname, sizeof(textname), value,
ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
strncpy((*lookup)->textname, textname,
@ -1390,6 +1364,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
if (!(*lookup)->rdclassset)
(*lookup)->rdclass = dns_rdataclass_in;
(*lookup)->new_search = ISC_TRUE;
if (*firstarg) {
printgreeting(argc, argv, *lookup);
*firstarg = ISC_FALSE;
}
ISC_LIST_APPEND(lookup_list, *lookup, link);
} else {
fprintf(stderr, "Invalid IP address %s\n", value);
@ -1481,6 +1459,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
char rcfile[256];
#endif
char *input;
int i;
isc_boolean_t need_clone = ISC_TRUE;
/*
* The semantics for parsing the args is a bit complex; if
@ -1528,7 +1508,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
bargv[0] = argv[0];
argv0 = argv[0];
reorder_args(bargc, (char **)bargv);
for(i = 0; i < bargc; i++)
debug(".digrc argv %d: %s",
i, bargv[i]);
parse_args(ISC_TRUE, ISC_TRUE, bargc,
(char **)bargv);
}
@ -1537,7 +1519,12 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
#endif
}
lookup = default_lookup;
if (is_batchfile && !config_only) {
/* Processing '-f batchfile'. */
lookup = clone_lookup(default_lookup, ISC_TRUE);
need_clone = ISC_FALSE;
} else
lookup = default_lookup;
rc = argc;
rv = argv;
@ -1554,14 +1541,16 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
if (rc <= 1) {
if (dash_option(&rv[0][1], NULL,
&lookup, &open_type_class,
config_only)) {
&need_clone, config_only,
argc, argv, &firstarg)) {
rc--;
rv++;
}
} else {
if (dash_option(&rv[0][1], rv[1],
&lookup, &open_type_class,
config_only)) {
&need_clone, config_only,
argc, argv, &firstarg)) {
rc--;
rv++;
}
@ -1629,21 +1618,29 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
continue;
}
}
if (!config_only) {
lookup = clone_lookup(default_lookup,
ISC_TRUE);
if (need_clone)
lookup = clone_lookup(default_lookup,
ISC_TRUE);
need_clone = ISC_TRUE;
strncpy(lookup->textname, rv[0],
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1]=0;
lookup->trace_root = ISC_TF(lookup->trace ||
lookup->ns_search_only);
lookup->new_search = ISC_TRUE;
if (firstarg) {
printgreeting(argc, argv, lookup);
firstarg = ISC_FALSE;
}
ISC_LIST_APPEND(lookup_list, lookup, link);
debug("looking up %s", lookup->textname);
}
/* XXX Error message */
}
}
/*
* If we have a batchfile, seed the lookup list with the
* first entry, then trust the callback in dighost_shutdown
@ -1678,15 +1675,20 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
bargv[0] = argv[0];
argv0 = argv[0];
reorder_args(bargc, (char **)bargv);
for(i = 0; i < bargc; i++)
debug("batch argv %d: %s", i, bargv[i]);
parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
return;
}
return;
}
/*
* If no lookup specified, search for root
*/
if ((lookup_list.head == NULL) && !config_only) {
lookup = clone_lookup(default_lookup, ISC_TRUE);
if (need_clone)
lookup = clone_lookup(default_lookup, ISC_TRUE);
need_clone = ISC_TRUE;
lookup->trace_root = ISC_TF(lookup->trace ||
lookup->ns_search_only);
lookup->new_search = ISC_TRUE;
@ -1698,10 +1700,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
firstarg = ISC_FALSE;
}
ISC_LIST_APPEND(lookup_list, lookup, link);
} else if (!config_only && firstarg) {
printgreeting(argc, argv, lookup);
firstarg = ISC_FALSE;
}
if (!need_clone)
destroy_lookup(lookup);
}
/*
@ -1715,7 +1716,7 @@ dighost_shutdown(void) {
int bargc;
char *bargv[16];
char *input;
int i;
if (batchname == NULL) {
isc_app_shutdown();
@ -1743,7 +1744,8 @@ dighost_shutdown(void) {
bargv[0] = argv0;
reorder_args(bargc, (char **)bargv);
for(i = 0; i < bargc; i++)
debug("batch argv %d: %s", i, bargv[i]);
parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
start_lookup();
} else {
@ -1759,7 +1761,6 @@ dighost_shutdown(void) {
int
main(int argc, char **argv) {
isc_result_t result;
dig_server_t *s, *s2;
ISC_LIST_INIT(lookup_list);
ISC_LIST_INIT(server_list);
@ -1780,16 +1781,7 @@ main(int argc, char **argv) {
result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
check_result(result, "isc_app_onrun");
isc_app_run();
s = ISC_LIST_HEAD(default_lookup->my_server_list);
while (s != NULL) {
debug("freeing server %p belonging to %p",
s, default_lookup);
s2 = s;
s = ISC_LIST_NEXT(s, link);
ISC_LIST_DEQUEUE(default_lookup->my_server_list, s2, link);
isc_mem_free(mctx, s2);
}
isc_mem_free(mctx, default_lookup);
destroy_lookup(default_lookup);
if (batchname != NULL) {
if (batchfp != stdin)
fclose(batchfp);

30
contrib/bind9/bin/dig/dig.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dig.docbook,v 1.17.18.17 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: dig.docbook,v 1.17.18.21 2007/08/28 07:19:55 tbox Exp $ -->
<refentry id="man.dig">
<refentryinfo>
@ -104,7 +104,7 @@
arguments, it also has a batch mode of operation for reading lookup
requests from a file. A brief summary of its command-line arguments
and options is printed when the <option>-h</option> option is given.
Unlike earlier versions, the BIND9 implementation of
Unlike earlier versions, the BIND 9 implementation of
<command>dig</command> allows multiple lookups to be issued
from the
command line.
@ -216,7 +216,7 @@
The default query class (IN for internet) is overridden by the
<option>-c</option> option. <parameter>class</parameter> is
any valid
class, such as HS for Hesiod records or CH for CHAOSNET records.
class, such as HS for Hesiod records or CH for Chaosnet records.
</para>
<para>
@ -225,7 +225,7 @@
in batch mode by reading a list of lookup requests to process from the
file <parameter>filename</parameter>. The file contains a
number of
queries, one per line. Each entry in the file should be organised in
queries, one per line. Each entry in the file should be organized in
the same way they would be presented as queries to
<command>dig</command> using the command-line interface.
</para>
@ -251,7 +251,7 @@
The <option>-t</option> option sets the query type to
<parameter>type</parameter>. It can be any valid query type
which is
supported in BIND9. The default query type "A", unless the
supported in BIND 9. The default query type is "A", unless the
<option>-x</option> option is supplied to indicate a reverse lookup.
A zone transfer can be requested by specifying a type of AXFR. When
an incremental zone transfer (IXFR) is required,
@ -263,12 +263,12 @@
<para>
The <option>-q</option> option sets the query name to
<parameter>name</parameter>. This useful do distingish the
<parameter>name</parameter>. This useful do distinguish the
<parameter>name</parameter> from other arguments.
</para>
<para>
Reverse lookups - mapping addresses to names - are simplified by the
Reverse lookups &mdash; mapping addresses to names &mdash; are simplified by the
<option>-x</option> option. <parameter>addr</parameter> is
an IPv4
address in dotted-decimal notation, or a colon-delimited IPv6 address.
@ -343,7 +343,7 @@
<listitem>
<para>
Use [do not use] TCP when querying name servers. The default
behaviour is to use UDP unless an AXFR or IXFR query is
behavior is to use UDP unless an AXFR or IXFR query is
requested, in
which case a TCP connection is used.
</para>
@ -536,7 +536,7 @@
<term><option>+[no]cmd</option></term>
<listitem>
<para>
toggles the printing of the initial comment in the output
Toggles the printing of the initial comment in the output
identifying
the version of <command>dig</command> and the query
options that have
@ -588,7 +588,7 @@
This query option toggles the printing of statistics: when the
query
was made, the size of the reply and so on. The default
behaviour is
behavior is
to print the query statistics.
</para>
</listitem>
@ -662,8 +662,8 @@
<para>
Sets the timeout for a query to
<parameter>T</parameter> seconds. The default time
out is 5 seconds.
<parameter>T</parameter> seconds. The default
timeout is 5 seconds.
An attempt to set <parameter>T</parameter> to less
than 1 will result
in a query timeout of 1 second being applied.
@ -763,7 +763,7 @@
default is
to not try the next server which is the reverse of normal stub
resolver
behaviour.
behavior.
</para>
</listitem>
</varlistentry>
@ -822,7 +822,7 @@
<term><option>+[no]topdown</option></term>
<listitem>
<para>
When chasing DNSSEC signature chains perform a top down
When chasing DNSSEC signature chains perform a top-down
validation.
Requires dig be compiled with -DDIG_SIGCHASE.
</para>

28
contrib/bind9/bin/dig/dig.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dig.html,v 1.13.18.25 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: dig.html,v 1.13.18.28 2007/05/16 06:11:27 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -50,7 +50,7 @@
arguments, it also has a batch mode of operation for reading lookup
requests from a file. A brief summary of its command-line arguments
and options is printed when the <code class="option">-h</code> option is given.
Unlike earlier versions, the BIND9 implementation of
Unlike earlier versions, the BIND 9 implementation of
<span><strong class="command">dig</strong></span> allows multiple lookups to be issued
from the
command line.
@ -139,7 +139,7 @@
The default query class (IN for internet) is overridden by the
<code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is
any valid
class, such as HS for Hesiod records or CH for CHAOSNET records.
class, such as HS for Hesiod records or CH for Chaosnet records.
</p>
<p>
The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
@ -147,7 +147,7 @@
in batch mode by reading a list of lookup requests to process from the
file <em class="parameter"><code>filename</code></em>. The file contains a
number of
queries, one per line. Each entry in the file should be organised in
queries, one per line. Each entry in the file should be organized in
the same way they would be presented as queries to
<span><strong class="command">dig</strong></span> using the command-line interface.
</p>
@ -170,7 +170,7 @@
The <code class="option">-t</code> option sets the query type to
<em class="parameter"><code>type</code></em>. It can be any valid query type
which is
supported in BIND9. The default query type "A", unless the
supported in BIND 9. The default query type is "A", unless the
<code class="option">-x</code> option is supplied to indicate a reverse lookup.
A zone transfer can be requested by specifying a type of AXFR. When
an incremental zone transfer (IXFR) is required,
@ -181,11 +181,11 @@
</p>
<p>
The <code class="option">-q</code> option sets the query name to
<em class="parameter"><code>name</code></em>. This useful do distingish the
<em class="parameter"><code>name</code></em>. This useful do distinguish the
<em class="parameter"><code>name</code></em> from other arguments.
</p>
<p>
Reverse lookups - mapping addresses to names - are simplified by the
Reverse lookups &#8212; mapping addresses to names &#8212; are simplified by the
<code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is
an IPv4
address in dotted-decimal notation, or a colon-delimited IPv6 address.
@ -249,7 +249,7 @@
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd><p>
Use [do not use] TCP when querying name servers. The default
behaviour is to use UDP unless an AXFR or IXFR query is
behavior is to use UDP unless an AXFR or IXFR query is
requested, in
which case a TCP connection is used.
</p></dd>
@ -362,7 +362,7 @@
</p></dd>
<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
<dd><p>
toggles the printing of the initial comment in the output
Toggles the printing of the initial comment in the output
identifying
the version of <span><strong class="command">dig</strong></span> and the query
options that have
@ -394,7 +394,7 @@
This query option toggles the printing of statistics: when the
query
was made, the size of the reply and so on. The default
behaviour is
behavior is
to print the query statistics.
</p></dd>
<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
@ -433,8 +433,8 @@
<dd><p>
Sets the timeout for a query to
<em class="parameter"><code>T</code></em> seconds. The default time
out is 5 seconds.
<em class="parameter"><code>T</code></em> seconds. The default
timeout is 5 seconds.
An attempt to set <em class="parameter"><code>T</code></em> to less
than 1 will result
in a query timeout of 1 second being applied.
@ -499,7 +499,7 @@
default is
to not try the next server which is the reverse of normal stub
resolver
behaviour.
behavior.
</p></dd>
<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
<dd><p>
@ -535,7 +535,7 @@
</dd>
<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
<dd><p>
When chasing DNSSEC signature chains perform a top down
When chasing DNSSEC signature chains perform a top-down
validation.
Requires dig be compiled with -DDIG_SIGCHASE.
</p></dd>

23
contrib/bind9/bin/dig/dighost.c
View File

@ -2,7 +2,7 @@
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dighost.c,v 1.259.18.39 2007/02/14 23:45:43 marka Exp $ */
/* $Id: dighost.c,v 1.259.18.43 2007/08/28 07:19:55 tbox Exp $ */
/*! \file
* \note
@ -144,6 +144,7 @@ static idn_result_t append_textname(char *name, const char *origin,
static void idn_check_result(idn_result_t r, const char *msg);
#define MAXDLEN 256
int idnoptions = 0;
#endif
/*%
@ -1275,9 +1276,7 @@ clear_query(dig_query_t *query) {
*/
static isc_boolean_t
try_clear_lookup(dig_lookup_t *lookup) {
dig_server_t *s;
dig_query_t *q;
void *ptr;
REQUIRE(lookup != NULL);
@ -1298,7 +1297,16 @@ try_clear_lookup(dig_lookup_t *lookup) {
* At this point, we know there are no queries on the lookup,
* so can make it go away also.
*/
debug("cleared");
destroy_lookup(lookup);
return (ISC_TRUE);
}
void
destroy_lookup(dig_lookup_t *lookup) {
dig_server_t *s;
void *ptr;
debug("destroy");
s = ISC_LIST_HEAD(lookup->my_server_list);
while (s != NULL) {
debug("freeing server %p belonging to %p", s, lookup);
@ -1323,7 +1331,6 @@ try_clear_lookup(dig_lookup_t *lookup) {
dst_context_destroy(&lookup->tsigctx);
isc_mem_free(mctx, lookup);
return (ISC_TRUE);
}
/*%
@ -1816,7 +1823,7 @@ setup_lookup(dig_lookup_t *lookup) {
sizeof(utf8_textname));
idn_check_result(mr, "append origin to textname");
}
mr = idn_encodename(IDN_LOCALMAP | IDN_NAMEPREP | IDN_ASCCHECK |
mr = idn_encodename(idnoptions | IDN_LOCALMAP | IDN_NAMEPREP |
IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
idn_textname, sizeof(idn_textname));
idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
@ -3891,7 +3898,7 @@ get_trusted_key(isc_mem_t *mctx)
filename);
return (ISC_R_FAILURE);
}
while (fgets(buf, 1500, fp) != NULL) {
while (fgets(buf, sizeof(buf), fp) != NULL) {
result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp);
if (result != ISC_R_SUCCESS) {
fclose(fp);

8
contrib/bind9/bin/dig/host.1
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: host.1,v 1.14.18.13 2007/01/30 00:23:44 marka Exp $
.\" $Id: host.1,v 1.14.18.14 2007/05/09 03:33:12 marka Exp $
.\"
.hy 0
.ad l
@ -130,7 +130,7 @@ makes. This should mean that the name server receiving the query will not attemp
\fB\-r\fR
option enables
\fBhost\fR
to mimic the behaviour of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
.PP
By default
\fBhost\fR
@ -152,7 +152,7 @@ The
\fB\-t\fR
option is used to select the query type.
\fItype\fR
can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
\fBhost\fR
automatically selects an appropriate query type. By default it looks for A records, but if the
\fB\-C\fR
@ -185,7 +185,7 @@ The
option tells
\fBhost\fR
\fInot\fR
to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behaviour.
to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior.
.PP
The
\fB\-m\fR

38
contrib/bind9/bin/dig/host.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,13 +15,25 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: host.c,v 1.94.18.14 2006/05/23 04:40:42 marka Exp $ */
/* $Id: host.c,v 1.94.18.19 2007/08/28 07:19:55 tbox Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <limits.h>
#ifdef HAVE_LOCALE_H
#include <locale.h>
#endif
#ifdef WITH_IDN
#include <idn/result.h>
#include <idn/log.h>
#include <idn/resconf.h>
#include <idn/api.h>
#endif
#include <isc/app.h>
#include <isc/commandline.h>
#include <isc/netaddr.h>
@ -414,8 +426,10 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
if (msg->rcode != 0) {
char namestr[DNS_NAME_FORMATSIZE];
dns_name_format(query->lookup->name, namestr, sizeof(namestr));
printf("Host %s not found: %d(%s)\n", namestr,
msg->rcode, rcodetext[msg->rcode]);
printf("Host %s not found: %d(%s)\n",
(msg->rcode != dns_rcode_nxdomain) ? namestr :
query->lookup->textname, msg->rcode,
rcodetext[msg->rcode]);
return (ISC_R_SUCCESS);
}
@ -569,6 +583,7 @@ pre_parse_args(int argc, char **argv) {
while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
switch (c) {
case 'm':
memdebugging = ISC_TRUE;
if (strcasecmp("trace", isc_commandline_argument) == 0)
isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
else if (!strcasecmp("record",
@ -664,6 +679,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
lookup->rdtype != dns_rdatatype_axfr)
lookup->rdtype = rdtype;
lookup->rdtypeset = ISC_TRUE;
#ifdef WITH_IDN
idnoptions = 0;
#endif
if (rdtype == dns_rdatatype_axfr) {
/* -l -t any -v */
list_type = dns_rdatatype_any;
@ -672,6 +690,13 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
} else if (rdtype == dns_rdatatype_ixfr) {
lookup->ixfr_serial = serial;
list_type = rdtype;
#ifdef WITH_IDN
} else if (rdtype == dns_rdatatype_a ||
rdtype == dns_rdatatype_aaaa ||
rdtype == dns_rdatatype_mx) {
idnoptions = IDN_ASCCHECK;
list_type = rdtype;
#endif
} else
list_type = rdtype;
list_addresses = ISC_FALSE;
@ -814,6 +839,9 @@ main(int argc, char **argv) {
ISC_LIST_INIT(search_list);
fatalexit = 1;
#ifdef WITH_IDN
idnoptions = IDN_ASCCHECK;
#endif
debug("main()");
progname = argv[0];

10
contrib/bind9/bin/dig/host.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: host.docbook,v 1.5.18.9 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: host.docbook,v 1.5.18.11 2007/08/28 07:19:55 tbox Exp $ -->
<refentry id="man.host">
<refentryinfo>
@ -173,7 +173,7 @@
attempt to resolve <parameter>name</parameter>. The
<option>-r</option> option enables <command>host</command>
to mimic
the behaviour of a name server by making non-recursive queries and
the behavior of a name server by making non-recursive queries and
expecting to receive answers to those queries that are usually
referrals to other name servers.
</para>
@ -194,7 +194,7 @@
<para>
The <option>-t</option> option is used to select the query type.
<parameter>type</parameter> can be any recognised query
<parameter>type</parameter> can be any recognized query
type: CNAME,
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<command>host</command> automatically selects an appropriate
@ -227,7 +227,7 @@
The <option>-s</option> option tells <command>host</command>
<emphasis>not</emphasis> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the
reverse of normal stub resolver behaviour.
reverse of normal stub resolver behavior.
</para>
<para>

8
contrib/bind9/bin/dig/host.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: host.html,v 1.7.18.19 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: host.html,v 1.7.18.20 2007/05/09 03:33:12 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -125,7 +125,7 @@
attempt to resolve <em class="parameter"><code>name</code></em>. The
<code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
to mimic
the behaviour of a name server by making non-recursive queries and
the behavior of a name server by making non-recursive queries and
expecting to receive answers to those queries that are usually
referrals to other name servers.
</p>
@ -143,7 +143,7 @@
</p>
<p>
The <code class="option">-t</code> option is used to select the query type.
<em class="parameter"><code>type</code></em> can be any recognised query
<em class="parameter"><code>type</code></em> can be any recognized query
type: CNAME,
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<span><strong class="command">host</strong></span> automatically selects an appropriate
@ -174,7 +174,7 @@
The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span>
<span class="emphasis"><em>not</em></span> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the
reverse of normal stub resolver behaviour.
reverse of normal stub resolver behavior.
</p>
<p>
The <code class="option">-m</code> can be used to set the memory usage debugging

12
contrib/bind9/bin/dig/include/dig/dig.h
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dig.h,v 1.82.18.19 2006/12/07 06:08:02 marka Exp $ */
/* $Id: dig.h,v 1.82.18.23 2007/08/28 07:19:55 tbox Exp $ */
#ifndef DIG_H
#define DIG_H
@ -277,6 +277,9 @@ extern isc_boolean_t debugging, memdebugging;
extern char *progname;
extern int tries;
extern int fatalexit;
#ifdef WITH_IDN
extern int idnoptions;
#endif
/*
* Routines in dighost.c.
@ -300,6 +303,9 @@ check_result(isc_result_t result, const char *msg);
void
setup_lookup(dig_lookup_t *lookup);
void
destroy_lookup(dig_lookup_t *lookup);
void
do_lookup(dig_lookup_t *lookup);

6
contrib/bind9/bin/dig/nslookup.1
View File

@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: nslookup.1,v 1.1.10.12 2007/01/30 00:23:44 marka Exp $
.\" $Id: nslookup.1,v 1.1.10.14 2007/05/16 06:11:27 marka Exp $
.\"
.hy 0
.ad l
@ -158,7 +158,7 @@ The class specifies the protocol group of the information.
.PP
\fB \fR\fB\fI[no]\fR\fR\fBdebug\fR
.RS 4
Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
Turn on or off the display of the full response packet and any intermediate response packets when searching.
.sp
(Default = nodebug; abbreviation =
[no]deb)
@ -166,7 +166,7 @@ Turn debugging mode on. A lot more information is printed about the packet sent
.PP
\fB \fR\fB\fI[no]\fR\fR\fBd2\fR
.RS 4
Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
Turn debugging mode on or off. This displays more about what nslookup is doing.
.sp
(Default = nod2)
.RE

11
contrib/bind9/bin/dig/nslookup.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nslookup.c,v 1.101.18.12 2006/12/07 06:08:02 marka Exp $ */
/* $Id: nslookup.c,v 1.101.18.15 2007/08/28 07:19:55 tbox Exp $ */
#include <config.h>
@ -410,8 +410,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
char nametext[DNS_NAME_FORMATSIZE];
dns_name_format(query->lookup->name,
nametext, sizeof(nametext));
printf("** server can't find %s: %s\n", nametext,
rcodetext[msg->rcode]);
printf("** server can't find %s: %s\n",
(msg->rcode != dns_rcode_nxdomain) ? nametext :
query->lookup->textname, rcodetext[msg->rcode]);
debug("returning with rcode == 0");
return (ISC_R_SUCCESS);
}

14
contrib/bind9/bin/dig/nslookup.docbook
View File

@ -4,7 +4,7 @@
<!--
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nslookup.docbook,v 1.4.2.10 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: nslookup.docbook,v 1.4.2.13 2007/08/28 07:19:55 tbox Exp $ -->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
@ -314,9 +314,8 @@ nslookup -query=hinfo -timeout=10
<replaceable><optional>no</optional></replaceable>debug</constant></term>
<listitem>
<para>
Turn debugging mode on. A lot more information is
printed about the packet sent to the server and the
resulting answer.
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</para>
<para>
(Default = nodebug; abbreviation = <optional>no</optional>deb)
@ -329,9 +328,8 @@ nslookup -query=hinfo -timeout=10
<replaceable><optional>no</optional></replaceable>d2</constant></term>
<listitem>
<para>
Turn debugging mode on. A lot more information is
printed about the packet sent to the server and the
resulting answer.
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</para>
<para>
(Default = nod2)

12
contrib/bind9/bin/dig/nslookup.html
View File

@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nslookup.html,v 1.1.10.19 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: nslookup.html,v 1.1.10.21 2007/05/16 06:11:27 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -180,9 +180,8 @@ nslookup -query=hinfo -timeout=10
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
<dd>
<p>
Turn debugging mode on. A lot more information is
printed about the packet sent to the server and the
resulting answer.
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</p>
<p>
(Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
@ -192,9 +191,8 @@ nslookup -query=hinfo -timeout=10
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
<dd>
<p>
Turn debugging mode on. A lot more information is
printed about the packet sent to the server and the
resulting answer.
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</p>
<p>
(Default = nod2)

12
contrib/bind9/bin/dnssec/dnssec-keygen.8
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-keygen.8,v 1.23.18.13 2007/01/30 00:23:44 marka Exp $
.\" $Id: dnssec-keygen.8,v 1.23.18.14 2007/05/09 03:33:12 marka Exp $
.\"
.hy 0
.ad l
@ -37,7 +37,7 @@ dnssec\-keygen \- DNSSEC key generation tool
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
@ -147,7 +147,7 @@ is the numeric representation of the algorithm.
is the key identifier (or footprint).
.PP
\fBdnssec\-keygen\fR
creates two file, with names based on the printed string.
creates two files, with names based on the printed string.
\fIKnnnn.+aaa+iiiii.key\fR
contains the public key, and
\fIKnnnn.+aaa+iiiii.private\fR
@ -159,13 +159,13 @@ file contains a DNS KEY record that can be inserted into a zone file (directly o
.PP
The
\fI.private\fR
file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.
file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
.PP
Both
\fI.key\fR
and
\fI.private\fR
files are generated for symmetric encryption algorithm such as HMAC\-MD5, even though the public and private key are equivalent.
files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent.
.SH "EXAMPLE"
.PP
To generate a 768\-bit DSA key for the domain
@ -182,7 +182,7 @@ In this example,
creates the files
\fIKexample.com.+003+26160.key\fR
and
\fIKexample.com.+003+26160.private\fR
\fIKexample.com.+003+26160.private\fR.
.SH "SEE ALSO"
.PP
\fBdnssec\-signzone\fR(8),

4
contrib/bind9/bin/dnssec/dnssec-keygen.c
View File

@ -3,7 +3,7 @@
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.66.18.9 2007/01/18 00:06:11 marka Exp $ */
/* $Id: dnssec-keygen.c,v 1.66.18.10 2007/08/28 07:19:55 tbox Exp $ */
/*! \file */

16
contrib/bind9/bin/dnssec/dnssec-keygen.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.7.18.9 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.7.18.11 2007/08/28 07:20:00 tbox Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@ -76,7 +76,7 @@
<title>DESCRIPTION</title>
<para><command>dnssec-keygen</command>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC &lt;TBA\&gt;. It can also generate keys for use with
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
</para>
</refsect1>
@ -286,7 +286,7 @@
</listitem>
</itemizedlist>
<para><command>dnssec-keygen</command>
creates two file, with names based
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
@ -300,14 +300,14 @@
statement).
</para>
<para>
The <filename>.private</filename> file contains algorithm
specific
The <filename>.private</filename> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>
<para>
Both <filename>.key</filename> and <filename>.private</filename>
files are generated for symmetric encryption algorithm such as
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</para>
</refsect1>
@ -330,7 +330,7 @@
In this example, <command>dnssec-keygen</command> creates
the files <filename>Kexample.com.+003+26160.key</filename>
and
<filename>Kexample.com.+003+26160.private</filename>
<filename>Kexample.com.+003+26160.private</filename>.
</para>
</refsect1>

14
contrib/bind9/bin/dnssec/dnssec-keygen.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.html,v 1.9.18.19 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: dnssec-keygen.html,v 1.9.18.20 2007/05/09 03:33:12 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -35,7 +35,7 @@
<a name="id2543474"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC &lt;TBA\&gt;. It can also generate keys for use with
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
</p>
</div>
@ -168,7 +168,7 @@
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
creates two file, with names based
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
@ -182,14 +182,14 @@
statement).
</p>
<p>
The <code class="filename">.private</code> file contains algorithm
specific
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric encryption algorithm such as
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
@ -211,7 +211,7 @@
In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
the files <code class="filename">Kexample.com.+003+26160.key</code>
and
<code class="filename">Kexample.com.+003+26160.private</code>
<code class="filename">Kexample.com.+003+26160.private</code>.
</p>
</div>
<div class="refsect1" lang="en">

43
contrib/bind9/bin/dnssec/dnssec-signzone.8
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signzone.8,v 1.28.18.16 2007/01/30 00:23:44 marka Exp $
.\" $Id: dnssec-signzone.8,v 1.28.18.17 2007/05/09 03:33:12 marka Exp $
.\"
.hy 0
.ad l
@ -95,7 +95,7 @@ is specified, 30 days from the start time is used as a default.
.RS 4
The name of the output file containing the signed zone. The default is to append
\fI.signed\fR
to the input file.
to the input filename.
.RE
.PP
\-h
@ -106,7 +106,7 @@ Prints a short summary of the options and arguments to
.PP
\-i \fIinterval\fR
.RS 4
When a previously signed zone is passed as input, records may be resigned. The
When a previously\-signed zone is passed as input, records may be resigned. The
\fBinterval\fR
option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
.sp
@ -129,7 +129,7 @@ The format of the input zone file. Possible formats are
.PP
\-j \fIjitter\fR
.RS 4
When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously signed zone is passed as input to the signer, all expired signatures has to be regenerated at about the same time. The
When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The
\fBjitter\fR
option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
.sp
@ -219,29 +219,44 @@ The file containing the zone to be signed.
.PP
key
.RS 4
The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory.
Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
.RE
.SH "EXAMPLE"
.PP
The following command signs the
\fBexample.com\fR
zone with the DSA key generated in the
zone with the DSA key generated by
\fBdnssec\-keygen\fR
man page. The zone's keys must be in the zone. If there are
(Kexample.com.+003+17247). The zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
\fIkeyset\fR
files associated with child zones, they must be in the current directory.
\fBexample.com\fR, the following command would be issued:
files, in the current directory, so that DS records can be generated from them (\fB\-g\fR).
.sp
.RS 4
.nf
% dnssec\-signzone \-g \-o example.com db.example.com \\
Kexample.com.+003+17247
db.example.com.signed
%
.fi
.RE
.PP
\fBdnssec\-signzone \-o example.com db.example.com Kexample.com.+003+26160\fR
.PP
The command would print a string of the form:
.PP
In this example,
In the above example,
\fBdnssec\-signzone\fR
creates the file
\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
\fInamed.conf\fR
file.
.PP
This example re\-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.
.sp
.RS 4
.nf
% cp db.example.com.signed db.example.com
% dnssec\-signzone \-o example.com db.example.com
db.example.com.signed
%
.fi
.RE
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),

8
contrib/bind9/bin/dnssec/dnssec-signzone.c
View File

@ -1,9 +1,9 @@
/*
* Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.177.18.21 2006/08/30 23:01:54 marka Exp $ */
/* $Id: dnssec-signzone.c,v 1.177.18.24 2007/08/28 07:20:00 tbox Exp $ */
/*! \file */
@ -1481,7 +1481,7 @@ loadzonekeys(dns_db_t *db) {
for (i = 0; i < nkeys; i++) {
signer_key_t *key;
key = newkeystruct(keys[i], ISC_TRUE);
key = newkeystruct(keys[i], dst_key_isprivate(keys[i]));
ISC_LIST_APPEND(keylist, key, link);
}
dns_db_detachnode(db, &node);

55
contrib/bind9/bin/dnssec/dnssec-signzone.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.10.18.15 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.10.18.17 2007/08/28 07:20:00 tbox Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 30, 2000</date>
@ -193,7 +193,7 @@
The name of the output file containing the signed zone. The
default is to append <filename>.signed</filename> to
the
input file.
input filename.
</para>
</listitem>
</varlistentry>
@ -212,7 +212,7 @@
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
When a previously signed zone is passed as input, records
When a previously-signed zone is passed as input, records
may be resigned. The <option>interval</option> option
specifies the cycle interval as an offset from the current
time (in seconds). If a RRSIG record expires after the
@ -256,8 +256,8 @@
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <option>jitter</option> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
@ -411,9 +411,11 @@
<term>key</term>
<listitem>
<para>
The keys used to sign the zone. If no keys are specified, the
default all zone keys that have private key files in the
current directory.
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys, in the current directory,
then these will be used for signing.
</para>
</listitem>
</varlistentry>
@ -425,27 +427,30 @@
<title>EXAMPLE</title>
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated in the <command>dnssec-keygen</command>
man page. The zone's keys must be in the zone. If there are
<filename>keyset</filename> files associated with child
zones,
they must be in the current directory.
<userinput>example.com</userinput>, the following command would be
issued:
</para>
<para><userinput>dnssec-signzone -o example.com db.example.com
Kexample.com.+003+26160</userinput>
zone with the DSA key generated by <command>dnssec-keygen</command>
(Kexample.com.+003+17247). The zone's keys must be in the master
file (<filename>db.example.com</filename>). This invocation looks
for <filename>keyset</filename> files, in the current directory,
so that DS records can be generated from them (<command>-g</command>).
</para>
<programlisting>% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</programlisting>
<para>
The command would print a string of the form:
</para>
<para>
In this example, <command>dnssec-signzone</command> creates
In the above example, <command>dnssec-signzone</command> creates
the file <filename>db.example.com.signed</filename>. This
file
should be referenced in a zone statement in a
file should be referenced in a zone statement in a
<filename>named.conf</filename> file.
</para>
<para>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</para>
<programlisting>% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</programlisting>
</refsect1>
<refsect1>

57
contrib/bind9/bin/dnssec/dnssec-signzone.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.html,v 1.8.18.22 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: dnssec-signzone.html,v 1.8.18.23 2007/05/09 03:33:12 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -99,7 +99,7 @@
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to
the
input file.
input filename.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
@ -109,7 +109,7 @@
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
When a previously signed zone is passed as input, records
When a previously-signed zone is passed as input, records
may be resigned. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
time (in seconds). If a RRSIG record expires after the
@ -145,8 +145,8 @@
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <code class="option">jitter</code> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
@ -232,9 +232,11 @@
</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
The keys used to sign the zone. If no keys are specified, the
default all zone keys that have private key files in the
current directory.
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys, in the current directory,
then these will be used for signing.
</p></dd>
</dl></div>
</div>
@ -242,37 +244,40 @@
<a name="id2544327"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
man page. The zone's keys must be in the zone. If there are
<code class="filename">keyset</code> files associated with child
zones,
they must be in the current directory.
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
</p>
<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com
Kexample.com.+003+26160</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
(Kexample.com.+003+17247). The zone's keys must be in the master
file (<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">keyset</code> files, in the current directory,
so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
The command would print a string of the form:
</p>
<p>
In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file
should be referenced in a zone statement in a
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
</p>
<p>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2544375"></a><h2>SEE ALSO</h2>
<a name="id2544378"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2535</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544400"></a><h2>AUTHOR</h2>
<a name="id2544403"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

29
contrib/bind9/bin/named/client.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: client.c,v 1.219.18.20.14.1 2007/06/26 02:58:54 marka Exp $ */
/* $Id: client.c,v 1.219.18.28 2007/08/28 07:20:00 tbox Exp $ */
#include <config.h>
@ -1180,7 +1180,7 @@ client_addopt(ns_client_t *client) {
rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
/*
* No ENDS options in the default case.
* No EDNS options in the default case.
*/
rdata->data = NULL;
rdata->length = 0;
@ -1226,7 +1226,8 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
dns_rdataclass_t rdclass, void *arg)
{
dns_view_t *view;
dns_tsigkey_t *key;
dns_tsigkey_t *key = NULL;
dns_name_t *tsig = NULL;
isc_netaddr_t netsrc;
isc_netaddr_t netdst;
@ -1241,7 +1242,6 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link)) {
dns_name_t *tsig = NULL;
if (view->matchrecursiveonly)
continue;
@ -1584,6 +1584,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
"failed to get request's "
"destination: %s",
isc_result_totext(result));
ns_client_next(client, ISC_R_SUCCESS);
goto cleanup;
}
}
@ -1672,21 +1673,29 @@ client_request(isc_task_t *task, isc_event_t *event) {
char tsigrcode[64];
isc_buffer_t b;
dns_name_t *name = NULL;
dns_rcode_t status;
isc_result_t tresult;
isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
RUNTIME_CHECK(dns_tsigrcode_totext(client->message->tsigstatus,
&b) == ISC_R_SUCCESS);
tsigrcode[isc_buffer_usedlength(&b)] = '\0';
/* There is a signature, but it is bad. */
if (dns_message_gettsig(client->message, &name) != NULL) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof(namebuf));
status = client->message->tsigstatus;
isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
tresult = dns_tsigrcode_totext(status, &b);
INSIST(tresult == ISC_R_SUCCESS);
tsigrcode[isc_buffer_usedlength(&b)] = '\0';
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
"request has invalid signature: "
"TSIG %s: %s (%s)", namebuf,
isc_result_totext(result), tsigrcode);
} else {
status = client->message->sig0status;
isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
tresult = dns_tsigrcode_totext(status, &b);
INSIST(tresult == ISC_R_SUCCESS);
tsigrcode[isc_buffer_usedlength(&b)] = '\0';
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
"request has invalid signature: %s (%s)",

10
contrib/bind9/bin/named/config.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,14 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.47.18.28 2006/05/03 01:46:40 marka Exp $ */
/* $Id: config.c,v 1.47.18.32 2007/09/13 05:04:01 each Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <string.h>
#include <isc/buffer.h>
#include <isc/log.h>
@ -31,6 +30,7 @@
#include <isc/region.h>
#include <isc/result.h>
#include <isc/sockaddr.h>
#include <isc/string.h>
#include <isc/util.h>
#include <isccfg/namedconf.h>
@ -182,7 +182,7 @@ options {\n\
"
"#\n\
# Zones in the \"_bind\" view are NOT counted is the count of zones.\n\
# Zones in the \"_bind\" view are NOT counted in the count of zones.\n\
#\n\
view \"_bind\" chaos {\n\
recursion no;\n\

8
contrib/bind9/bin/named/control.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,17 +15,17 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.c,v 1.20.10.8 2006/03/10 00:23:20 marka Exp $ */
/* $Id: control.c,v 1.20.10.10 2007/09/13 23:46:26 tbox Exp $ */
/*! \file */
#include <config.h>
#include <string.h>
#include <isc/app.h>
#include <isc/event.h>
#include <isc/mem.h>
#include <isc/string.h>
#include <isc/timer.h>
#include <isc/util.h>

63
contrib/bind9/bin/named/lwresd.8
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: lwresd.8,v 1.15.18.10 2007/01/30 00:23:44 marka Exp $
.\" $Id: lwresd.8,v 1.15.18.12 2007/05/16 06:11:27 marka Exp $
.\"
.hy 0
.ad l
@ -33,7 +33,7 @@
lwresd \- lightweight resolver daemon
.SH "SYNOPSIS"
.HP 7
\fBlwresd\fR [\fB\-C\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-i\ \fR\fB\fIpid\-file\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-P\ \fR\fB\fIport\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR]
\fBlwresd\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-C\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-i\ \fR\fB\fIpid\-file\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-P\ \fR\fB\fIport\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-4\fR] [\fB\-6\fR]
.SH "DESCRIPTION"
.PP
\fBlwresd\fR
@ -61,12 +61,44 @@ entries are present, or if forwarding fails,
resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
.SH "OPTIONS"
.PP
\-4
.RS 4
Use IPv4 only even if the host machine is capable of IPv6.
\fB\-4\fR
and
\fB\-6\fR
are mutually exclusive.
.RE
.PP
\-6
.RS 4
Use IPv6 only even if the host machine is capable of IPv4.
\fB\-4\fR
and
\fB\-6\fR
are mutually exclusive.
.RE
.PP
\-c \fIconfig\-file\fR
.RS 4
Use
\fIconfig\-file\fR
as the configuration file instead of the default,
\fI/etc/lwresd.conf\fR.
<term>\-c</term>
can not be used with
<term>\-C</term>.
.RE
.PP
\-C \fIconfig\-file\fR
.RS 4
Use
\fIconfig\-file\fR
as the configuration file instead of the default,
\fI/etc/resolv.conf\fR.
<term>\-C</term>
can not be used with
<term>\-c</term>.
.RE
.PP
\-d \fIdebug\-level\fR
@ -88,6 +120,25 @@ Run the server in the foreground and force all logging to
\fIstderr\fR.
.RE
.PP
\-i \fIpid\-file\fR
.RS 4
Use
\fIpid\-file\fR
as the PID file instead of the default,
\fI/var/run/lwresd.pid\fR.
.RE
.PP
\-m \fIflag\fR
.RS 4
Turn on memory usage debugging flags. Possible flags are
\fIusage\fR,
\fItrace\fR,
\fIrecord\fR,
\fIsize\fR, and
\fImctx\fR. These correspond to the ISC_MEM_DEBUGXXXX flags described in
\fI<isc/mem.h>\fR.
.RE
.PP
\-n \fI#cpus\fR
.RS 4
Create
@ -122,8 +173,7 @@ This option is mainly of interest to BIND 9 developers and may be removed or cha
.PP
\-t \fIdirectory\fR
.RS 4
\fBchroot()\fR
to
Chroot to
\fIdirectory\fR
after processing the command line arguments, but before reading the configuration file.
.RS
@ -131,15 +181,14 @@ after processing the command line arguments, but before reading the configuratio
This option should be used in conjunction with the
\fB\-u\fR
option, as chrooting a process running as root doesn't enhance security on most systems; the way
\fBchroot()\fR
\fBchroot(2)\fR
is defined allows a process with root privileges to escape a chroot jail.
.RE
.RE
.PP
\-u \fIuser\fR
.RS 4
\fBsetuid()\fR
to
Setuid to
\fIuser\fR
after completing privileged operations, such as creating sockets that listen on privileged ports.
.RE

79
contrib/bind9/bin/named/lwresd.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: lwresd.docbook,v 1.7.18.5 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: lwresd.docbook,v 1.7.18.8 2007/08/28 07:20:01 tbox Exp $ -->
<refentry>
<refentryinfo>
<date>June 30, 2000</date>
@ -52,11 +52,13 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>lwresd</command>
<arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-C <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg><option>-g</option></arg>
<arg><option>-i <replaceable class="parameter">pid-file</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">port</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
@ -64,6 +66,8 @@
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
<arg><option>-v</option></arg>
<arg><option>-4</option></arg>
<arg><option>-6</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
@ -109,6 +113,43 @@
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-4</term>
<listitem>
<para>
Use IPv4 only even if the host machine is capable of IPv6.
<option>-4</option> and <option>-6</option> are mutually
exclusive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-6</term>
<listitem>
<para>
Use IPv6 only even if the host machine is capable of IPv4.
<option>-4</option> and <option>-6</option> are mutually
exclusive.
</para>
</listitem>
</varlistentry>
<!-- this is in source but not mentioned? does this matter? -->
<varlistentry>
<term>-c <replaceable class="parameter">config-file</replaceable></term>
<listitem>
<para>
Use <replaceable class="parameter">config-file</replaceable> as the
configuration file instead of the default,
<filename>/etc/lwresd.conf</filename>.
<!-- Should this be an absolute path name? -->
<term>-c</term> can not be used with <term>-C</term>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C <replaceable class="parameter">config-file</replaceable></term>
<listitem>
@ -116,6 +157,7 @@
Use <replaceable class="parameter">config-file</replaceable> as the
configuration file instead of the default,
<filename>/etc/resolv.conf</filename>.
<term>-C</term> can not be used with <term>-c</term>.
</para>
</listitem>
</varlistentry>
@ -150,6 +192,33 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">pid-file</replaceable></term>
<listitem>
<para>
Use <replaceable class="parameter">pid-file</replaceable> as the
PID file instead of the default,
<filename>/var/run/lwresd.pid</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Turn on memory usage debugging flags. Possible flags are
<replaceable class="parameter">usage</replaceable>,
<replaceable class="parameter">trace</replaceable>,
<replaceable class="parameter">record</replaceable>,
<replaceable class="parameter">size</replaceable>, and
<replaceable class="parameter">mctx</replaceable>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<filename>&lt;isc/mem.h&gt;</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">#cpus</replaceable></term>
<listitem>
@ -207,7 +276,7 @@
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para><function>chroot()</function>
<para>Chroot
to <replaceable class="parameter">directory</replaceable> after
processing the command line arguments, but before
reading the configuration file.
@ -217,7 +286,7 @@
This option should be used in conjunction with the
<option>-u</option> option, as chrooting a process
running as root doesn't enhance security on most
systems; the way <function>chroot()</function> is
systems; the way <function>chroot(2)</function> is
defined allows a process with root privileges to
escape a chroot jail.
</para>
@ -228,7 +297,7 @@
<varlistentry>
<term>-u <replaceable class="parameter">user</replaceable></term>
<listitem>
<para><function>setuid()</function>
<para>Setuid
to <replaceable class="parameter">user</replaceable> after completing
privileged operations, such as creating sockets that
listen on privileged ports.

58
contrib/bind9/bin/named/lwresd.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: lwresd.html,v 1.5.18.16 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: lwresd.html,v 1.5.18.18 2007/05/16 06:11:27 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -29,10 +29,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-4</code>] [<code class="option">-6</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543435"></a><h2>DESCRIPTION</h2>
<a name="id2543461"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">lwresd</strong></span>
is the daemon providing name lookup
services to clients that use the BIND 9 lightweight resolver
@ -67,13 +67,34 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543482"></a><h2>OPTIONS</h2>
<a name="id2543508"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
Use IPv4 only even if the host machine is capable of IPv6.
<code class="option">-4</code> and <code class="option">-6</code> are mutually
exclusive.
</p></dd>
<dt><span class="term">-6</span></dt>
<dd><p>
Use IPv6 only even if the host machine is capable of IPv4.
<code class="option">-4</code> and <code class="option">-6</code> are mutually
exclusive.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
<dd><p>
Use <em class="replaceable"><code>config-file</code></em> as the
configuration file instead of the default,
<code class="filename">/etc/lwresd.conf</code>.
<font color="red">&lt;term&gt;-c&lt;/term&gt;</font> can not be used with <font color="red">&lt;term&gt;-C&lt;/term&gt;</font>.
</p></dd>
<dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
<dd><p>
Use <em class="replaceable"><code>config-file</code></em> as the
configuration file instead of the default,
<code class="filename">/etc/resolv.conf</code>.
<font color="red">&lt;term&gt;-C&lt;/term&gt;</font> can not be used with <font color="red">&lt;term&gt;-c&lt;/term&gt;</font>.
</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
<dd><p>
@ -90,6 +111,23 @@
Run the server in the foreground and force all logging
to <code class="filename">stderr</code>.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>pid-file</code></em></span></dt>
<dd><p>
Use <em class="replaceable"><code>pid-file</code></em> as the
PID file instead of the default,
<code class="filename">/var/run/lwresd.pid</code>.
</p></dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Turn on memory usage debugging flags. Possible flags are
<em class="replaceable"><code>usage</code></em>,
<em class="replaceable"><code>trace</code></em>,
<em class="replaceable"><code>record</code></em>,
<em class="replaceable"><code>size</code></em>, and
<em class="replaceable"><code>mctx</code></em>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<code class="filename">&lt;isc/mem.h&gt;</code>.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
<dd><p>
Create <em class="replaceable"><code>#cpus</code></em> worker threads
@ -129,7 +167,7 @@
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p><code class="function">chroot()</code>
<p>Chroot
to <em class="replaceable"><code>directory</code></em> after
processing the command line arguments, but before
reading the configuration file.
@ -140,14 +178,14 @@
This option should be used in conjunction with the
<code class="option">-u</code> option, as chrooting a process
running as root doesn't enhance security on most
systems; the way <code class="function">chroot()</code> is
systems; the way <code class="function">chroot(2)</code> is
defined allows a process with root privileges to
escape a chroot jail.
</p>
</div>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd><p><code class="function">setuid()</code>
<dd><p>Setuid
to <em class="replaceable"><code>user</code></em> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
@ -159,7 +197,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543746"></a><h2>FILES</h2>
<a name="id2543925"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
<dd><p>
@ -172,14 +210,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543785"></a><h2>SEE ALSO</h2>
<a name="id2543964"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543819"></a><h2>AUTHOR</h2>
<a name="id2543998"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

29
contrib/bind9/bin/named/named.8
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: named.8,v 1.20.18.12 2007/01/30 00:23:44 marka Exp $
.\" $Id: named.8,v 1.20.18.15 2007/06/20 02:26:58 marka Exp $
.\"
.hy 0
.ad l
@ -33,7 +33,7 @@
named \- Internet domain name server
.SH "SYNOPSIS"
.HP 6
\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\fR
@ -94,6 +94,17 @@ Run the server in the foreground and force all logging to
\fIstderr\fR.
.RE
.PP
\-m \fIflag\fR
.RS 4
Turn on memory usage debugging flags. Possible flags are
\fIusage\fR,
\fItrace\fR,
\fIrecord\fR,
\fIsize\fR, and
\fImctx\fR. These correspond to the ISC_MEM_DEBUGXXXX flags described in
\fI<isc/mem.h>\fR.
.RE
.PP
\-n \fI#cpus\fR
.RS 4
Create
@ -122,8 +133,7 @@ This option is mainly of interest to BIND 9 developers and may be removed or cha
.PP
\-t \fIdirectory\fR
.RS 4
\fBchroot()\fR
to
Chroot to
\fIdirectory\fR
after processing the command line arguments, but before reading the configuration file.
.RS
@ -131,15 +141,14 @@ after processing the command line arguments, but before reading the configuratio
This option should be used in conjunction with the
\fB\-u\fR
option, as chrooting a process running as root doesn't enhance security on most systems; the way
\fBchroot()\fR
\fBchroot(2)\fR
is defined allows a process with root privileges to escape a chroot jail.
.RE
.RE
.PP
\-u \fIuser\fR
.RS 4
\fBsetuid()\fR
to
Setuid to
\fIuser\fR
after completing privileged operations, such as creating sockets that listen on privileged ports.
.RS
@ -147,13 +156,13 @@ after completing privileged operations, such as creating sockets that listen on
On Linux,
\fBnamed\fR
uses the kernel's capability mechanism to drop all root privileges except the ability to
\fBbind()\fR
\fBbind(2)\fR
to a privileged port and set process resource limits. Unfortunately, this means that the
\fB\-u\fR
option only works when
\fBnamed\fR
is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
\fBsetuid()\fR.
\fBsetuid(2)\fR.
.RE
.RE
.PP
@ -211,6 +220,8 @@ The default process\-id file.
RFC 1033,
RFC 1034,
RFC 1035,
\fBnamed\-checkconf\fR(8),
\fBnamed\-checkzone\fR(8),
\fBrndc\fR(8),
\fBlwresd\fR(8),
\fBnamed.conf\fR(5),

8
contrib/bind9/bin/named/named.conf.5
View File

@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: named.conf.5,v 1.1.2.23 2007/01/30 00:23:44 marka Exp $
.\" $Id: named.conf.5,v 1.1.2.26 2007/08/19 23:26:13 marka Exp $
.\"
.hy 0
.ad l
@ -253,6 +253,7 @@ options {
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
update\-check\-ksk \fIboolean\fR;
masterfile\-format ( text | raw );
notify \fInotifytype\fR;
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
@ -386,6 +387,7 @@ view \fIstring\fR \fIoptional_class\fR {
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
update\-check\-ksk \fIboolean\fR;
masterfile\-format ( text | raw );
notify \fInotifytype\fR;
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
@ -462,6 +464,7 @@ zone \fIstring\fR \fIoptional_class\fR {
\fIrrtypelist\fR; ...
};
update\-check\-ksk \fIboolean\fR;
masterfile\-format ( text | raw );
notify \fInotifytype\fR;
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
@ -509,8 +512,9 @@ zone \fIstring\fR \fIoptional_class\fR {
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed\-checkconf\fR(8),
\fBrndc\fR(8),
\fBBIND 9 Administrator Reference Manual\fR().
BIND 9 Administrator Reference Manual.
.SH "COPYRIGHT"
Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
.br

14
contrib/bind9/bin/named/named.conf.docbook
View File

@ -4,7 +4,7 @@
<!--
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.1.2.25 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: named.conf.docbook,v 1.1.2.29 2007/08/28 07:20:01 tbox Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
@ -284,6 +284,7 @@ options {
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
@ -432,6 +433,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
@ -518,6 +520,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
};
update-check-ksk <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
@ -578,11 +581,12 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>BIND 9 Administrator Reference Manual</refentrytitle>
</citerefentry>.
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>

16
contrib/bind9/bin/named/named.conf.html
View File

@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.html,v 1.1.2.32 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: named.conf.html,v 1.1.2.35 2007/08/19 23:26:13 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -255,6 +255,7 @@ options
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
<br>
masterfile-format ( text | raw );<br>
notify <em class="replaceable"><code>notifytype</code></em>;<br>
notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
@ -312,7 +313,7 @@ options
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544400"></a><h2>VIEW</h2>
<a name="id2544401"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -402,6 +403,7 @@ view
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
<br>
masterfile-format ( text | raw );<br>
notify <em class="replaceable"><code>notifytype</code></em>;<br>
notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
@ -451,7 +453,7 @@ view
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544964"></a><h2>ZONE</h2>
<a name="id2544966"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
type ( master | slave | stub | hint |<br>
@ -487,6 +489,7 @@ zone
};<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
<br>
masterfile-format ( text | raw );<br>
notify <em class="replaceable"><code>notifytype</code></em>;<br>
notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
@ -535,15 +538,16 @@ zone
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2545316"></a><h2>FILES</h2>
<a name="id2545319"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545328"></a><h2>SEE ALSO</h2>
<a name="id2545331"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">BIND 9 Administrator Reference Manual</span></span>.
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>

39
contrib/bind9/bin/named/named.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.docbook,v 1.7.18.8 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: named.docbook,v 1.7.18.12 2007/08/28 07:20:01 tbox Exp $ -->
<refentry id="man.named">
<refentryinfo>
<date>June 30, 2000</date>
@ -60,6 +60,7 @@
<arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg><option>-g</option></arg>
<arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg><option>-s</option></arg>
@ -158,6 +159,22 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Turn on memory usage debugging flags. Possible flags are
<replaceable class="parameter">usage</replaceable>,
<replaceable class="parameter">trace</replaceable>,
<replaceable class="parameter">record</replaceable>,
<replaceable class="parameter">size</replaceable>, and
<replaceable class="parameter">mctx</replaceable>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<filename>&lt;isc/mem.h&gt;</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">#cpus</replaceable></term>
<listitem>
@ -200,7 +217,7 @@
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para><function>chroot()</function>
<para>Chroot
to <replaceable class="parameter">directory</replaceable> after
processing the command line arguments, but before
reading the configuration file.
@ -210,7 +227,7 @@
This option should be used in conjunction with the
<option>-u</option> option, as chrooting a process
running as root doesn't enhance security on most
systems; the way <function>chroot()</function> is
systems; the way <function>chroot(2)</function> is
defined allows a process with root privileges to
escape a chroot jail.
</para>
@ -221,7 +238,7 @@
<varlistentry>
<term>-u <replaceable class="parameter">user</replaceable></term>
<listitem>
<para><function>setuid()</function>
<para>Setuid
to <replaceable class="parameter">user</replaceable> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
@ -230,7 +247,7 @@
<para>
On Linux, <command>named</command> uses the kernel's
capability mechanism to drop all root privileges
except the ability to <function>bind()</function> to
except the ability to <function>bind(2)</function> to
a
privileged port and set process resource limits.
Unfortunately, this means that the <option>-u</option>
@ -238,7 +255,7 @@
run
on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
later, since previous kernels did not allow privileges
to be retained after <function>setuid()</function>.
to be retained after <function>setuid(2)</function>.
</para>
</note>
</listitem>
@ -352,6 +369,14 @@
<para><citetitle>RFC 1033</citetitle>,
<citetitle>RFC 1034</citetitle>,
<citetitle>RFC 1035</citetitle>,
<citerefentry>
<refentrytitle>named-checkconf</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkzone</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc</refentrytitle>
<manvolnum>8</manvolnum>

41
contrib/bind9/bin/named/named.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.html,v 1.6.18.18 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: named.html,v 1.6.18.21 2007/06/20 02:26:58 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -29,10 +29,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543444"></a><h2>DESCRIPTION</h2>
<a name="id2543452"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@ -47,7 +47,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543468"></a><h2>OPTIONS</h2>
<a name="id2543477"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@ -88,6 +88,17 @@
Run the server in the foreground and force all logging
to <code class="filename">stderr</code>.
</p></dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Turn on memory usage debugging flags. Possible flags are
<em class="replaceable"><code>usage</code></em>,
<em class="replaceable"><code>trace</code></em>,
<em class="replaceable"><code>record</code></em>,
<em class="replaceable"><code>size</code></em>, and
<em class="replaceable"><code>mctx</code></em>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<code class="filename">&lt;isc/mem.h&gt;</code>.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
<dd><p>
Create <em class="replaceable"><code>#cpus</code></em> worker threads
@ -117,7 +128,7 @@
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p><code class="function">chroot()</code>
<p>Chroot
to <em class="replaceable"><code>directory</code></em> after
processing the command line arguments, but before
reading the configuration file.
@ -128,7 +139,7 @@
This option should be used in conjunction with the
<code class="option">-u</code> option, as chrooting a process
running as root doesn't enhance security on most
systems; the way <code class="function">chroot()</code> is
systems; the way <code class="function">chroot(2)</code> is
defined allows a process with root privileges to
escape a chroot jail.
</p>
@ -136,7 +147,7 @@
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd>
<p><code class="function">setuid()</code>
<p>Setuid
to <em class="replaceable"><code>user</code></em> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
@ -146,7 +157,7 @@
<p>
On Linux, <span><strong class="command">named</strong></span> uses the kernel's
capability mechanism to drop all root privileges
except the ability to <code class="function">bind()</code> to
except the ability to <code class="function">bind(2)</code> to
a
privileged port and set process resource limits.
Unfortunately, this means that the <code class="option">-u</code>
@ -154,7 +165,7 @@
run
on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
later, since previous kernels did not allow privileges
to be retained after <code class="function">setuid()</code>.
to be retained after <code class="function">setuid(2)</code>.
</p>
</div>
</dd>
@ -180,7 +191,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543813"></a><h2>SIGNALS</h2>
<a name="id2543864"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@ -201,7 +212,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543861"></a><h2>CONFIGURATION</h2>
<a name="id2543912"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@ -210,7 +221,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543878"></a><h2>FILES</h2>
<a name="id2543929"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@ -223,10 +234,12 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543917"></a><h2>SEE ALSO</h2>
<a name="id2543969"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
@ -234,7 +247,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543969"></a><h2>AUTHOR</h2>
<a name="id2544039"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

40
contrib/bind9/bin/named/query.c
View File

@ -2,7 +2,7 @@
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.257.18.36.12.1 2007/04/30 01:10:19 marka Exp $ */
/* $Id: query.c,v 1.257.18.40 2007/09/26 03:08:14 each Exp $ */
/*! \file */
@ -2592,7 +2592,9 @@ query_addbestns(ns_client_t *client) {
}
static void
query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) {
query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
dns_dbversion_t *version)
{
dns_name_t *rname;
dns_rdataset_t *rdataset, *sigrdataset;
isc_result_t result;
@ -2613,12 +2615,12 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) {
/*
* Look for the DS record, which may or may not be present.
*/
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0,
result = dns_db_findrdataset(db, node, version, dns_rdatatype_ds, 0,
client->now, rdataset, sigrdataset);
/*
* If we didn't find it, look for an NSEC. */
if (result == ISC_R_NOTFOUND)
result = dns_db_findrdataset(db, node, NULL,
result = dns_db_findrdataset(db, node, version,
dns_rdatatype_nsec, 0, client->now,
rdataset, sigrdataset);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
@ -2657,7 +2659,8 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) {
static void
query_addwildcardproof(ns_client_t *client, dns_db_t *db,
dns_name_t *name, isc_boolean_t ispositive)
dns_dbversion_t *version, dns_name_t *name,
isc_boolean_t ispositive)
{
isc_buffer_t *dbuf, b;
dns_name_t *fname;
@ -2738,7 +2741,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
goto cleanup;
result = dns_db_find(db, name, NULL, dns_rdatatype_nsec, options,
result = dns_db_find(db, name, version, dns_rdatatype_nsec, options,
0, &node, fname, rdataset, sigrdataset);
if (node != NULL)
dns_db_detachnode(db, &node);
@ -2790,8 +2793,9 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
}
static void
query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db, dns_name_t **namep,
dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
dns_dbversion_t *version, dns_name_t **namep,
dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
{
dns_name_t *name;
dns_rdataset_t *sigrdataset;
@ -2828,8 +2832,7 @@ query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db, dns_name_t **namep,
return;
/* XXX */
query_addwildcardproof(client, db,
client->query.qname,
query_addwildcardproof(client, db, version, client->query.qname,
ISC_TRUE);
/*
@ -3705,7 +3708,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dbuf, DNS_SECTION_AUTHORITY);
client->query.gluedb = NULL;
if (WANTDNSSEC(client) && dns_db_issecure(db))
query_addds(client, db, node);
query_addds(client, db, node, version);
} else {
/*
* We might have a better answer or delegation
@ -3809,7 +3812,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
client->query.attributes &=
~NS_QUERYATTR_CACHEGLUEOK;
if (WANTDNSSEC(client))
query_addds(client, db, node);
query_addds(client, db, node, version);
}
}
goto cleanup;
@ -3846,8 +3849,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
if (WANTDNSSEC(client)) {
if (dns_rdataset_isassociated(rdataset))
query_addnxrrsetnsec(client, db, &fname,
&rdataset, &sigrdataset);
query_addnxrrsetnsec(client, db, version,
&fname, &rdataset,
&sigrdataset);
}
goto cleanup;
case DNS_R_EMPTYWILD:
@ -3896,7 +3900,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
query_addrrset(client, &fname, &rdataset,
&sigrdataset,
NULL, DNS_SECTION_AUTHORITY);
query_addwildcardproof(client, db,
query_addwildcardproof(client, db, version,
client->query.qname,
ISC_FALSE);
}
@ -4305,7 +4309,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* DNSSEC wildcard proofs.
*/
if (need_wildcardproof && dns_db_issecure(db))
query_addwildcardproof(client, db,
query_addwildcardproof(client, db, version,
dns_fixedname_name(&wildcardname),
ISC_TRUE);
cleanup:
@ -4590,7 +4594,7 @@ ns_query_start(ns_client_t *client) {
* Set AD. We must clear it if we add non-validated data to a
* response.
*/
if (client->view->enablednssec)
if (WANTDNSSEC(client))
message->flags |= DNS_MESSAGEFLAG_AD;
qclient = NULL;

37
contrib/bind9/bin/named/server.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.419.18.49.12.2 2007/07/09 02:23:16 marka Exp $ */
/* $Id: server.c,v 1.419.18.57 2007/08/28 07:20:01 tbox Exp $ */
/*! \file */
@ -1773,6 +1773,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
empty_dbtype, mctx);
if (zone != NULL) {
dns_zone_setview(zone, view);
CHECK(dns_view_addzone(view, zone));
dns_zone_detach(&zone);
continue;
}
@ -3977,6 +3978,7 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
type = dns_zone_gettype(zone);
if (type == dns_zone_slave || type == dns_zone_stub) {
dns_zone_refresh(zone);
dns_zone_detach(&zone);
msg = "zone refresh queued";
} else {
result = dns_zone_load(zone);
@ -4593,7 +4595,8 @@ isc_result_t
ns_server_flushcache(ns_server_t *server, char *args) {
char *ptr, *viewname;
dns_view_t *view;
isc_boolean_t flushed = ISC_FALSE;
isc_boolean_t flushed;
isc_boolean_t found;
isc_result_t result;
/* Skip the command name. */
@ -4606,22 +4609,27 @@ ns_server_flushcache(ns_server_t *server, char *args) {
result = isc_task_beginexclusive(server->task);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
flushed = ISC_TRUE;
found = ISC_FALSE;
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
continue;
found = ISC_TRUE;
result = dns_view_flushcache(view);
if (result != ISC_R_SUCCESS)
goto out;
flushed = ISC_TRUE;
flushed = ISC_FALSE;
}
if (flushed)
if (flushed && found) {
result = ISC_R_SUCCESS;
else
result = ISC_R_FAILURE;
out:
} else {
if (!found)
result = ISC_R_NOTFOUND;
else
result = ISC_R_FAILURE;
}
isc_task_endexclusive(server->task);
return (result);
}
@ -4630,7 +4638,8 @@ isc_result_t
ns_server_flushname(ns_server_t *server, char *args) {
char *ptr, *target, *viewname;
dns_view_t *view;
isc_boolean_t flushed = ISC_FALSE;
isc_boolean_t flushed;
isc_boolean_t found;
isc_result_t result;
isc_buffer_t b;
dns_fixedname_t fixed;
@ -4660,18 +4669,22 @@ ns_server_flushname(ns_server_t *server, char *args) {
result = isc_task_beginexclusive(server->task);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
flushed = ISC_TRUE;
found = ISC_FALSE;
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
continue;
found = ISC_TRUE;
result = dns_view_flushname(view, name);
if (result != ISC_R_SUCCESS)
flushed = ISC_FALSE;
}
if (flushed)
if (flushed && found)
result = ISC_R_SUCCESS;
else if (!found)
result = ISC_R_NOTFOUND;
else
result = ISC_R_FAILURE;
isc_task_endexclusive(server->task);

13
contrib/bind9/bin/named/update.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.109.18.19 2006/03/06 01:38:00 marka Exp $ */
/* $Id: update.c,v 1.109.18.23 2007/08/28 07:20:01 tbox Exp $ */
#include <config.h>
@ -1675,6 +1675,9 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
if (check_ksk && type != dns_rdatatype_dnskey &&
(dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
continue;
if (!dst_key_isprivate(keys[i]))
continue;
/* Calculate the signature, creating a RRSIG RDATA. */
CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
@ -2186,7 +2189,7 @@ remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
for (t = ISC_LIST_HEAD(diff->tuples);
t != NULL;
t = ISC_LIST_NEXT(t, link)) {
if (t->op != DNS_DIFFOP_DEL ||
if (t->op != DNS_DIFFOP_ADD ||
t->rdata.type != dns_rdatatype_ns)
continue;
CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
@ -2237,7 +2240,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone,
for (t = ISC_LIST_HEAD(diff->tuples);
t != NULL;
t = ISC_LIST_NEXT(t, link)) {
if (t->op != DNS_DIFFOP_DEL ||
if (t->op != DNS_DIFFOP_ADD ||
t->rdata.type != dns_rdatatype_mx)
continue;

18
contrib/bind9/bin/nsupdate/nsupdate.8
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: nsupdate.8,v 1.30.18.13 2007/01/30 00:23:44 marka Exp $
.\" $Id: nsupdate.8,v 1.30.18.14 2007/05/09 03:33:13 marka Exp $
.\"
.hy 0
.ad l
@ -55,7 +55,7 @@ operate in debug mode. This provides tracing information about the update reques
.PP
Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to
\fBnsupdate\fR
and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance suitable
and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
\fBkey\fR
and
\fBserver\fR
@ -106,15 +106,15 @@ use a TCP connection. This may be preferable when a batch of update requests is
.PP
The
\fB\-t\fR
option sets the maximum time a update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
.PP
The
\fB\-u\fR
option sets the UDP retry interval. The default is 3 seconds. If zero the interval will be computed from the timeout interval and number of UDP retries.
option sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.
.PP
The
\fB\-r\fR
option sets the number of UDP retries. The default is 3. If zero only one update request will be made.
option sets the number of UDP retries. The default is 3. If zero, only one update request will be made.
.SH "INPUT FORMAT"
.PP
\fBnsupdate\fR
@ -164,13 +164,13 @@ will attempt determine the correct zone to update based on the rest of the input
.RS 4
Specify the default class. If no
\fIclass\fR
is specified the default class is
is specified, the default class is
\fIIN\fR.
.RE
.PP
\fBkey\fR {name} {secret}
.RS 4
Specifies that all updates are to be TSIG signed using the
Specifies that all updates are to be TSIG\-signed using the
\fIkeyname\fR
\fIkeysecret\fR
pair. The
@ -293,9 +293,9 @@ zone. Notice that the input in each example contains a trailing blank line so th
.PP
Any A records for
\fBoldhost.example.com\fR
are deleted. and an A record for
are deleted. And an A record for
\fBnewhost.example.com\fR
it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds)
with IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds).
.sp
.RS 4
.nf

15
contrib/bind9/bin/nsupdate/nsupdate.c
View File

@ -1,8 +1,8 @@
/*
* Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsupdate.c,v 1.130.18.15 2006/12/07 05:39:45 marka Exp $ */
/* $Id: nsupdate.c,v 1.130.18.19 2007/08/28 07:20:01 tbox Exp $ */
/*! \file */
@ -1565,8 +1565,11 @@ user_interaction(void) {
isc_uint16_t result = STATUS_MORE;
ddebug("user_interaction()");
while ((result == STATUS_MORE) || (result == STATUS_SYNTAX))
while ((result == STATUS_MORE) || (result == STATUS_SYNTAX)) {
result = get_next_command();
if (!interactive && result == STATUS_SYNTAX)
fatal("syntax error");
}
if (result == STATUS_SEND)
return (ISC_TRUE);
return (ISC_FALSE);
@ -2063,6 +2066,10 @@ start_update(void) {
result = dns_message_firstname(updatemsg, section);
}
if (result != ISC_R_SUCCESS) {
dns_message_puttempname(soaquery, &name);
dns_rdataset_disassociate(rdataset);
dns_message_puttemprdataset(soaquery, &rdataset);
dns_message_destroy(&soaquery);
done_update();
return;
}

22
contrib/bind9/bin/nsupdate/nsupdate.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nsupdate.docbook,v 1.18.18.8 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: nsupdate.docbook,v 1.18.18.10 2007/08/28 07:20:01 tbox Exp $ -->
<refentry>
<refentryinfo>
<date>Jun 30, 2000</date>
@ -112,7 +112,7 @@
Once other algorithms are defined for TSIG, applications will need to
ensure they select the appropriate algorithm as well as the key when
authenticating each other.
For instance suitable
For instance, suitable
<type>key</type>
and
<type>server</type>
@ -170,7 +170,7 @@
This may be preferable when a batch of update requests is made.
</para>
<para>
The <option>-t</option> option sets the maximum time a update request
The <option>-t</option> option sets the maximum time an update request
can
take before it is aborted. The default is 300 seconds. Zero can be
used
@ -179,14 +179,14 @@
<para>
The <option>-u</option> option sets the UDP retry interval. The default
is
3 seconds. If zero the interval will be computed from the timeout
3 seconds. If zero, the interval will be computed from the timeout
interval
and number of UDP retries.
</para>
<para>
The <option>-r</option> option sets the number of UDP retries. The
default is
3. If zero only one update request will be made.
3. If zero, only one update request will be made.
</para>
</refsect1>
@ -297,7 +297,7 @@
<listitem>
<para>
Specify the default class.
If no <parameter>class</parameter> is specified the
If no <parameter>class</parameter> is specified, the
default class is
<parameter>IN</parameter>.
</para>
@ -312,7 +312,7 @@
</term>
<listitem>
<para>
Specifies that all updates are to be TSIG signed using the
Specifies that all updates are to be TSIG-signed using the
<parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
The <command>key</command> command
overrides any key specified on the command line via
@ -543,10 +543,10 @@
Any A records for
<type>oldhost.example.com</type>
are deleted.
and an A record for
And an A record for
<type>newhost.example.com</type>
it IP address 172.16.1.1 is added.
The newly-added record has a 1 day TTL (86400 seconds)
with IP address 172.16.1.1 is added.
The newly-added record has a 1 day TTL (86400 seconds).
<programlisting>
# nsupdate
&gt; prereq nxdomain nickname.example.com

28
contrib/bind9/bin/nsupdate/nsupdate.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nsupdate.html,v 1.14.18.21 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: nsupdate.html,v 1.14.18.22 2007/05/09 03:33:13 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -77,7 +77,7 @@
Once other algorithms are defined for TSIG, applications will need to
ensure they select the appropriate algorithm as well as the key when
authenticating each other.
For instance suitable
For instance, suitable
<span class="type">key</span>
and
<span class="type">server</span>
@ -133,7 +133,7 @@
This may be preferable when a batch of update requests is made.
</p>
<p>
The <code class="option">-t</code> option sets the maximum time a update request
The <code class="option">-t</code> option sets the maximum time an update request
can
take before it is aborted. The default is 300 seconds. Zero can be
used
@ -142,14 +142,14 @@
<p>
The <code class="option">-u</code> option sets the UDP retry interval. The default
is
3 seconds. If zero the interval will be computed from the timeout
3 seconds. If zero, the interval will be computed from the timeout
interval
and number of UDP retries.
</p>
<p>
The <code class="option">-r</code> option sets the number of UDP retries. The
default is
3. If zero only one update request will be made.
3. If zero, only one update request will be made.
</p>
</div>
<div class="refsect1" lang="en">
@ -242,7 +242,7 @@
</span></dt>
<dd><p>
Specify the default class.
If no <em class="parameter"><code>class</code></em> is specified the
If no <em class="parameter"><code>class</code></em> is specified, the
default class is
<em class="parameter"><code>IN</code></em>.
</p></dd>
@ -252,7 +252,7 @@
{secret}
</span></dt>
<dd><p>
Specifies that all updates are to be TSIG signed using the
Specifies that all updates are to be TSIG-signed using the
<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair.
The <span><strong class="command">key</strong></span> command
overrides any key specified on the command line via
@ -402,7 +402,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544649"></a><h2>EXAMPLES</h2>
<a name="id2544648"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@ -428,10 +428,10 @@
Any A records for
<span class="type">oldhost.example.com</span>
are deleted.
and an A record for
And an A record for
<span class="type">newhost.example.com</span>
it IP address 172.16.1.1 is added.
The newly-added record has a 1 day TTL (86400 seconds)
with IP address 172.16.1.1 is added.
The newly-added record has a 1 day TTL (86400 seconds).
</p>
<pre class="programlisting">
# nsupdate
@ -456,7 +456,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544693"></a><h2>FILES</h2>
<a name="id2544692"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
@ -475,7 +475,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544830"></a><h2>SEE ALSO</h2>
<a name="id2544829"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
@ -488,7 +488,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544901"></a><h2>BUGS</h2>
<a name="id2544900"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library

4
contrib/bind9/bin/rndc/Makefile.in
View File

@ -1,7 +1,7 @@
# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.40.18.3 2007/01/19 00:55:49 marka Exp $
# $Id: Makefile.in,v 1.40.18.4 2007/08/28 07:20:01 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@

4
contrib/bind9/bin/rndc/rndc-confgen.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc-confgen.docbook,v 1.6.18.6 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: rndc-confgen.docbook,v 1.6.18.7 2007/08/28 07:20:01 tbox Exp $ -->
<refentry id="man.rndc-confgen">
<refentryinfo>
<date>Aug 27, 2001</date>

19
contrib/bind9/bin/rndc/rndc.8
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: rndc.8,v 1.26.18.12 2007/01/30 00:23:44 marka Exp $
.\" $Id: rndc.8,v 1.26.18.15 2007/06/20 02:26:58 marka Exp $
.\"
.hy 0
.ad l
@ -47,8 +47,7 @@ is invoked with no command line options or arguments, it prints a short summary
communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of
\fBrndc\fR
and
\fBnamed\fR
named the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
\fBnamed\fR, the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
.PP
\fBrndc\fR
reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
@ -85,7 +84,9 @@ does not exist.
.RS 4
\fIserver\fR
is the name or address of the server which matches a server statement in the configuration file for
\fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the option statement of the configuration file will be used.
\fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the options statement of the
\fBrndc\fR
configuration file will be used.
.RE
.PP
\-p \fIport\fR
@ -100,14 +101,14 @@ instead of BIND 9's default control channel port, 953.
Enable verbose logging.
.RE
.PP
\-y \fIkeyid\fR
\-y \fIkey_id\fR
.RS 4
Use the key
\fIkeyid\fR
\fIkey_id\fR
from the configuration file.
\fIkeyid\fR
\fIkey_id\fR
must be known by named with the same algorithm and secret string in order for control message validation to succeed. If no
\fIkeyid\fR
\fIkey_id\fR
is specified,
\fBrndc\fR
will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default\-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access.
@ -133,7 +134,7 @@ Several error messages could be clearer.
.PP
\fBrndc.conf\fR(5),
\fBnamed\fR(8),
\fBnamed.conf\fR(5)
\fBnamed.conf\fR(5),
\fBndc\fR(8),
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"

8
contrib/bind9/bin/rndc/rndc.conf.5
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: rndc.conf.5,v 1.23.18.13 2007/01/30 00:23:44 marka Exp $
.\" $Id: rndc.conf.5,v 1.23.18.15 2007/05/09 13:35:47 marka Exp $
.\"
.hy 0
.ad l
@ -88,7 +88,7 @@ keyword, the server statement includes a string which is the hostname or address
and
\fBaddresses\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an
\fBaddresses\fR
clause is supplied these addresses will be used instead of the server name. Each address can take a optional port. If an
clause is supplied these addresses will be used instead of the server name. Each address can take an optional port. If an
\fBsource\-address\fR
or
\fBsource\-address\-v6\fR
@ -156,7 +156,7 @@ does not ship with BIND 9 but is available on many systems. See the EXAMPLE sect
key testkey {
algorithm hmac\-md5;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
}
};
.fi
.RE
.sp
@ -178,7 +178,7 @@ To generate a random secret with
.PP
A complete
\fIrndc.conf\fR
file, including the randomly generated key, will be written to the standard output. Commented out
file, including the randomly generated key, will be written to the standard output. Commented\-out
\fBkey\fR
and
\fBcontrols\fR

10
contrib/bind9/bin/rndc/rndc.conf.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc.conf.docbook,v 1.5.18.9 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: rndc.conf.docbook,v 1.5.18.12 2007/08/28 07:20:01 tbox Exp $ -->
<refentry id="man.rndc.conf">
<refentryinfo>
<date>June 30, 2000</date>
@ -111,7 +111,7 @@
name of a key statement in the file. The port number
specifies the port to connect to. If an <option>addresses</option>
clause is supplied these addresses will be used instead of
the server name. Each address can take a optional port.
the server name. Each address can take an optional port.
If an <option>source-address</option> or <option>source-address-v6</option>
of supplied then these will be used to specify the IPv4 and IPv6
source addresses respectively.
@ -175,7 +175,7 @@
key testkey {
algorithm hmac-md5;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
}
};
</programlisting>
</para>
@ -202,7 +202,7 @@
A complete <filename>rndc.conf</filename> file, including
the
randomly generated key, will be written to the standard
output. Commented out <option>key</option> and
output. Commented-out <option>key</option> and
<option>controls</option> statements for
<filename>named.conf</filename> are also printed.
</para>

8
contrib/bind9/bin/rndc/rndc.conf.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc.conf.html,v 1.6.18.21 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: rndc.conf.html,v 1.6.18.23 2007/05/09 13:35:47 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -87,7 +87,7 @@
name of a key statement in the file. The port number
specifies the port to connect to. If an <code class="option">addresses</code>
clause is supplied these addresses will be used instead of
the server name. Each address can take a optional port.
the server name. Each address can take an optional port.
If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
of supplied then these will be used to specify the IPv4 and IPv6
source addresses respectively.
@ -153,7 +153,7 @@
key testkey {
algorithm hmac-md5;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
}
};
</pre>
<p>
</p>
@ -180,7 +180,7 @@
A complete <code class="filename">rndc.conf</code> file, including
the
randomly generated key, will be written to the standard
output. Commented out <code class="option">key</code> and
output. Commented-out <code class="option">key</code> and
<code class="option">controls</code> statements for
<code class="filename">named.conf</code> are also printed.
</p>

25
contrib/bind9/bin/rndc/rndc.docbook
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc.docbook,v 1.8.18.8 2007/01/29 23:57:20 marka Exp $ -->
<!-- $Id: rndc.docbook,v 1.8.18.12 2007/08/28 07:20:01 tbox Exp $ -->
<refentry id="man.rndc">
<refentryinfo>
<date>June 30, 2000</date>
@ -78,7 +78,7 @@
communicates with the name server
over a TCP connection, sending commands authenticated with
digital signatures. In the current versions of
<command>rndc</command> and <command>named</command> named
<command>rndc</command> and <command>named</command>,
the only supported authentication algorithm is HMAC-MD5,
which uses a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
@ -139,13 +139,12 @@
<term>-s <replaceable class="parameter">server</replaceable></term>
<listitem>
<para><replaceable class="parameter">server</replaceable> is
the name or address of the server which matches a
the name or address of the server which matches a
server statement in the configuration file for
<command>rndc</command>. If no server is supplied on
the
<command>rndc</command>. If no server is supplied on the
command line, the host named by the default-server clause
in the option statement of the configuration file will be
used.
in the options statement of the <command>rndc</command>
configuration file will be used.
</para>
</listitem>
</varlistentry>
@ -172,16 +171,16 @@
</varlistentry>
<varlistentry>
<term>-y <replaceable class="parameter">keyid</replaceable></term>
<term>-y <replaceable class="parameter">key_id</replaceable></term>
<listitem>
<para>
Use the key <replaceable class="parameter">keyid</replaceable>
Use the key <replaceable class="parameter">key_id</replaceable>
from the configuration file.
<replaceable class="parameter">keyid</replaceable>
<replaceable class="parameter">key_id</replaceable>
must be
known by named with the same algorithm and secret string
in order for control message validation to succeed.
If no <replaceable class="parameter">keyid</replaceable>
If no <replaceable class="parameter">key_id</replaceable>
is specified, <command>rndc</command> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
@ -230,7 +229,7 @@
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>
</citerefentry>,
<citerefentry>
<refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,

29
contrib/bind9/bin/rndc/rndc.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc.html,v 1.8.18.19 2007/01/30 00:23:44 marka Exp $ -->
<!-- $Id: rndc.html,v 1.8.18.22 2007/06/20 02:26:58 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -46,7 +46,7 @@
communicates with the name server
over a TCP connection, sending commands authenticated with
digital signatures. In the current versions of
<span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named
<span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
the only supported authentication algorithm is HMAC-MD5,
which uses a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
@ -88,13 +88,12 @@
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
the name or address of the server which matches a
the name or address of the server which matches a
server statement in the configuration file for
<span><strong class="command">rndc</strong></span>. If no server is supplied on
the
<span><strong class="command">rndc</strong></span>. If no server is supplied on the
command line, the host named by the default-server clause
in the option statement of the configuration file will be
used.
in the options statement of the <span><strong class="command">rndc</strong></span>
configuration file will be used.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
@ -107,15 +106,15 @@
<dd><p>
Enable verbose logging.
</p></dd>
<dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt>
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
<dd><p>
Use the key <em class="replaceable"><code>keyid</code></em>
Use the key <em class="replaceable"><code>key_id</code></em>
from the configuration file.
<em class="replaceable"><code>keyid</code></em>
<em class="replaceable"><code>key_id</code></em>
must be
known by named with the same algorithm and secret string
in order for control message validation to succeed.
If no <em class="replaceable"><code>keyid</code></em>
If no <em class="replaceable"><code>key_id</code></em>
is specified, <span><strong class="command">rndc</strong></span> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
@ -134,7 +133,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543652"></a><h2>LIMITATIONS</h2>
<a name="id2543656"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@ -148,16 +147,16 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543678"></a><h2>SEE ALSO</h2>
<a name="id2543683"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543725"></a><h2>AUTHOR</h2>
<a name="id2543730"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

29
contrib/bind9/configure.in
View File

@ -1,7 +1,7 @@
# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
AC_REVISION($Revision: 1.355.18.67 $)
AC_REVISION($Revision: 1.355.18.71 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
@ -429,6 +429,21 @@ case "$use_openssl" in
*-hp-hpux*)
DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
;;
*-apple-darwin*)
#
# Apple's ld seaches for serially for dynamic
# then static libraries. This means you can't
# use -L to override dynamic system libraries
# with static ones when linking. Instead
# we specify a absolute path.
#
if test -f "$use_openssl/lib/libcrypto.dylib"
then
DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
else
DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
fi
;;
*)
DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
;;
@ -1865,6 +1880,13 @@ case "$hack_shutup_stdargcast" in
;;
esac
AC_CHECK_HEADERS(strings.h,
ISC_PLATFORM_HAVESTRINGSH="#define ISC_PLATFORM_HAVESTRINGSH 1"
,
ISC_PLATFORM_HAVESTRINGSH="#undef ISC_PLATFORM_HAVESTRINGSH"
)
AC_SUBST(ISC_PLATFORM_HAVESTRINGSH)
#
# Check for if_nametoindex() for IPv6 scoped addresses support
#
@ -2424,6 +2446,9 @@ AC_CONFIG_FILES([
lib/isc/$thread_dir/Makefile
lib/isc/$thread_dir/include/Makefile
lib/isc/$thread_dir/include/isc/Makefile
lib/isc/$arch/Makefile
lib/isc/$arch/include/Makefile
lib/isc/$arch/include/isc/Makefile
lib/isccc/Makefile
lib/isccc/include/Makefile
lib/isccc/include/isccc/Makefile

251
contrib/bind9/doc/arm/Bv9ARM-book.xml
View File

@ -5,7 +5,7 @@
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.66.10.1 2007/07/09 02:23:16 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.82 2007/09/26 03:28:27 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@ -91,8 +91,8 @@
security considerations, and
<emphasis>Section 8</emphasis> contains troubleshooting help. The
main body of the document is followed by several
<emphasis>Appendices</emphasis> which contain useful reference
information, such as a <emphasis>Bibliography</emphasis> and
<emphasis>appendices</emphasis> which contain useful reference
information, such as a <emphasis>bibliography</emphasis> and
historic information related to <acronym>BIND</acronym>
and the Domain Name
System.
@ -229,8 +229,8 @@
<title>The Domain Name System (<acronym>DNS</acronym>)</title>
<para>
The purpose of this document is to explain the installation
and upkeep of the <acronym>BIND</acronym> software
package, and we
and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
Name Domain) software package, and we
begin by reviewing the fundamentals of the Domain Name System
(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
</para>
@ -464,7 +464,7 @@
<title>Caching Name Servers</title>
<!--
- Terminology here is inconsistant. Probably ought to
- Terminology here is inconsistent. Probably ought to
- convert to using "recursive name server" everywhere
- with just a note about "caching" terminology.
-->
@ -600,7 +600,7 @@
traffic.
Additionally, if additional section caching
(<xref linkend="acache"/>) is enabled,
the <command>max-acache-size</command> can be used to
the <command>max-acache-size</command> option can be used to
limit the amount
of memory used by the mechanism.
It is still good practice to have enough memory to load
@ -741,8 +741,8 @@ zone "eng.example.com" {
<para>
A primitive form of load balancing can be achieved in
the <acronym>DNS</acronym> by using multiple A records for
one name.
the <acronym>DNS</acronym> by using multiple records
(such as multiple A records) for one name.
</para>
<para>
@ -955,12 +955,15 @@ zone "eng.example.com" {
</para>
<cmdsynopsis label="Usage">
<command>host</command>
<arg>-aCdlrTwv</arg>
<arg>-aCdlnrsTwv</arg>
<arg>-c <replaceable>class</replaceable></arg>
<arg>-N <replaceable>ndots</replaceable></arg>
<arg>-t <replaceable>type</replaceable></arg>
<arg>-W <replaceable>timeout</replaceable></arg>
<arg>-R <replaceable>retries</replaceable></arg>
<arg>-m <replaceable>flag</replaceable></arg>
<arg>-4</arg>
<arg>-6</arg>
<arg choice="plain"><replaceable>hostname</replaceable></arg>
<arg><replaceable>server</replaceable></arg>
</cmdsynopsis>
@ -1085,6 +1088,12 @@ zone "eng.example.com" {
(<command>rndc</command>) program allows the
system
administrator to control the operation of a name server.
Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
supports all the commands of the BIND 8 <command>ndc</command>
utility except <command>ndc start</command> and
<command>ndc restart</command>, which were also
not supported in <command>ndc</command>'s
channel mode.
If you run <command>rndc</command> without any
options
it will display a usage message as follows:
@ -1356,15 +1365,6 @@ zone "eng.example.com" {
</variablelist>
<para>
In <acronym>BIND</acronym> 9.2, <command>rndc</command>
supports all the commands of the BIND 8 <command>ndc</command>
utility except <command>ndc start</command> and
<command>ndc restart</command>, which were also
not supported in <command>ndc</command>'s
channel mode.
</para>
<para>
A configuration file is required, since all
communication with the server is authenticated with
@ -1743,7 +1743,7 @@ controls {
However, since listing addresses of internal servers that
external clients cannot possibly reach can result in
connection delays and other annoyances, an organization may
choose to use a Split DNS to present a consistant view of itself
choose to use a Split DNS to present a consistent view of itself
to the outside world.
</para>
<para>
@ -1753,9 +1753,8 @@ controls {
on the Internet. Split DNS can also be used to allow mail from outside
back in to the internal network.
</para>
<para>
Here is an example of a split DNS setup:
</para>
<sect2>
<title>Example split DNS setup</title>
<para>
Let's say a company named <emphasis>Example, Inc.</emphasis>
(<literal>example.com</literal>)
@ -1990,6 +1989,7 @@ nameserver 172.16.72.3
nameserver 172.16.72.4
</programlisting>
</sect2>
</sect1>
<sect1 id="tsig">
<title>TSIG</title>
@ -2187,7 +2187,7 @@ allow-update { key host1-host2. ;};
outside of the allowed range, the response will be signed with
the TSIG extended error code set to BADTIME, and the time values
will be adjusted so that the response can be successfully
verified. In any of these cases, the message's rcode is set to
verified. In any of these cases, the message's rcode (response code) is set to
NOTAUTH (not authenticated).
</para>
@ -2266,7 +2266,7 @@ allow-update { key host1-host2. ;};
<para>
Cryptographic authentication of DNS information is possible
through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
defined in RFC 4033, RFC 4034 and RFC 4035.
defined in RFC 4033, RFC 4034, and RFC 4035.
This section describes the creation and use of DNSSEC signed zones.
</para>
@ -2334,7 +2334,7 @@ allow-update { key host1-host2. ;};
<filename>Kchild.example.+005+12345.key</filename> and
<filename>Kchild.example.+005+12345.private</filename>
(where
12345 is an example of a key tag). The key file names contain
12345 is an example of a key tag). The key filenames contain
the key name (<filename>child.example.</filename>),
algorithm (3
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
@ -2402,7 +2402,7 @@ allow-update { key host1-host2. ;};
<para><command>dnssec-signzone</command>
will also produce a keyset and dsset files and optionally a
dlvset file. These are used to provide the parent zone
administators with the <literal>DNSKEYs</literal> (or their
administrators with the <literal>DNSKEYs</literal> (or their
corresponding <literal>DS</literal> records) that are the
secure entry point to the zone.
</para>
@ -2421,7 +2421,7 @@ allow-update { key host1-host2. ;};
<para>
To enable <command>named</command> to validate answers from
other servers both <command>dnssec-enable</command> and
<command>dnssec-validate</command> must be set and some
<command>dnssec-validation</command> must be set and some
<command>trusted-keys</command> must be configured
into <filename>named.conf</filename>.
</para>
@ -2840,7 +2840,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<entry colname="2">
<para>
An IP port <varname>number</varname>.
<varname>number</varname> is limited to 0
The <varname>number</varname> is limited to 0
through 65535, with values
below 1024 typically restricted to use by processes running
as root.
@ -3109,7 +3109,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<para>
The <acronym>BIND</acronym> 9 comment syntax allows for
comments to appear
anywhere that white space may appear in a <acronym>BIND</acronym> configuration
anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
file. To appeal to programmers of all kinds, they can be written
in the C, C++, or shell/perl style.
</para>
@ -3126,7 +3126,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<sect3>
<title>Definition and Usage</title>
<para>
Comments may appear anywhere that white space may appear in
Comments may appear anywhere that whitespace may appear in
a <acronym>BIND</acronym> configuration file.
</para>
<para>
@ -3649,7 +3649,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
and <literal>hmac-sha512</literal> TSIG authentication.
Truncated hashes are supported by appending the minimum
number of required bits preceeded by a dash, e.g.
number of required bits preceded by a dash, e.g.
<literal>hmac-sha1-80</literal>. The
<replaceable>secret_string</replaceable> is the secret
to be used by the algorithm, and is treated as a base-64
@ -4289,7 +4289,7 @@ category notify { null; };
The <command>lwres</command> statement configures the
name
server to also act as a lightweight resolver server. (See
<xref linkend="lwresd"/>.) There may be be multiple
<xref linkend="lwresd"/>.) There may be multiple
<command>lwres</command> statements configuring
lightweight resolver servers with different properties.
</para>
@ -4376,6 +4376,7 @@ category notify { null; };
<optional> dump-file <replaceable>path_name</replaceable>; </optional>
<optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
<optional> pid-file <replaceable>path_name</replaceable>; </optional>
<optional> recursing-file <replaceable>path_name</replaceable>; </optional>
<optional> statistics-file <replaceable>path_name</replaceable>; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
<optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
@ -4453,6 +4454,7 @@ category notify { null; };
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
@ -4639,12 +4641,18 @@ digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
<listitem>
<para>
The pathname of the file the server writes memory
usage statistics to on exit. If not specified,
the default is
<filename>named.memstats</filename>.
usage statistics to on exit. If specified the
statistics will be written to the file on exit.
</para>
</listitem>
</varlistentry>
<para>
In <acronym>BIND</acronym> 9.5 and later this will
default to <filename>named.memstats</filename>.
<acronym>BIND</acronym> 9.5 will also introduce
<command>memstatistics</command> to control the
writing.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>pid-file</command></term>
@ -4657,13 +4665,25 @@ digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
name server. Specifying <command>pid-file none</command> disables the
use of a PID file &mdash; no file will be written and any
existing one will be removed. Note that <command>none</command>
is a keyword, not a file name, and therefore is not enclosed
is a keyword, not a filename, and therefore is not enclosed
in
double quotes.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>recursing-file</command></term>
<listitem>
<para>
The pathname of the file the server dumps
the queries that are currently recursing when instructed
to do so with <command>rndc recursing</command>.
If not specified, the default is <filename>named.recursing</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>statistics-file</command></term>
<listitem>
@ -5286,7 +5306,7 @@ options {
<para>
<emphasis>This option is obsolete</emphasis>.
If you need to disable IXFR to a particular server or
servers see
servers, see
the information on the <command>provide-ixfr</command> option
in <xref linkend="server_statement_definition_and_usage"/>.
See also
@ -5520,6 +5540,7 @@ options {
<para>
Accept expired signatures when verifying DNSSEC signatures.
The default is <userinput>no</userinput>.
Setting this option to "yes" leaves named vulnerable to replay attacks.
</para>
</listitem>
</varlistentry>
@ -5563,7 +5584,7 @@ options {
and MX records.
It also applies to the RDATA of PTR records where the owner
name indicated that it is a reverse lookup of a hostname
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
</para>
</listitem>
</varlistentry>
@ -5606,7 +5627,7 @@ options {
MX and SRV records only in-zone hostnames are
checked (for out-of-zone hostnames use named-checkzone).
For NS records only names below top of zone are
checked (for out-of-zone names and glue consistancy
checked (for out-of-zone names and glue consistency
checks use named-checkzone). The default is
<command>yes</command>.
</para>
@ -6680,7 +6701,7 @@ query-source-v6 address * port *;
</para><note>
<simpara>
Not yet implemented in
<acronym>BIND</acronym>9.
<acronym>BIND</acronym> 9.
</simpara>
</note>
</listitem>
@ -7067,7 +7088,7 @@ query-source-v6 address * port *;
values are 512 to 4096 (values outside this range
will be silently adjusted). The default value is
4096. The usual reason for setting edns-udp-size to
a non-default value it to get UDP answers to pass
a non-default value is to get UDP answers to pass
through broken firewalls that block fragmented
packets and/or block UDP packets that are greater
than 512 bytes.
@ -7087,6 +7108,8 @@ query-source-v6 address * port *;
answers to pass through broken firewalls that
block fragmented packets and/or block UDP packets
that are greater than 512 bytes.
This is independent of the advertised receive
buffer (<command>edns-udp-size</command>).
</para>
</listitem>
</varlistentry>
@ -7155,6 +7178,16 @@ query-source-v6 address * port *;
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>notify-delay</command></term>
<listitem>
<para>
The delay, in seconds, between sending sets of notify
messages for a zone. The default is zero.
</para>
</listitem>
</varlistentry>
</variablelist>
</sect3>
@ -7245,7 +7278,7 @@ query-source-v6 address * port *;
Named has some built-in empty zones (SOA and NS records only).
These are for zones that should normally be answered locally
and which queries should not be sent to the Internet's root
servers. The offical servers which cover these namespaces
servers. The official servers which cover these namespaces
return NXDOMAIN responses to these queries. In particular,
these cover the reverse namespace for addresses from RFC 1918 and
RFC 3330. They also include the reverse namespace for IPv6 local
@ -7304,10 +7337,10 @@ query-source-v6 address * port *;
If you are using the address ranges covered here, you should
already have reverse zones covering the addresses you use.
In practice this appears to not be the case with many queries
being made to the infrustructure servers for names in these
being made to the infrastructure servers for names in these
spaces. So many in fact that sacrificial servers were needed
to be deployed to channel the query load away from the
infrustructure servers.
infrastructure servers.
</para>
<note>
The real parent servers for these zones should disable all
@ -7472,6 +7505,32 @@ query-source-v6 address * port *;
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
<para><command>duplicate</command></para>
</entry>
<entry colname="2">
<para>
The number of queries which the server attempted to
recurse but discover a existing query with the same
IP address, port, query id, name, type and class
already being processed.
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
<para><command>dropped</command></para>
</entry>
<entry colname="2">
<para>
The number of queries for which the server
discovered a excessive number of existing
recursive queries for the same name, type and
class and were subsequently dropped.
</para>
</entry>
</row>
</tbody>
</tgroup>
</informaltable>
@ -8028,6 +8087,7 @@ view "external" {
<optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
@ -8194,7 +8254,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
numbers (in the
tens or hundreds of thousands) of zones per server, it
is best to
use a two-level naming scheme for zone file names. For
use a two-level naming scheme for zone filenames. For
example,
a slave server for the zone <literal>example.com</literal> might place
the zone contents into a file called
@ -8364,7 +8424,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
a synonym for hesiod.
</para>
<para>
Another MIT development is CHAOSnet, a LAN protocol created
Another MIT development is Chaosnet, a LAN protocol created
in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
</para>
</sect3>
@ -8640,8 +8700,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<term><command>journal</command></term>
<listitem>
<para>
Allow the default journal's file name to be overridden.
The default is the zone's file with "<filename>.jnl</filename>" appended.
Allow the default journal's filename to be overridden.
The default is the zone's filename with "<filename>.jnl</filename>" appended.
This is applicable to <command>master</command> and <command>slave</command> zones.
</para>
</listitem>
@ -8697,6 +8757,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
<varlistentry>
<term><command>notify-delay</command></term>
<listitem>
<para>
See the description of
<command>notify-delay</command> in <xref linkend="tuning"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>pubkey</command></term>
<listitem>
@ -8932,7 +9002,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
wildcard name, it is subject to DNS wildcard expansion, so the
rule will apply
to multiple identities. The <replaceable>identity</replaceable> field must
contain a fully qualified domain name.
contain a fully-qualified domain name.
</para>
<para>
@ -9046,7 +9116,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<para>
In all cases, the <replaceable>name</replaceable>
field must
specify a fully qualified domain name.
specify a fully-qualified domain name.
</para>
<para>
@ -9659,7 +9729,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</entry>
<entry colname="2">
<para>
CHAOSnet, a LAN protocol created at MIT in the
Chaosnet, a LAN protocol created at MIT in the
mid-1970s.
Rarely used for its historical purpose, but reused for
BIND's
@ -10239,7 +10309,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<note>
<para>
The <command>$ORIGIN</command> lines in the examples
are for providing context to the examples only-they do not
are for providing context to the examples only &mdash; they do not
necessarily
appear in the actual usage. They are only used here to indicate
that the example is relative to the listed origin.
@ -10403,14 +10473,14 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
<para><command>lhs</command></para>
</entry>
<entry colname="2">
<para><command>lhs</command>
<para>This
describes the owner name of the resource records
to be created. Any single <command>$</command>
(dollar sign)
symbols within the <command>lhs</command> side
are replaced by the iterator value.
To get a $ in the output you need to escape the
To get a $ in the output, you need to escape the
<command>$</command> using a backslash
<command>\</command>,
e.g. <command>\$</command>. The
@ -10419,7 +10489,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
iterator, field width and base.
Modifiers are introduced by a
<command>{</command> immediately following the
<command>{</command> (left brace) immediately following the
<command>$</command> as
<command>${offset[,width[,base]]}</command>.
For example, <command>${-20,3,d}</command>
@ -10492,7 +10562,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
</entry>
<entry colname="2">
<para>
A domain name. It is processed
<command>rhs</command> is a domain name. It is processed
similarly to lhs.
</para>
</entry>
@ -10619,7 +10689,7 @@ zone "example.com" {
</para>
</sect1>
<sect1>
<title><command>chroot</command> and <command>setuid</command></title>
<title><command>Chroot</command> and <command>Setuid</command></title>
<para>
On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
(using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
@ -10658,7 +10728,7 @@ zone "example.com" {
for this.
</para>
<para>
Unlike with earlier versions of BIND, you will typically
Unlike with earlier versions of BIND, you typically will
<emphasis>not</emphasis> need to compile <command>named</command>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
@ -10758,18 +10828,18 @@ zone "example.com" {
<sect1>
<title>Incrementing and Changing the Serial Number</title>
<para>
Zone serial numbers are just numbers-they aren't date
related. A lot of people set them to a number that represents a
date, usually of the form YYYYMMDDRR. A number of people have been
testing these numbers for Y2K compliance and have set the number
to the year 2000 to see if it will work. They then try to restore
the old serial number. This will cause problems because serial
numbers are used to indicate that a zone has been updated. If the
serial number on the slave server is lower than the serial number
on the master, the slave server will attempt to update its copy of
the zone.
</para>
<para>
Zone serial numbers are just numbers &mdash; they aren't
date related. A lot of people set them to a number that
represents a date, usually of the form YYYYMMDDRR.
Occasionally they will make a mistake and set them to a
"date in the future" then try to correct them by setting
them to the "current date". This causes problems because
serial numbers are used to indicate that a zone has been
updated. If the serial number on the slave server is
lower than the serial number on the master, the slave
server will attempt to update its copy of the zone.
</para>
<para>
Setting the serial number to a lower number on the master
@ -10866,7 +10936,7 @@ zone "example.com" {
during that time: Doug Kingston, Craig Partridge, Smoot
Carl-Mitchell,
Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
handled by Mike Karels and O. Kure.
handled by Mike Karels and &#216;ivind Kure.
</para>
<para>
<acronym>BIND</acronym> versions 4.9 and 4.9.1 were
@ -10881,7 +10951,7 @@ zone "example.com" {
Wolfhugel, and others.
</para>
<para>
<acronym>BIND</acronym> version 4.9.2 was sponsored by
In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
Vixie Enterprises. Paul
Vixie became <acronym>BIND</acronym>'s principal
architect/programmer.
@ -10891,10 +10961,25 @@ zone "example.com" {
have been developed and maintained
by the Internet Systems Consortium and its predecessor,
the Internet Software Consortium, with support being provided
by ISC's sponsors. As co-architects/programmers, Bob Halley and
by ISC's sponsors.
</para>
<para>
As co-architects/programmers, Bob Halley and
Paul Vixie released the first production-ready version of
<acronym>BIND</acronym> version 8 in May 1997.
</para>
<para>
BIND version 9 was released in September 2000 and is a
major rewrite of nearly all aspects of the underlying
BIND architecture.
</para>
<para>
BIND version 4 is officially deprecated and BIND version
8 development is considered maintenance-only in favor
of BIND version 9. No additional development is done
on BIND version 4 or BIND version 8 other than for
security-related patches.
</para>
<para>
<acronym>BIND</acronym> development work is made
possible today by the sponsorship
@ -10915,7 +11000,8 @@ zone "example.com" {
<emphasis>Anycast</emphasis>,
an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
an identifier for a set of interfaces. Here we describe the global
Unicast address scheme. For more information, see RFC 3587.
Unicast address scheme. For more information, see RFC 3587,
"Global Unicast Address Format."
</para>
<para>
IPv6 unicast addresses consist of a
@ -11966,15 +12052,6 @@ zone "example.com" {
<title>DNS IPv6 Transport Operational Guidelines</title>
<pubdate>September 2004</pubdate>
</biblioentry>
<biblioentry>
<abbrev>RFC2352</abbrev>
<author>
<surname>Vaughan</surname>
<firstname>O.</firstname>
</author>
<title>A Convention For Using Legal Names as Domain Names</title>
<pubdate>May 1998</pubdate>
</biblioentry>
</bibliodiv>
<bibliodiv>
<title>Obsolete and Unimplemented Experimental RFC</title>

58
contrib/bind9/doc/arm/Bv9ARM.ch01.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch01.html,v 1.16.18.19.10.1 2007/07/09 02:25:50 marka Exp $ -->
<!-- $Id: Bv9ARM.ch01.html,v 1.16.18.21 2007/10/31 01:35:57 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -45,17 +45,17 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564115">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564138">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563472">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564813">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564117">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564140">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563474">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564816">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564835">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564869">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564953">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567283">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567524">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567586">Name Servers in Multiple Roles</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564837">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564871">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567208">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567285">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567526">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567588">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
@ -71,7 +71,7 @@
</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564115"></a>Scope of Document</h2></div></div></div>
<a name="id2564117"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
(<acronym class="acronym">BIND</acronym>) implements a
@ -87,7 +87,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564138"></a>Organization of This Document</h2></div></div></div>
<a name="id2564140"></a>Organization of This Document</h2></div></div></div>
<p>
In this document, <span class="emphasis"><em>Section 1</em></span> introduces
the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Section 2</em></span>
@ -107,8 +107,8 @@
security considerations, and
<span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
main body of the document is followed by several
<span class="emphasis"><em>Appendices</em></span> which contain useful reference
information, such as a <span class="emphasis"><em>Bibliography</em></span> and
<span class="emphasis"><em>appendices</em></span> which contain useful reference
information, such as a <span class="emphasis"><em>bibliography</em></span> and
historic information related to <acronym class="acronym">BIND</acronym>
and the Domain Name
System.
@ -116,7 +116,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2563472"></a>Conventions Used in This Document</h2></div></div></div>
<a name="id2563474"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
@ -243,17 +243,17 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2564813"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<a name="id2564816"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> software
package, and we
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
Name Domain) software package, and we
begin by reviewing the fundamentals of the Domain Name System
(<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564835"></a>DNS Fundamentals</h3></div></div></div>
<a name="id2564837"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
@ -273,7 +273,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564869"></a>Domains and Domain Names</h3></div></div></div>
<a name="id2564871"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
@ -319,7 +319,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2564953"></a>Zones</h3></div></div></div>
<a name="id2567208"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
@ -372,7 +372,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567283"></a>Authoritative Name Servers</h3></div></div></div>
<a name="id2567285"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
@ -389,7 +389,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567306"></a>The Primary Master</h4></div></div></div>
<a name="id2567308"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
@ -409,7 +409,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567336"></a>Slave Servers</h4></div></div></div>
<a name="id2567338"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
@ -425,7 +425,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567357"></a>Stealth Servers</h4></div></div></div>
<a name="id2567360"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
@ -460,7 +460,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567524"></a>Caching Name Servers</h3></div></div></div>
<a name="id2567526"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
@ -487,7 +487,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567559"></a>Forwarding</h4></div></div></div>
<a name="id2567561"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
@ -514,7 +514,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567586"></a>Name Servers in Multiple Roles</h3></div></div></div>
<a name="id2567588"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as

24
contrib/bind9/doc/arm/Bv9ARM.ch02.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch02.html,v 1.13.18.18.10.1 2007/07/09 02:25:50 marka Exp $ -->
<!-- $Id: Bv9ARM.ch02.html,v 1.13.18.21 2007/10/31 01:35:57 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -45,16 +45,16 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567620">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567646">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567659">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567686">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567697">Supported Operating Systems</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567622">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567649">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567661">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567688">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567699">Supported Operating Systems</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567620"></a>Hardware requirements</h2></div></div></div>
<a name="id2567622"></a>Hardware requirements</h2></div></div></div>
<p>
<acronym class="acronym">DNS</acronym> hardware requirements have
traditionally been quite modest.
@ -73,7 +73,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567646"></a>CPU Requirements</h2></div></div></div>
<a name="id2567649"></a>CPU Requirements</h2></div></div></div>
<p>
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
i486-class machines
@ -84,7 +84,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567659"></a>Memory Requirements</h2></div></div></div>
<a name="id2567661"></a>Memory Requirements</h2></div></div></div>
<p>
The memory of the server has to be large enough to fit the
cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
@ -93,7 +93,7 @@
traffic.
Additionally, if additional section caching
(<a href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
the <span><strong class="command">max-acache-size</strong></span> can be used to
the <span><strong class="command">max-acache-size</strong></span> option can be used to
limit the amount
of memory used by the mechanism.
It is still good practice to have enough memory to load
@ -107,7 +107,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567686"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<a name="id2567688"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<p>
For name server intensive environments, there are two alternative
configurations that may be used. The first is where clients and
@ -124,7 +124,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2567697"></a>Supported Operating Systems</h2></div></div></div>
<a name="id2567699"></a>Supported Operating Systems</h2></div></div></div>
<p>
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
number

46
contrib/bind9/doc/arm/Bv9ARM.ch03.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch03.html,v 1.35.18.26.10.1 2007/07/09 02:25:50 marka Exp $ -->
<!-- $Id: Bv9ARM.ch03.html,v 1.35.18.31 2007/10/31 01:35:57 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -47,14 +47,14 @@
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568002">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568018">An Authoritative-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568004">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568020">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568040">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568464">Name Server Operations</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568042">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568465">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568469">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570039">Signals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568470">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570184">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
@ -68,7 +68,7 @@
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2568002"></a>A Caching-only Name Server</h3></div></div></div>
<a name="id2568004"></a>A Caching-only Name Server</h3></div></div></div>
<p>
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All
@ -95,7 +95,7 @@ zone "0.0.127.in-addr.arpa" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2568018"></a>An Authoritative-only Name Server</h3></div></div></div>
<a name="id2568020"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
@ -137,11 +137,11 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568040"></a>Load Balancing</h2></div></div></div>
<a name="id2568042"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple A records for
one name.
the <acronym class="acronym">DNS</acronym> by using multiple records
(such as multiple A records) for one name.
</p>
<p>
For example, if you have three WWW servers with network addresses
@ -280,10 +280,10 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2568464"></a>Name Server Operations</h2></div></div></div>
<a name="id2568465"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2568469"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<a name="id2568470"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
@ -336,7 +336,7 @@ zone "eng.example.com" {
functionality
can be extended with the use of options.
</p>
<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlrTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
<p>
For more information and a list of available commands and
options, see the <span><strong class="command">host</strong></span> man
@ -425,6 +425,12 @@ zone "eng.example.com" {
(<span><strong class="command">rndc</strong></span>) program allows the
system
administrator to control the operation of a name server.
Since <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
utility except <span><strong class="command">ndc start</strong></span> and
<span><strong class="command">ndc restart</strong></span>, which were also
not supported in <span><strong class="command">ndc</strong></span>'s
channel mode.
If you run <span><strong class="command">rndc</strong></span> without any
options
it will display a usage message as follows:
@ -584,14 +590,6 @@ zone "eng.example.com" {
on.
</p></dd>
</dl></div>
<p>
In <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
utility except <span><strong class="command">ndc start</strong></span> and
<span><strong class="command">ndc restart</strong></span>, which were also
not supported in <span><strong class="command">ndc</strong></span>'s
channel mode.
</p>
<p>
A configuration file is required, since all
communication with the server is authenticated with
@ -741,7 +739,7 @@ controls {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570039"></a>Signals</h3></div></div></div>
<a name="id2570184"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can

86
contrib/bind9/doc/arm/Bv9ARM.ch04.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch04.html,v 1.40.18.34.10.1 2007/07/09 02:25:50 marka Exp $ -->
<!-- $Id: Bv9ARM.ch04.html,v 1.40.18.41 2007/10/31 01:35:57 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -49,28 +49,29 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570428">Split DNS</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570642">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570660">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570948">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571021">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571032">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571140">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571197">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571242">Errors</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571095">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571169">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571179">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571219">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571413">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571458">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571256">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571305">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571472">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571521">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571578">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571648">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571726">Configuring Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571725">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571795">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571874">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571801">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572153">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572000">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572021">Address to Name Lookups Using Nibble Format</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572215">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572236">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
@ -204,7 +205,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2570428"></a>Split DNS</h2></div></div></div>
<a name="id2570642"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
@ -222,7 +223,7 @@
However, since listing addresses of internal servers that
external clients cannot possibly reach can result in
connection delays and other annoyances, an organization may
choose to use a Split DNS to present a consistant view of itself
choose to use a Split DNS to present a consistent view of itself
to the outside world.
</p>
<p>
@ -232,9 +233,9 @@
on the Internet. Split DNS can also be used to allow mail from outside
back in to the internal network.
</p>
<p>
Here is an example of a split DNS setup:
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570660"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
@ -450,6 +451,7 @@ nameserver 172.16.72.3
nameserver 172.16.72.4
</pre>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="tsig"></a>TSIG</h2></div></div></div>
@ -479,7 +481,7 @@ nameserver 172.16.72.4
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2570948"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<a name="id2571095"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
@ -487,7 +489,7 @@ nameserver 172.16.72.4
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2570965"></a>Automatic Generation</h4></div></div></div>
<a name="id2571112"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-MD5
key as described above. Longer keys are better, but shorter keys
@ -512,7 +514,7 @@ nameserver 172.16.72.4
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2571003"></a>Manual Generation</h4></div></div></div>
<a name="id2571150"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
@ -527,7 +529,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571021"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<a name="id2571169"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
@ -535,7 +537,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571032"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<a name="id2571179"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
are
@ -564,7 +566,7 @@ key host1-host2. {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571140"></a>Instructing the Server to Use the Key</h3></div></div></div>
<a name="id2571219"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@ -596,7 +598,7 @@ server 10.1.2.3 {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571197"></a>TSIG Key Based Access Control</h3></div></div></div>
<a name="id2571413"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
@ -624,7 +626,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571242"></a>Errors</h3></div></div></div>
<a name="id2571458"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
@ -643,14 +645,14 @@ allow-update { key host1-host2. ;};
outside of the allowed range, the response will be signed with
the TSIG extended error code set to BADTIME, and the time values
will be adjusted so that the response can be successfully
verified. In any of these cases, the message's rcode is set to
verified. In any of these cases, the message's rcode (response code) is set to
NOTAUTH (not authenticated).
</p>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571256"></a>TKEY</h2></div></div></div>
<a name="id2571472"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
@ -686,7 +688,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571305"></a>SIG(0)</h2></div></div></div>
<a name="id2571521"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC2931.
@ -715,7 +717,7 @@ allow-update { key host1-host2. ;};
<p>
Cryptographic authentication of DNS information is possible
through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
defined in RFC 4033, RFC 4034 and RFC 4035.
defined in RFC 4033, RFC 4034, and RFC 4035.
This section describes the creation and use of DNSSEC signed zones.
</p>
<p>
@ -747,7 +749,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571578"></a>Generating Keys</h3></div></div></div>
<a name="id2571725"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
@ -775,7 +777,7 @@ allow-update { key host1-host2. ;};
<code class="filename">Kchild.example.+005+12345.key</code> and
<code class="filename">Kchild.example.+005+12345.private</code>
(where
12345 is an example of a key tag). The key file names contain
12345 is an example of a key tag). The key filenames contain
the key name (<code class="filename">child.example.</code>),
algorithm (3
is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
@ -798,7 +800,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571648"></a>Signing the Zone</h3></div></div></div>
<a name="id2571795"></a>Signing the Zone</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-signzone</strong></span> program is used
to
@ -835,14 +837,14 @@ allow-update { key host1-host2. ;};
<p><span><strong class="command">dnssec-signzone</strong></span>
will also produce a keyset and dsset files and optionally a
dlvset file. These are used to provide the parent zone
administators with the <code class="literal">DNSKEYs</code> (or their
administrators with the <code class="literal">DNSKEYs</code> (or their
corresponding <code class="literal">DS</code> records) that are the
secure entry point to the zone.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571726"></a>Configuring Servers</h3></div></div></div>
<a name="id2571874"></a>Configuring Servers</h3></div></div></div>
<p>
To enable <span><strong class="command">named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
@ -851,7 +853,7 @@ allow-update { key host1-host2. ;};
<p>
To enable <span><strong class="command">named</strong></span> to validate answers from
other servers both <span><strong class="command">dnssec-enable</strong></span> and
<span><strong class="command">dnssec-validate</strong></span> must be set and some
<span><strong class="command">dnssec-validation</strong></span> must be set and some
<span><strong class="command">trusted-keys</strong></span> must be configured
into <code class="filename">named.conf</code>.
</p>
@ -930,7 +932,7 @@ options {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2571801"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<a name="id2572153"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 fully supports all currently
defined forms of IPv6
@ -969,7 +971,7 @@ options {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572000"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<a name="id2572215"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<p>
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@ -988,7 +990,7 @@ host 3600 IN AAAA 2001:db8::1
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572021"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<a name="id2572236"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<p>
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and

6
contrib/bind9/doc/arm/Bv9ARM.ch05.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch05.html,v 1.33.18.28.10.1 2007/07/09 02:25:50 marka Exp $ -->
<!-- $Id: Bv9ARM.ch05.html,v 1.33.18.33 2007/10/31 01:35:58 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -45,13 +45,13 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572054">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572269">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2572054"></a>The Lightweight Resolver Library</h2></div></div></div>
<a name="id2572269"></a>The Lightweight Resolver Library</h2></div></div></div>
<p>
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name

255
contrib/bind9/doc/arm/Bv9ARM.ch06.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.63.10.1 2007/07/09 02:25:50 marka Exp $ -->
<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.73 2007/10/31 01:35:58 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -48,52 +48,52 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573333">Comment Syntax</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573480">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574013"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574092"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574203"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574282"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574632"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574647"><span><strong class="command">include</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574711"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574726"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574670"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574692"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574782"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574908"><span><strong class="command">logging</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574749"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574771"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574930"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575056"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576395"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576469"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576533"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576577"><span><strong class="command">masters</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576406"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576480"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576544"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576587"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576592"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576602"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585031"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585080"><span><strong class="command">trusted-keys</strong></span> Statement Definition
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585361"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585410"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585228"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585490"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586599"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586798"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2588791">Zone File</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589080">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590812">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591101">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591432">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591559">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591816"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591653">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591848">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592173"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
</dl>
@ -266,7 +266,7 @@
<td>
<p>
An IP port <code class="varname">number</code>.
<code class="varname">number</code> is limited to 0
The <code class="varname">number</code> is limited to 0
through 65535, with values
below 1024 typically restricted to use by processes running
as root.
@ -428,7 +428,7 @@
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573198"></a>Syntax</h4></div></div></div>
<a name="id2573277"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@ -437,7 +437,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573226"></a>Definition and Usage</h4></div></div></div>
<a name="id2573305"></a>Definition and Usage</h4></div></div></div>
<p>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
@ -515,17 +515,17 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2573333"></a>Comment Syntax</h3></div></div></div>
<a name="id2573480"></a>Comment Syntax</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
comments to appear
anywhere that white space may appear in a <acronym class="acronym">BIND</acronym> configuration
anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
file. To appeal to programmers of all kinds, they can be written
in the C, C++, or shell/perl style.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573348"></a>Syntax</h4></div></div></div>
<a name="id2573495"></a>Syntax</h4></div></div></div>
<p>
</p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@ -540,9 +540,9 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573378"></a>Definition and Usage</h4></div></div></div>
<a name="id2573525"></a>Definition and Usage</h4></div></div></div>
<p>
Comments may appear anywhere that white space may appear in
Comments may appear anywhere that whitespace may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
</p>
<p>
@ -774,7 +774,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574013"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2574092"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
address_match_list
};
@ -857,7 +857,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574203"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2574282"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
[ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
keys { <em class="replaceable"><code>key_list</code></em> }; ]
@ -979,12 +979,12 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574632"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2574711"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574647"></a><span><strong class="command">include</strong></span> Statement Definition and
<a name="id2574726"></a><span><strong class="command">include</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">include</strong></span> statement inserts the
@ -999,7 +999,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574670"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2574749"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
algorithm <em class="replaceable"><code>string</code></em>;
secret <em class="replaceable"><code>string</code></em>;
@ -1008,7 +1008,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574692"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<a name="id2574771"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">key</strong></span> statement defines a shared
secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@ -1046,7 +1046,7 @@
<code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
and <code class="literal">hmac-sha512</code> TSIG authentication.
Truncated hashes are supported by appending the minimum
number of required bits preceeded by a dash, e.g.
number of required bits preceded by a dash, e.g.
<code class="literal">hmac-sha1-80</code>. The
<em class="replaceable"><code>secret_string</code></em> is the secret
to be used by the algorithm, and is treated as a base-64
@ -1055,7 +1055,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574782"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2574930"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
[ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
@ -1079,7 +1079,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574908"></a><span><strong class="command">logging</strong></span> Statement Definition and
<a name="id2575056"></a><span><strong class="command">logging</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">logging</strong></span> statement configures a
@ -1113,7 +1113,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2574961"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<a name="id2575108"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<p>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
@ -1632,7 +1632,7 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2576395"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2576406"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
@ -1647,12 +1647,12 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2576469"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<a name="id2576480"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">lwres</strong></span> statement configures the
name
server to also act as a lightweight resolver server. (See
<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.) There may be be multiple
<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.) There may be multiple
<span><strong class="command">lwres</strong></span> statements configuring
lightweight resolver servers with different properties.
</p>
@ -1698,14 +1698,14 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2576533"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2576544"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2576577"></a><span><strong class="command">masters</strong></span> Statement Definition and
<a name="id2576587"></a><span><strong class="command">masters</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p><span><strong class="command">masters</strong></span>
lists allow for a common set of masters to be easily used by
@ -1714,7 +1714,7 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2576592"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2576602"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">options</strong></span>
statement in the <code class="filename">named.conf</code> file:
@ -1732,6 +1732,7 @@ category notify { null; };
[<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
@ -1809,6 +1810,7 @@ category notify { null; };
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
@ -1951,12 +1953,20 @@ digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
If not specified, the default is <code class="filename">named_dump.db</code>.
</p></dd>
<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
<dd><p>
<dd>
<p>
The pathname of the file the server writes memory
usage statistics to on exit. If not specified,
the default is
<code class="filename">named.memstats</code>.
</p></dd>
usage statistics to on exit. If specified the
statistics will be written to the file on exit.
</p>
<p>
In <acronym class="acronym">BIND</acronym> 9.5 and later this will
default to <code class="filename">named.memstats</code>.
<acronym class="acronym">BIND</acronym> 9.5 will also introduce
<span><strong class="command">memstatistics</strong></span> to control the
writing.
</p>
</dd>
<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
<dd><p>
The pathname of the file the server writes its process ID
@ -1966,10 +1976,17 @@ digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
use of a PID file &#8212; no file will be written and any
existing one will be removed. Note that <span><strong class="command">none</strong></span>
is a keyword, not a file name, and therefore is not enclosed
is a keyword, not a filename, and therefore is not enclosed
in
double quotes.
</p></dd>
<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
<dd><p>
The pathname of the file the server dumps
the queries that are currently recursing when instructed
to do so with <span><strong class="command">rndc recursing</strong></span>.
If not specified, the default is <code class="filename">named.recursing</code>.
</p></dd>
<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
<dd><p>
The pathname of the file the server appends statistics
@ -2472,7 +2489,7 @@ options {
<dd><p>
<span class="emphasis"><em>This option is obsolete</em></span>.
If you need to disable IXFR to a particular server or
servers see
servers, see
the information on the <span><strong class="command">provide-ixfr</strong></span> option
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
@ -2660,6 +2677,7 @@ options {
<dd><p>
Accept expired signatures when verifying DNSSEC signatures.
The default is <strong class="userinput"><code>no</code></strong>.
Setting this option to "yes" leaves named vulnerable to replay attacks.
</p></dd>
<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
<dd><p>
@ -2694,7 +2712,7 @@ options {
and MX records.
It also applies to the RDATA of PTR records where the owner
name indicated that it is a reverse lookup of a hostname
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
</p>
</dd>
<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
@ -2723,7 +2741,7 @@ options {
MX and SRV records only in-zone hostnames are
checked (for out-of-zone hostnames use named-checkzone).
For NS records only names below top of zone are
checked (for out-of-zone names and glue consistancy
checked (for out-of-zone names and glue consistency
checks use named-checkzone). The default is
<span><strong class="command">yes</strong></span>.
</p></dd>
@ -2771,7 +2789,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2580407"></a>Forwarding</h4></div></div></div>
<a name="id2580536"></a>Forwarding</h4></div></div></div>
<p>
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@ -2815,7 +2833,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2580466"></a>Dual-stack Servers</h4></div></div></div>
<a name="id2580595"></a>Dual-stack Servers</h4></div></div></div>
<p>
Dual-stack servers are used as servers of last resort to work
around
@ -2970,7 +2988,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2580955"></a>Interfaces</h4></div></div></div>
<a name="id2581153"></a>Interfaces</h4></div></div></div>
<p>
The interfaces and ports that the server will answer queries
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
@ -3050,7 +3068,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2581112"></a>Query Address</h4></div></div></div>
<a name="id2581241"></a>Query Address</h4></div></div></div>
<p>
If the server doesn't know the answer to a question, it will
query other name servers. <span><strong class="command">query-source</strong></span> specifies
@ -3330,7 +3348,7 @@ query-source-v6 address * port *;
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2581859"></a>Bad UDP Port Lists</h4></div></div></div>
<a name="id2581988"></a>Bad UDP Port Lists</h4></div></div></div>
<p><span><strong class="command">avoid-v4-udp-ports</strong></span>
and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list
of IPv4 and IPv6 UDP ports that will not be used as system
@ -3344,7 +3362,7 @@ query-source-v6 address * port *;
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2581874"></a>Operating System Resource Limits</h4></div></div></div>
<a name="id2582003"></a>Operating System Resource Limits</h4></div></div></div>
<p>
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@ -3403,7 +3421,7 @@ query-source-v6 address * port *;
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2582057"></a>Server Resource Limits</h4></div></div></div>
<a name="id2582186"></a>Server Resource Limits</h4></div></div></div>
<p>
The following options set limits on the server's
resource consumption that are enforced internally by the
@ -3481,7 +3499,7 @@ query-source-v6 address * port *;
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2582190"></a>Periodic Task Intervals</h4></div></div></div>
<a name="id2582320"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
<dd><p>
@ -3529,7 +3547,7 @@ query-source-v6 address * port *;
<h3 class="title">Note</h3>
<p>
Not yet implemented in
<acronym class="acronym">BIND</acronym>9.
<acronym class="acronym">BIND</acronym> 9.
</p>
</div>
</dd>
@ -3869,7 +3887,7 @@ query-source-v6 address * port *;
values are 512 to 4096 (values outside this range
will be silently adjusted). The default value is
4096. The usual reason for setting edns-udp-size to
a non-default value it to get UDP answers to pass
a non-default value is to get UDP answers to pass
through broken firewalls that block fragmented
packets and/or block UDP packets that are greater
than 512 bytes.
@ -3884,6 +3902,8 @@ query-source-v6 address * port *;
answers to pass through broken firewalls that
block fragmented packets and/or block UDP packets
that are greater than 512 bytes.
This is independent of the advertised receive
buffer (<span><strong class="command">edns-udp-size</strong></span>).
</p></dd>
<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
<dd><p>Specifies
@ -3943,6 +3963,11 @@ query-source-v6 address * port *;
<span><strong class="command">recursive-clients</strong></span>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
<dd><p>
The delay, in seconds, between sending sets of notify
messages for a zone. The default is zero.
</p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
@ -4013,7 +4038,7 @@ query-source-v6 address * port *;
Named has some built-in empty zones (SOA and NS records only).
These are for zones that should normally be answered locally
and which queries should not be sent to the Internet's root
servers. The offical servers which cover these namespaces
servers. The official servers which cover these namespaces
return NXDOMAIN responses to these queries. In particular,
these cover the reverse namespace for addresses from RFC 1918 and
RFC 3330. They also include the reverse namespace for IPv6 local
@ -4076,10 +4101,10 @@ query-source-v6 address * port *;
If you are using the address ranges covered here, you should
already have reverse zones covering the addresses you use.
In practice this appears to not be the case with many queries
being made to the infrustructure servers for names in these
being made to the infrastructure servers for names in these
spaces. So many in fact that sacrificial servers were needed
to be deployed to channel the query load away from the
infrustructure servers.
infrastructure servers.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
@ -4226,6 +4251,32 @@ query-source-v6 address * port *;
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">duplicate</strong></span></p>
</td>
<td>
<p>
The number of queries which the server attempted to
recurse but discover a existing query with the same
IP address, port, query id, name, type and class
already being processed.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">dropped</strong></span></p>
</td>
<td>
<p>
The number of queries for which the server
discovered a excessive number of existing
recursive queries for the same name, type and
class and were subsequently dropped.
</p>
</td>
</tr>
</tbody>
</table></div>
<p>
@ -4528,7 +4579,7 @@ query-source-v6 address * port *;
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2585031"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2585361"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">trusted-keys {
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@ -4537,7 +4588,7 @@ query-source-v6 address * port *;
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2585080"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
<a name="id2585410"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span><strong class="command">trusted-keys</strong></span> statement defines
@ -4580,7 +4631,7 @@ query-source-v6 address * port *;
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2585228"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<a name="id2585490"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">view</strong></span> statement is a powerful
feature
@ -4724,6 +4775,7 @@ view "external" {
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@ -4831,10 +4883,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2586599"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<a name="id2586798"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2586606"></a>Zone Types</h4></div></div></div>
<a name="id2586806"></a>Zone Types</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@ -4890,7 +4942,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
numbers (in the
tens or hundreds of thousands) of zones per server, it
is best to
use a two-level naming scheme for zone file names. For
use a two-level naming scheme for zone filenames. For
example,
a slave server for the zone <code class="literal">example.com</code> might place
the zone contents into a file called
@ -5043,7 +5095,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2587026"></a>Class</h4></div></div></div>
<a name="id2587362"></a>Class</h4></div></div></div>
<p>
The zone's name may optionally be followed by a class. If
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
@ -5059,13 +5111,13 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
a synonym for hesiod.
</p>
<p>
Another MIT development is CHAOSnet, a LAN protocol created
Another MIT development is Chaosnet, a LAN protocol created
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
</p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2587059"></a>Zone Options</h4></div></div></div>
<a name="id2587395"></a>Zone Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
<dd><p>
@ -5228,8 +5280,8 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p></dd>
<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
<dd><p>
Allow the default journal's file name to be overridden.
The default is the zone's file with "<code class="filename">.jnl</code>" appended.
Allow the default journal's filename to be overridden.
The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
</p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
@ -5257,6 +5309,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
See the description of
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
<dd><p>
In <acronym class="acronym">BIND</acronym> 8, this option was
@ -5414,7 +5471,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
wildcard name, it is subject to DNS wildcard expansion, so the
rule will apply
to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
contain a fully qualified domain name.
contain a fully-qualified domain name.
</p>
<p>
The <em class="replaceable"><code>nametype</code></em> field has 6
@ -5531,7 +5588,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<p>
In all cases, the <em class="replaceable"><code>name</code></em>
field must
specify a fully qualified domain name.
specify a fully-qualified domain name.
</p>
<p>
If no types are explicitly specified, this rule matches all
@ -5548,7 +5605,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2588791"></a>Zone File</h2></div></div></div>
<a name="id2589080"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
@ -5561,7 +5618,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2588809"></a>Resource Records</h4></div></div></div>
<a name="id2589098"></a>Resource Records</h4></div></div></div>
<p>
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@ -6144,7 +6201,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</td>
<td>
<p>
CHAOSnet, a LAN protocol created at MIT in the
Chaosnet, a LAN protocol created at MIT in the
mid-1970s.
Rarely used for its historical purpose, but reused for
BIND's
@ -6212,7 +6269,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2590224"></a>Textual expression of RRs</h4></div></div></div>
<a name="id2590513"></a>Textual expression of RRs</h4></div></div></div>
<p>
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@ -6415,7 +6472,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2590812"></a>Discussion of MX Records</h3></div></div></div>
<a name="id2591101"></a>Discussion of MX Records</h3></div></div></div>
<p>
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@ -6673,7 +6730,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2591432"></a>Inverse Mapping in IPv4</h3></div></div></div>
<a name="id2591653"></a>Inverse Mapping in IPv4</h3></div></div></div>
<p>
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@ -6725,7 +6782,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<h3 class="title">Note</h3>
<p>
The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
are for providing context to the examples only-they do not
are for providing context to the examples only &#8212; they do not
necessarily
appear in the actual usage. They are only used here to indicate
that the example is relative to the listed origin.
@ -6734,7 +6791,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2591559"></a>Other Zone File Directives</h3></div></div></div>
<a name="id2591848"></a>Other Zone File Directives</h3></div></div></div>
<p>
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@ -6749,7 +6806,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2591581"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<a name="id2591870"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$ORIGIN</strong></span>
<em class="replaceable"><code>domain-name</code></em>
@ -6777,7 +6834,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2591642"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<a name="id2592000"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$INCLUDE</strong></span>
<em class="replaceable"><code>filename</code></em>
@ -6813,7 +6870,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2591780"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2592069"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$TTL</strong></span>
<em class="replaceable"><code>default-ttl</code></em>
@ -6832,7 +6889,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2591816"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<a name="id2592173"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<p>
Syntax: <span><strong class="command">$GENERATE</strong></span>
<em class="replaceable"><code>range</code></em>
@ -6888,14 +6945,14 @@ $GENERATE 1-127 $ CNAME $.0</pre>
<p><span><strong class="command">lhs</strong></span></p>
</td>
<td>
<p><span><strong class="command">lhs</strong></span>
<p>This
describes the owner name of the resource records
to be created. Any single <span><strong class="command">$</strong></span>
(dollar sign)
symbols within the <span><strong class="command">lhs</strong></span> side
are replaced by the iterator value.
To get a $ in the output you need to escape the
To get a $ in the output, you need to escape the
<span><strong class="command">$</strong></span> using a backslash
<span><strong class="command">\</strong></span>,
e.g. <span><strong class="command">\$</strong></span>. The
@ -6904,7 +6961,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
iterator, field width and base.
Modifiers are introduced by a
<span><strong class="command">{</strong></span> immediately following the
<span><strong class="command">{</strong></span> (left brace) immediately following the
<span><strong class="command">$</strong></span> as
<span><strong class="command">${offset[,width[,base]]}</strong></span>.
For example, <span><strong class="command">${-20,3,d}</strong></span>
@ -6977,7 +7034,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</td>
<td>
<p>
A domain name. It is processed
<span><strong class="command">rhs</strong></span> is a domain name. It is processed
similarly to lhs.
</p>
</td>

16
contrib/bind9/doc/arm/Bv9ARM.ch07.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.75.18.54.10.1 2007/07/09 02:25:51 marka Exp $ -->
<!-- $Id: Bv9ARM.ch07.html,v 1.75.18.63 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -46,10 +46,10 @@
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592492"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592714"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592569">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592629">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592791">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592851">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
@ -118,7 +118,7 @@ zone "example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2592492"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span>
<a name="id2592714"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
@ -142,7 +142,7 @@ zone "example.com" {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2592569"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<a name="id2592791"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment
to
@ -157,7 +157,7 @@ zone "example.com" {
for this.
</p>
<p>
Unlike with earlier versions of BIND, you will typically
Unlike with earlier versions of BIND, you typically will
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
@ -170,7 +170,7 @@ zone "example.com" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2592629"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<a name="id2592851"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon,
use

38
contrib/bind9/doc/arm/Bv9ARM.ch08.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch08.html,v 1.75.18.53.10.1 2007/07/09 02:25:52 marka Exp $ -->
<!-- $Id: Bv9ARM.ch08.html,v 1.75.18.64 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -45,18 +45,18 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592709">Common Problems</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2592714">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592726">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592743">Where Can I Get Help?</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592999">Common Problems</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2593004">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593016">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593033">Where Can I Get Help?</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2592709"></a>Common Problems</h2></div></div></div>
<a name="id2592999"></a>Common Problems</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2592714"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<a name="id2593004"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<p>
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@ -68,18 +68,18 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2592726"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<a name="id2593016"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<p>
Zone serial numbers are just numbers-they aren't date
related. A lot of people set them to a number that represents a
date, usually of the form YYYYMMDDRR. A number of people have been
testing these numbers for Y2K compliance and have set the number
to the year 2000 to see if it will work. They then try to restore
the old serial number. This will cause problems because serial
numbers are used to indicate that a zone has been updated. If the
serial number on the slave server is lower than the serial number
on the master, the slave server will attempt to update its copy of
the zone.
Zone serial numbers are just numbers &#8212; they aren't
date related. A lot of people set them to a number that
represents a date, usually of the form YYYYMMDDRR.
Occasionally they will make a mistake and set them to a
"date in the future" then try to correct them by setting
them to the "current date". This causes problems because
serial numbers are used to indicate that a zone has been
updated. If the serial number on the slave server is
lower than the serial number on the master, the slave
server will attempt to update its copy of the zone.
</p>
<p>
Setting the serial number to a lower number on the master
@ -95,7 +95,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2592743"></a>Where Can I Get Help?</h2></div></div></div>
<a name="id2593033"></a>Where Can I Get Help?</h2></div></div></div>
<p>
The Internet Systems Consortium
(<acronym class="acronym">ISC</acronym>) offers a wide range

207
contrib/bind9/doc/arm/Bv9ARM.ch09.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch09.html,v 1.75.18.56.10.1 2007/07/09 02:25:52 marka Exp $ -->
<!-- $Id: Bv9ARM.ch09.html,v 1.75.18.66 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -45,21 +45,21 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593078">Acknowledgments</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593300">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593172">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593472">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2596339">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2596683">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2593078"></a>Acknowledgments</h2></div></div></div>
<a name="id2593300"></a>Acknowledgments</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@ -110,7 +110,7 @@
during that time: Doug Kingston, Craig Partridge, Smoot
Carl-Mitchell,
Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
handled by Mike Karels and O. Kure.
handled by Mike Karels and Øivind Kure.
</p>
<p>
<acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
@ -125,7 +125,7 @@
Wolfhugel, and others.
</p>
<p>
<acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
Vixie Enterprises. Paul
Vixie became <acronym class="acronym">BIND</acronym>'s principal
architect/programmer.
@ -135,10 +135,25 @@
have been developed and maintained
by the Internet Systems Consortium and its predecessor,
the Internet Software Consortium, with support being provided
by ISC's sponsors. As co-architects/programmers, Bob Halley and
by ISC's sponsors.
</p>
<p>
As co-architects/programmers, Bob Halley and
Paul Vixie released the first production-ready version of
<acronym class="acronym">BIND</acronym> version 8 in May 1997.
</p>
<p>
BIND version 9 was released in September 2000 and is a
major rewrite of nearly all aspects of the underlying
BIND architecture.
</p>
<p>
BIND version 4 is officially deprecated and BIND version
8 development is considered maintenance-only in favor
of BIND version 9. No additional development is done
on BIND version 4 or BIND version 8 other than for
security-related patches.
</p>
<p>
<acronym class="acronym">BIND</acronym> development work is made
possible today by the sponsorship
@ -149,7 +164,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2593172"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<a name="id2593472"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@ -161,7 +176,8 @@
<span class="emphasis"><em>Anycast</em></span>,
an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
an identifier for a set of interfaces. Here we describe the global
Unicast address scheme. For more information, see RFC 3587.
Unicast address scheme. For more information, see RFC 3587,
"Global Unicast Address Format."
</p>
<p>
IPv6 unicast addresses consist of a
@ -236,17 +252,17 @@
</p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2593360"></a>Bibliography</h4></div></div></div>
<a name="id2593659"></a>Bibliography</h4></div></div></div>
<div class="bibliodiv">
<h3 class="title">Standards</h3>
<div class="biblioentry">
<a name="id2593370"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
<a name="id2593670"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
</div>
<div class="biblioentry">
<a name="id2593394"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
<a name="id2593693"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
<a name="id2593417"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
<a name="id2593717"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
Specification</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
</div>
@ -254,42 +270,42 @@
<h3 class="title">
<a name="proposed_standards"></a>Proposed Standards</h3>
<div class="biblioentry">
<a name="id2593453"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
<a name="id2593753"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
Specification</i>. </span><span class="pubdate">July 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2593480"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
<a name="id2593780"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
Queries</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
<a name="id2593506"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
<a name="id2593805"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2593530"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
<a name="id2593830"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2593554"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
<a name="id2593853"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2593609"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
<a name="id2593909"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2593636"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
<a name="id2593936"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2593662"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
<a name="id2593962"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2593724"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
<a name="id2594024"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2593754"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
<a name="id2594054"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2593784"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
<a name="id2594084"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2593811"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
<a name="id2594110"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
@ -298,19 +314,19 @@
<h3 class="title">
<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
<div class="biblioentry">
<a name="id2593893"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
<a name="id2594193"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
</div>
<div class="biblioentry">
<a name="id2593920"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
<a name="id2594288"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
<div class="biblioentry">
<a name="id2593956"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
<a name="id2594324"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
<a name="id2594021"></a><p>[<abbr class="abbrev">RFC4044</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
<a name="id2594389"></a><p>[<abbr class="abbrev">RFC4044</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
<a name="id2594086"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
<a name="id2594454"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
</div>
@ -318,146 +334,146 @@
<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
Implementation</h3>
<div class="biblioentry">
<a name="id2594160"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
<a name="id2594596"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
<a name="id2594185"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
<a name="id2594621"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
<a name="id2594253"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
<a name="id2594690"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2594289"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
<a name="id2594725"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Resource Record Types</h3>
<div class="biblioentry">
<a name="id2594334"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
<a name="id2594771"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
</div>
<div class="biblioentry">
<a name="id2594460"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
<a name="id2594828"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
</div>
<div class="biblioentry">
<a name="id2594498"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
<a name="id2594866"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2594533"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
<a name="id2594901"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
Domain
Name System</i>. </span><span class="pubdate">January 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2594587"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
<a name="id2594955"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
Location of
Services.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2594626"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
<a name="id2594994"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
Distribute MIXER
Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
</div>
<div class="biblioentry">
<a name="id2594651"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
<a name="id2595019"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2594677"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2595045"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2594704"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2595072"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2594730"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2595098"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2594770"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2595138"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2594800"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2595168"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2594829"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
<a name="id2595197"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2594872"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
<a name="id2595240"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2594905"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
<a name="id2595273"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
</div>
<div class="biblioentry">
<a name="id2594932"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
<a name="id2595300"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
</div>
<div class="biblioentry">
<a name="id2594955"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
<a name="id2595323"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
version 6</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
<div class="biblioentry">
<a name="id2595013"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
<a name="id2595381"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> and the Internet</h3>
<div class="biblioentry">
<a name="id2595045"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
<a name="id2595413"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
</div>
<div class="biblioentry">
<a name="id2595070"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
<a name="id2595438"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
Support</i>. </span><span class="pubdate">October 1989. </span></p>
</div>
<div class="biblioentry">
<a name="id2595093"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
<a name="id2595461"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
</div>
<div class="biblioentry">
<a name="id2595116"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
<a name="id2595484"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
<a name="id2595162"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
<a name="id2595530"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2595186"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
<a name="id2595554"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> Operations</h3>
<div class="biblioentry">
<a name="id2595243"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
<a name="id2595611"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
<a name="id2595267"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
<a name="id2595635"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
<a name="id2595293"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
<a name="id2595661"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2595320"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
<a name="id2595688"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
<a name="id2595356"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
<a name="id2595724"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Internationalized Domain Names</h3>
<div class="biblioentry">
<a name="id2595402"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
<a name="id2595770"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2595434"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
<a name="id2595802"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
<a name="id2595480"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
<a name="id2595848"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
<a name="id2595515"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
<a name="id2595883"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in
Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
@ -473,50 +489,47 @@
</p>
</div>
<div class="biblioentry">
<a name="id2595560"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
<a name="id2595928"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
</div>
<div class="biblioentry">
<a name="id2595582"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
<a name="id2595950"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
<a name="id2595608"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
<a name="id2595976"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
</div>
<div class="biblioentry">
<a name="id2595634"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
<a name="id2596002"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2595657"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
<a name="id2596025"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
<a name="id2595703"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
<a name="id2596071"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
<a name="id2595726"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
<a name="id2596094"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
</div>
<div class="biblioentry">
<a name="id2595753"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
<a name="id2596121"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
</div>
<div class="biblioentry">
<a name="id2595779"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
</div>
<div class="biblioentry">
<a name="id2595815"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
<a name="id2596147"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
<div class="biblioentry">
<a name="id2595846"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
<a name="id2596190"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
Location</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
<a name="id2595904"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
<a name="id2596248"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2595930"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
<a name="id2596275"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
</div>
</div>
@ -530,39 +543,39 @@
</p>
</div>
<div class="biblioentry">
<a name="id2595978"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
<a name="id2596323"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2596018"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
<a name="id2596362"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
<a name="id2596044"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
<a name="id2596389"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
<a name="id2596074"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
<a name="id2596419"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
<a name="id2596100"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
<a name="id2596444"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
</div>
<div class="biblioentry">
<a name="id2596126"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
<a name="id2596471"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
</div>
<div class="biblioentry">
<a name="id2596163"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
<a name="id2596507"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
</div>
<div class="biblioentry">
<a name="id2596199"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
<a name="id2596544"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
</div>
<div class="biblioentry">
<a name="id2596226"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
<a name="id2596570"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
</div>
<div class="biblioentry">
<a name="id2596252"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
<a name="id2596597"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
</div>
<div class="biblioentry">
<a name="id2596297"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
<a name="id2596642"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
</div>
</div>
@ -583,14 +596,14 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2596339"></a>Other Documents About <acronym class="acronym">BIND</acronym>
<a name="id2596683"></a>Other Documents About <acronym class="acronym">BIND</acronym>
</h3></div></div></div>
<p></p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2596348"></a>Bibliography</h4></div></div></div>
<a name="id2596693"></a>Bibliography</h4></div></div></div>
<div class="biblioentry">
<a name="id2596350"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
<a name="id2596695"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
</div>
</div>
</div>

2
contrib/bind9/doc/arm/Bv9ARM.ch10.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch10.html,v 1.2.2.6.10.1 2007/07/09 02:25:52 marka Exp $ -->
<!-- $Id: Bv9ARM.ch10.html,v 1.2.2.6 2007/01/30 00:23:46 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

145
contrib/bind9/doc/arm/Bv9ARM.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.html,v 1.85.18.57.10.1 2007/07/09 02:25:52 marka Exp $ -->
<!-- $Id: Bv9ARM.html,v 1.85.18.68 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -40,7 +40,7 @@
<div class="titlepage">
<div>
<div><h1 class="title">
<a name="id2563411"></a>BIND 9 Administrator Reference Manual</h1></div>
<a name="id2563155"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="copyright">Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
</div>
@ -51,39 +51,39 @@
<dl>
<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564115">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564138">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563472">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564813">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564117">Scope of Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564140">Organization of This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563474">Conventions Used in This Document</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564816">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564835">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564869">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564953">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567283">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567524">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567586">Name Servers in Multiple Roles</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564837">DNS Fundamentals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564871">Domains and Domain Names</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567208">Zones</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567285">Authoritative Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567526">Caching Name Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567588">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567620">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567646">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567659">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567686">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567697">Supported Operating Systems</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567622">Hardware requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567649">CPU Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567661">Memory Requirements</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567688">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567699">Supported Operating Systems</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568002">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568018">An Authoritative-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568004">A Caching-only Name Server</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568020">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568040">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568464">Name Server Operations</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568042">Load Balancing</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568465">Name Server Operations</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568469">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570039">Signals</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568470">Tools for Use With the Name Server Daemon</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570184">Signals</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@ -92,33 +92,34 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570428">Split DNS</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570642">Split DNS</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570660">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570948">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571021">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571032">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571140">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571197">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571242">Errors</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571095">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571169">Copying the Shared Secret to Both Machines</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571179">Informing the Servers of the Key's Existence</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571219">Instructing the Server to Use the Key</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571413">TSIG Key Based Access Control</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571458">Errors</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571256">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571305">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571472">TKEY</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571521">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571578">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571648">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571726">Configuring Servers</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571725">Generating Keys</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571795">Signing the Zone</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571874">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571801">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572153">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572000">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572021">Address to Name Lookups Using Nibble Format</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572215">Address Lookups Using AAAA Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572236">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572054">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572269">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@ -126,83 +127,83 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573333">Comment Syntax</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573480">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574013"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574092"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574203"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574282"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574632"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574647"><span><strong class="command">include</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574711"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574726"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574670"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574692"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574782"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574908"><span><strong class="command">logging</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574749"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574771"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574930"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575056"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576395"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576469"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576533"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576577"><span><strong class="command">masters</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576406"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576480"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576544"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576587"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576592"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576602"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585031"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585080"><span><strong class="command">trusted-keys</strong></span> Statement Definition
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585361"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585410"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585228"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585490"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586599"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586798"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2588791">Zone File</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589080">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590812">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591101">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591432">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591559">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591816"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591653">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591848">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592173"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592492"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592714"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592569">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592629">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592791">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592851">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592709">Common Problems</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2592714">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592726">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592743">Where Can I Get Help?</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592999">Common Problems</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2593004">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593016">Incrementing and Changing the Serial Number</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593033">Where Can I Get Help?</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593078">Acknowledgments</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593300">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593172">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593472">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2596339">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2596683">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>

15306
contrib/bind9/doc/arm/Bv9ARM.pdf
View File

File diff suppressed because one or more lines are too long

4
contrib/bind9/doc/arm/Makefile.in
View File

@ -1,7 +1,7 @@
# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001, 2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.12.18.7 2007/02/07 23:57:58 marka Exp $
# $Id: Makefile.in,v 1.12.18.8 2007/08/28 07:20:03 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@

46
contrib/bind9/doc/arm/man.dig.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dig.html,v 1.2.2.37.10.1 2007/07/09 02:25:53 marka Exp $ -->
<!-- $Id: man.dig.html,v 1.2.2.48 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -52,7 +52,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2564026"></a><h2>DESCRIPTION</h2>
<a name="id2564025"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@ -68,7 +68,7 @@
arguments, it also has a batch mode of operation for reading lookup
requests from a file. A brief summary of its command-line arguments
and options is printed when the <code class="option">-h</code> option is given.
Unlike earlier versions, the BIND9 implementation of
Unlike earlier versions, the BIND 9 implementation of
<span><strong class="command">dig</strong></span> allows multiple lookups to be issued
from the
command line.
@ -98,7 +98,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2575037"></a><h2>SIMPLE USAGE</h2>
<a name="id2569712"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@ -144,7 +144,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2575148"></a><h2>OPTIONS</h2>
<a name="id2623002"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@ -157,7 +157,7 @@
The default query class (IN for internet) is overridden by the
<code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is
any valid
class, such as HS for Hesiod records or CH for CHAOSNET records.
class, such as HS for Hesiod records or CH for Chaosnet records.
</p>
<p>
The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
@ -165,7 +165,7 @@
in batch mode by reading a list of lookup requests to process from the
file <em class="parameter"><code>filename</code></em>. The file contains a
number of
queries, one per line. Each entry in the file should be organised in
queries, one per line. Each entry in the file should be organized in
the same way they would be presented as queries to
<span><strong class="command">dig</strong></span> using the command-line interface.
</p>
@ -188,7 +188,7 @@
The <code class="option">-t</code> option sets the query type to
<em class="parameter"><code>type</code></em>. It can be any valid query type
which is
supported in BIND9. The default query type "A", unless the
supported in BIND 9. The default query type is "A", unless the
<code class="option">-x</code> option is supplied to indicate a reverse lookup.
A zone transfer can be requested by specifying a type of AXFR. When
an incremental zone transfer (IXFR) is required,
@ -199,11 +199,11 @@
</p>
<p>
The <code class="option">-q</code> option sets the query name to
<em class="parameter"><code>name</code></em>. This useful do distingish the
<em class="parameter"><code>name</code></em>. This useful do distinguish the
<em class="parameter"><code>name</code></em> from other arguments.
</p>
<p>
Reverse lookups - mapping addresses to names - are simplified by the
Reverse lookups &#8212; mapping addresses to names &#8212; are simplified by the
<code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is
an IPv4
address in dotted-decimal notation, or a colon-delimited IPv6 address.
@ -244,7 +244,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2649141"></a><h2>QUERY OPTIONS</h2>
<a name="id2649413"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@ -267,7 +267,7 @@
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd><p>
Use [do not use] TCP when querying name servers. The default
behaviour is to use UDP unless an AXFR or IXFR query is
behavior is to use UDP unless an AXFR or IXFR query is
requested, in
which case a TCP connection is used.
</p></dd>
@ -380,7 +380,7 @@
</p></dd>
<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
<dd><p>
toggles the printing of the initial comment in the output
Toggles the printing of the initial comment in the output
identifying
the version of <span><strong class="command">dig</strong></span> and the query
options that have
@ -412,7 +412,7 @@
This query option toggles the printing of statistics: when the
query
was made, the size of the reply and so on. The default
behaviour is
behavior is
to print the query statistics.
</p></dd>
<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
@ -451,8 +451,8 @@
<dd><p>
Sets the timeout for a query to
<em class="parameter"><code>T</code></em> seconds. The default time
out is 5 seconds.
<em class="parameter"><code>T</code></em> seconds. The default
timeout is 5 seconds.
An attempt to set <em class="parameter"><code>T</code></em> to less
than 1 will result
in a query timeout of 1 second being applied.
@ -517,7 +517,7 @@
default is
to not try the next server which is the reverse of normal stub
resolver
behaviour.
behavior.
</p></dd>
<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
<dd><p>
@ -553,7 +553,7 @@
</dd>
<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
<dd><p>
When chasing DNSSEC signature chains perform a top down
When chasing DNSSEC signature chains perform a top-down
validation.
Requires dig be compiled with -DDIG_SIGCHASE.
</p></dd>
@ -563,7 +563,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2650059"></a><h2>MULTIPLE QUERIES</h2>
<a name="id2650468"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@ -609,7 +609,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2650213"></a><h2>IDN SUPPORT</h2>
<a name="id2650553"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@ -623,14 +623,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2650242"></a><h2>FILES</h2>
<a name="id2650582"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2650263"></a><h2>SEE ALSO</h2>
<a name="id2650603"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@ -638,7 +638,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2650300"></a><h2>BUGS</h2>
<a name="id2650641"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>

26
contrib/bind9/doc/arm/man.dnssec-keygen.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keygen.html,v 1.2.2.37.10.1 2007/07/09 02:25:53 marka Exp $ -->
<!-- $Id: man.dnssec-keygen.html,v 1.2.2.47 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -50,15 +50,15 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2597558"></a><h2>DESCRIPTION</h2>
<a name="id2597830"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC &lt;TBA\&gt;. It can also generate keys for use with
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2597572"></a><h2>OPTIONS</h2>
<a name="id2597844"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@ -166,7 +166,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2598052"></a><h2>GENERATED KEYS</h2>
<a name="id2598187"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@ -186,7 +186,7 @@
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
creates two file, with names based
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
@ -200,19 +200,19 @@
statement).
</p>
<p>
The <code class="filename">.private</code> file contains algorithm
specific
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric encryption algorithm such as
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2598160"></a><h2>EXAMPLE</h2>
<a name="id2598295"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@ -229,11 +229,11 @@
In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
the files <code class="filename">Kexample.com.+003+26160.key</code>
and
<code class="filename">Kexample.com.+003+26160.private</code>
<code class="filename">Kexample.com.+003+26160.private</code>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2600196"></a><h2>SEE ALSO</h2>
<a name="id2600195"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2535</em>,
@ -242,7 +242,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2600227"></a><h2>AUTHOR</h2>
<a name="id2600226"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

63
contrib/bind9/doc/arm/man.dnssec-signzone.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-signzone.html,v 1.2.2.35.10.1 2007/07/09 02:25:53 marka Exp $ -->
<!-- $Id: man.dnssec-signzone.html,v 1.2.2.46 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2598407"></a><h2>DESCRIPTION</h2>
<a name="id2598823"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@ -61,7 +61,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2598426"></a><h2>OPTIONS</h2>
<a name="id2598842"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@ -117,7 +117,7 @@
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to
the
input file.
input filename.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
@ -127,7 +127,7 @@
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
When a previously signed zone is passed as input, records
When a previously-signed zone is passed as input, records
may be resigned. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
time (in seconds). If a RRSIG record expires after the
@ -163,8 +163,8 @@
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <code class="option">jitter</code> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
@ -250,47 +250,52 @@
</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
The keys used to sign the zone. If no keys are specified, the
default all zone keys that have private key files in the
current directory.
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys, in the current directory,
then these will be used for signing.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2622323"></a><h2>EXAMPLE</h2>
<a name="id2641307"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
man page. The zone's keys must be in the zone. If there are
<code class="filename">keyset</code> files associated with child
zones,
they must be in the current directory.
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
</p>
<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com
Kexample.com.+003+26160</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
(Kexample.com.+003+17247). The zone's keys must be in the master
file (<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">keyset</code> files, in the current directory,
so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
The command would print a string of the form:
</p>
<p>
In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file
should be referenced in a zone statement in a
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
</p>
<p>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2641229"></a><h2>SEE ALSO</h2>
<a name="id2641380"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2535</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2652723"></a><h2>AUTHOR</h2>
<a name="id2641404"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

16
contrib/bind9/doc/arm/man.host.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.host.html,v 1.2.2.36.10.1 2007/07/09 02:25:53 marka Exp $ -->
<!-- $Id: man.host.html,v 1.2.2.46 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2596661"></a><h2>DESCRIPTION</h2>
<a name="id2597000"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@ -143,7 +143,7 @@
attempt to resolve <em class="parameter"><code>name</code></em>. The
<code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
to mimic
the behaviour of a name server by making non-recursive queries and
the behavior of a name server by making non-recursive queries and
expecting to receive answers to those queries that are usually
referrals to other name servers.
</p>
@ -161,7 +161,7 @@
</p>
<p>
The <code class="option">-t</code> option is used to select the query type.
<em class="parameter"><code>type</code></em> can be any recognised query
<em class="parameter"><code>type</code></em> can be any recognized query
type: CNAME,
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<span><strong class="command">host</strong></span> automatically selects an appropriate
@ -192,7 +192,7 @@
The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span>
<span class="emphasis"><em>not</em></span> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the
reverse of normal stub resolver behaviour.
reverse of normal stub resolver behavior.
</p>
<p>
The <code class="option">-m</code> can be used to set the memory usage debugging
@ -202,7 +202,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2597312"></a><h2>IDN SUPPORT</h2>
<a name="id2597514"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@ -216,12 +216,12 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2597340"></a><h2>FILES</h2>
<a name="id2597543"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2599061"></a><h2>SEE ALSO</h2>
<a name="id2597557"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>

19
contrib/bind9/doc/arm/man.named-checkconf.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.named-checkconf.html,v 1.2.2.38.10.1 2007/07/09 02:25:53 marka Exp $ -->
<!-- $Id: man.named-checkconf.html,v 1.2.2.49 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -50,18 +50,18 @@
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2599724"></a><h2>DESCRIPTION</h2>
<a name="id2599604"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a named
configuration file.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2599738"></a><h2>OPTIONS</h2>
<a name="id2599618"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
chroot to <code class="filename">directory</code> so that
Chroot to <code class="filename">directory</code> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted named.
@ -73,8 +73,8 @@
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Perform a check load the master zonefiles found in
<code class="filename">named.conf</code>.
Perform a test load of all master zones found in
<code class="filename">named.conf</code>.
</p></dd>
<dt><span class="term">-j</span></dt>
<dd><p>
@ -88,20 +88,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2599840"></a><h2>RETURN VALUES</h2>
<a name="id2599720"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2599853"></a><h2>SEE ALSO</h2>
<a name="id2599734"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2599875"></a><h2>AUTHOR</h2>
<a name="id2599764"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

21
contrib/bind9/doc/arm/man.named-checkzone.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.named-checkzone.html,v 1.2.2.40.10.1 2007/07/09 02:25:53 marka Exp $ -->
<!-- $Id: man.named-checkzone.html,v 1.2.2.52 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -51,7 +51,7 @@
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2601347"></a><h2>DESCRIPTION</h2>
<a name="id2600689"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@ -65,13 +65,13 @@
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <span><strong class="command">named</strong></span>.
When manaully specified otherwise, the check levels must at
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<span><strong class="command">named</strong></span> configuration file.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2601397"></a><h2>OPTIONS</h2>
<a name="id2600739"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@ -97,7 +97,7 @@
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Perform post load zone integrity checks. Possible modes are
Perform post-load zone integrity checks. Possible modes are
<span><strong class="command">"full"</strong></span> (default),
<span><strong class="command">"full-sibling"</strong></span>,
<span><strong class="command">"local"</strong></span>,
@ -119,7 +119,7 @@
<p>
Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue addresses records
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <span><strong class="command">"local"</strong></span> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
@ -213,7 +213,7 @@
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
chroot to <code class="filename">directory</code> so that
Chroot to <code class="filename">directory</code> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted named.
@ -251,21 +251,22 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2654948"></a><h2>RETURN VALUES</h2>
<a name="id2655177"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2654962"></a><h2>SEE ALSO</h2>
<a name="id2655191"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2654986"></a><h2>AUTHOR</h2>
<a name="id2655224"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

41
contrib/bind9/doc/arm/man.named.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.named.html,v 1.2.2.43.10.1 2007/07/09 02:25:53 marka Exp $ -->
<!-- $Id: man.named.html,v 1.2.2.53 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -47,10 +47,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2601554"></a><h2>DESCRIPTION</h2>
<a name="id2601798"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@ -65,7 +65,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2601585"></a><h2>OPTIONS</h2>
<a name="id2601829"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@ -106,6 +106,17 @@
Run the server in the foreground and force all logging
to <code class="filename">stderr</code>.
</p></dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Turn on memory usage debugging flags. Possible flags are
<em class="replaceable"><code>usage</code></em>,
<em class="replaceable"><code>trace</code></em>,
<em class="replaceable"><code>record</code></em>,
<em class="replaceable"><code>size</code></em>, and
<em class="replaceable"><code>mctx</code></em>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<code class="filename">&lt;isc/mem.h&gt;</code>.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
<dd><p>
Create <em class="replaceable"><code>#cpus</code></em> worker threads
@ -135,7 +146,7 @@
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p><code class="function">chroot()</code>
<p>Chroot
to <em class="replaceable"><code>directory</code></em> after
processing the command line arguments, but before
reading the configuration file.
@ -146,7 +157,7 @@
This option should be used in conjunction with the
<code class="option">-u</code> option, as chrooting a process
running as root doesn't enhance security on most
systems; the way <code class="function">chroot()</code> is
systems; the way <code class="function">chroot(2)</code> is
defined allows a process with root privileges to
escape a chroot jail.
</p>
@ -154,7 +165,7 @@
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd>
<p><code class="function">setuid()</code>
<p>Setuid
to <em class="replaceable"><code>user</code></em> after completing
privileged operations, such as creating sockets that
listen on privileged ports.
@ -164,7 +175,7 @@
<p>
On Linux, <span><strong class="command">named</strong></span> uses the kernel's
capability mechanism to drop all root privileges
except the ability to <code class="function">bind()</code> to
except the ability to <code class="function">bind(2)</code> to
a
privileged port and set process resource limits.
Unfortunately, this means that the <code class="option">-u</code>
@ -172,7 +183,7 @@
run
on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
later, since previous kernels did not allow privileges
to be retained after <code class="function">setuid()</code>.
to be retained after <code class="function">setuid(2)</code>.
</p>
</div>
</dd>
@ -198,7 +209,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2602364"></a><h2>SIGNALS</h2>
<a name="id2604492"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@ -219,7 +230,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2602414"></a><h2>CONFIGURATION</h2>
<a name="id2604542"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@ -228,7 +239,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2602434"></a><h2>FILES</h2>
<a name="id2604562"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@ -241,10 +252,12 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2603911"></a><h2>SEE ALSO</h2>
<a name="id2604605"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
@ -252,7 +265,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2603962"></a><h2>AUTHOR</h2>
<a name="id2604881"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

12
contrib/bind9/doc/arm/man.rndc-confgen.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.rndc-confgen.html,v 1.2.2.44.10.1 2007/07/09 02:25:53 marka Exp $ -->
<!-- $Id: man.rndc-confgen.html,v 1.2.2.55 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -48,7 +48,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2603716"></a><h2>DESCRIPTION</h2>
<a name="id2605524"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@ -64,7 +64,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2604055"></a><h2>OPTIONS</h2>
<a name="id2605590"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@ -171,7 +171,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2606557"></a><h2>EXAMPLES</h2>
<a name="id2606454"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@ -188,7 +188,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2606614"></a><h2>SEE ALSO</h2>
<a name="id2609036"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@ -196,7 +196,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2606652"></a><h2>AUTHOR</h2>
<a name="id2609075"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

18
contrib/bind9/doc/arm/man.rndc.conf.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.rndc.conf.html,v 1.2.2.43.10.1 2007/07/09 02:25:53 marka Exp $ -->
<!-- $Id: man.rndc.conf.html,v 1.2.2.55 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2599206"></a><h2>DESCRIPTION</h2>
<a name="id2603676"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@ -105,7 +105,7 @@
name of a key statement in the file. The port number
specifies the port to connect to. If an <code class="option">addresses</code>
clause is supplied these addresses will be used instead of
the server name. Each address can take a optional port.
the server name. Each address can take an optional port.
If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
of supplied then these will be used to specify the IPv4 and IPv6
source addresses respectively.
@ -135,7 +135,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2603201"></a><h2>EXAMPLE</h2>
<a name="id2604121"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
@ -171,7 +171,7 @@
key testkey {
algorithm hmac-md5;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
}
};
</pre>
<p>
</p>
@ -198,7 +198,7 @@
A complete <code class="filename">rndc.conf</code> file, including
the
randomly generated key, will be written to the standard
output. Commented out <code class="option">key</code> and
output. Commented-out <code class="option">key</code> and
<code class="option">controls</code> statements for
<code class="filename">named.conf</code> are also printed.
</p>
@ -209,7 +209,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2603459"></a><h2>NAME SERVER CONFIGURATION</h2>
<a name="id2604994"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
@ -219,7 +219,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2603484"></a><h2>SEE ALSO</h2>
<a name="id2605019"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@ -227,7 +227,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2603523"></a><h2>AUTHOR</h2>
<a name="id2605058"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

33
contrib/bind9/doc/arm/man.rndc.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.rndc.html,v 1.2.2.42.10.1 2007/07/09 02:25:53 marka Exp $ -->
<!-- $Id: man.rndc.html,v 1.2.2.54 2007/10/31 01:35:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2602522"></a><h2>DESCRIPTION</h2>
<a name="id2603169"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
@ -64,7 +64,7 @@
communicates with the name server
over a TCP connection, sending commands authenticated with
digital signatures. In the current versions of
<span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named
<span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
the only supported authentication algorithm is HMAC-MD5,
which uses a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
@ -79,7 +79,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2602572"></a><h2>OPTIONS</h2>
<a name="id2603219"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
@ -106,13 +106,12 @@
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
the name or address of the server which matches a
the name or address of the server which matches a
server statement in the configuration file for
<span><strong class="command">rndc</strong></span>. If no server is supplied on
the
<span><strong class="command">rndc</strong></span>. If no server is supplied on the
command line, the host named by the default-server clause
in the option statement of the configuration file will be
used.
in the options statement of the <span><strong class="command">rndc</strong></span>
configuration file will be used.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
@ -125,15 +124,15 @@
<dd><p>
Enable verbose logging.
</p></dd>
<dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt>
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
<dd><p>
Use the key <em class="replaceable"><code>keyid</code></em>
Use the key <em class="replaceable"><code>key_id</code></em>
from the configuration file.
<em class="replaceable"><code>keyid</code></em>
<em class="replaceable"><code>key_id</code></em>
must be
known by named with the same algorithm and secret string
in order for control message validation to succeed.
If no <em class="replaceable"><code>keyid</code></em>
If no <em class="replaceable"><code>key_id</code></em>
is specified, <span><strong class="command">rndc</strong></span> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
@ -152,7 +151,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2602928"></a><h2>LIMITATIONS</h2>
<a name="id2603512"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@ -166,16 +165,16 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2602958"></a><h2>SEE ALSO</h2>
<a name="id2603543"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2603005"></a><h2>AUTHOR</h2>
<a name="id2603590"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

4
contrib/bind9/doc/misc/Makefile.in
View File

@ -1,7 +1,7 @@
# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.3.18.2 2007/01/30 23:52:53 marka Exp $
# $Id: Makefile.in,v 1.3.18.3 2007/08/28 07:20:03 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@

12
contrib/bind9/doc/misc/migration
View File

@ -1,4 +1,4 @@
Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
@ -134,9 +134,8 @@ characters.
3.1. EDNS0
BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardised,
but we hope it will be.
also sets DO EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses.
Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
@ -173,6 +172,8 @@ http://support.microsoft.com/default.aspx?scid=kb;en-us;297936
4. Unrestricted Character Set
BIND 9.2 only
BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.
@ -192,6 +193,7 @@ no-check-names" in resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.
BIND 9.3 onwards implements check-names.
5. Server Administration Tools
@ -252,4 +254,4 @@ necessary, the umask should be set explicitly in the script used to
start the named process.
$Id: migration,v 1.45.18.1 2004/11/22 22:32:19 marka Exp $
$Id: migration,v 1.45.18.2 2007/09/07 06:34:21 marka Exp $

6
contrib/bind9/doc/rfc/index
View File

@ -105,4 +105,10 @@
4255: Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
4343: Domain Name System (DNS) Case Insensitivity Clarification
4367: What's in a Name: False Assumptions about DNS Names
4398: Storing Certificates in the Domain Name System (DNS)
4431: The DNSSEC Lookaside Validation (DLV) DNS Resource Record
4408: Sender Policy Framework (SPF) for Authorizing Use of Domains
in E-Mail, Version 1
4470: Minimally Covering NSEC Records and DNSSEC On-line Signing
4634: US Secure Hash Algorithms (SHA and HMAC-SHA)
4641: DNSSEC Operational Practices

955
contrib/bind9/doc/rfc/rfc4398.txt Normal file
View File

@ -0,0 +1,955 @@
Network Working Group S. Josefsson
Request for Comments: 4398 March 2006
Obsoletes: 2538
Category: Standards Track
Storing Certificates in the Domain Name System (DNS)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
Cryptographic public keys are frequently published, and their
authenticity is demonstrated by certificates. A CERT resource record
(RR) is defined so that such certificates and related certificate
revocation lists can be stored in the Domain Name System (DNS).
This document obsoletes RFC 2538.
Josefsson Standards Track [Page 1]
RFC 4398 Storing Certificates in the DNS February 2006
Table of Contents
1. Introduction ....................................................3
2. The CERT Resource Record ........................................3
2.1. Certificate Type Values ....................................4
2.2. Text Representation of CERT RRs ............................6
2.3. X.509 OIDs .................................................6
3. Appropriate Owner Names for CERT RRs ............................7
3.1. Content-Based X.509 CERT RR Names ..........................8
3.2. Purpose-Based X.509 CERT RR Names ..........................9
3.3. Content-Based OpenPGP CERT RR Names ........................9
3.4. Purpose-Based OpenPGP CERT RR Names .......................10
3.5. Owner Names for IPKIX, ISPKI, IPGP, and IACPKIX ...........10
4. Performance Considerations .....................................11
5. Contributors ...................................................11
6. Acknowledgements ...............................................11
7. Security Considerations ........................................12
8. IANA Considerations ............................................12
9. Changes since RFC 2538 .........................................13
10. References ....................................................14
10.1. Normative References .....................................14
10.2. Informative References ...................................15
Appendix A. Copying Conditions ...................................16
Josefsson Standards Track [Page 2]
RFC 4398 Storing Certificates in the DNS February 2006
1. Introduction
Public keys are frequently published in the form of a certificate,
and their authenticity is commonly demonstrated by certificates and
related certificate revocation lists (CRLs). A certificate is a
binding, through a cryptographic digital signature, of a public key,
a validity interval and/or conditions, and identity, authorization,
or other information. A certificate revocation list is a list of
certificates that are revoked, and of incidental information, all
signed by the signer (issuer) of the revoked certificates. Examples
are X.509 certificates/CRLs in the X.500 directory system or OpenPGP
certificates/revocations used by OpenPGP software.
Section 2 specifies a CERT resource record (RR) for the storage of
certificates in the Domain Name System [1] [2].
Section 3 discusses appropriate owner names for CERT RRs.
Sections 4, 7, and 8 cover performance, security, and IANA
considerations, respectively.
Section 9 explains the changes in this document compared to RFC 2538.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [3].
2. The CERT Resource Record
The CERT resource record (RR) has the structure given below. Its RR
type code is 37.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| type | key tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| algorithm | /
+---------------+ certificate or CRL /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
The type field is the certificate type as defined in Section 2.1
below.
The key tag field is the 16-bit value computed for the key embedded
in the certificate, using the RRSIG Key Tag algorithm described in
Appendix B of [12]. This field is used as an efficiency measure to
Josefsson Standards Track [Page 3]
RFC 4398 Storing Certificates in the DNS February 2006
pick which CERT RRs may be applicable to a particular key. The key
tag can be calculated for the key in question, and then only CERT RRs
with the same key tag need to be examined. Note that two different
keys can have the same key tag. However, the key MUST be transformed
to the format it would have as the public key portion of a DNSKEY RR
before the key tag is computed. This is only possible if the key is
applicable to an algorithm and complies to limits (such as key size)
defined for DNS security. If it is not, the algorithm field MUST be
zero and the tag field is meaningless and SHOULD be zero.
The algorithm field has the same meaning as the algorithm field in
DNSKEY and RRSIG RRs [12], except that a zero algorithm field
indicates that the algorithm is unknown to a secure DNS, which may
simply be the result of the algorithm not having been standardized
for DNSSEC [11].
2.1. Certificate Type Values
The following values are defined or reserved:
Value Mnemonic Certificate Type
----- -------- ----------------
0 Reserved
1 PKIX X.509 as per PKIX
2 SPKI SPKI certificate
3 PGP OpenPGP packet
4 IPKIX The URL of an X.509 data object
5 ISPKI The URL of an SPKI certificate
6 IPGP The fingerprint and URL of an OpenPGP packet
7 ACPKIX Attribute Certificate
8 IACPKIX The URL of an Attribute Certificate
9-252 Available for IANA assignment
253 URI URI private
254 OID OID private
255 Reserved
256-65279 Available for IANA assignment
65280-65534 Experimental
65535 Reserved
These values represent the initial content of the IANA registry; see
Section 8.
The PKIX type is reserved to indicate an X.509 certificate conforming
to the profile defined by the IETF PKIX working group [8]. The
certificate section will start with a one-octet unsigned OID length
and then an X.500 OID indicating the nature of the remainder of the
Josefsson Standards Track [Page 4]
RFC 4398 Storing Certificates in the DNS February 2006
certificate section (see Section 2.3, below). (NOTE: X.509
certificates do not include their X.500 directory-type-designating
OID as a prefix.)
The SPKI and ISPKI types are reserved to indicate the SPKI
certificate format [15], for use when the SPKI documents are moved
from experimental status. The format for these two CERT RR types
will need to be specified later.
The PGP type indicates an OpenPGP packet as described in [5] and its
extensions and successors. This is used to transfer public key
material and revocation signatures. The data is binary and MUST NOT
be encoded into an ASCII armor. An implementation SHOULD process
transferable public keys as described in Section 10.1 of [5], but it
MAY handle additional OpenPGP packets.
The ACPKIX type indicates an Attribute Certificate format [9].
The IPKIX and IACPKIX types indicate a URL that will serve the
content that would have been in the "certificate, CRL, or URL" field
of the corresponding type (PKIX or ACPKIX, respectively).
The IPGP type contains both an OpenPGP fingerprint for the key in
question, as well as a URL. The certificate portion of the IPGP CERT
RR is defined as a one-octet fingerprint length, followed by the
OpenPGP fingerprint, followed by the URL. The OpenPGP fingerprint is
calculated as defined in RFC 2440 [5]. A zero-length fingerprint or
a zero-length URL are legal, and indicate URL-only IPGP data or
fingerprint-only IPGP data, respectively. A zero-length fingerprint
and a zero-length URL are meaningless and invalid.
The IPKIX, ISPKI, IPGP, and IACPKIX types are known as "indirect".
These types MUST be used when the content is too large to fit in the
CERT RR and MAY be used at the implementer's discretion. They SHOULD
NOT be used where the DNS message is 512 octets or smaller and could
thus be expected to fit a UDP packet.
The URI private type indicates a certificate format defined by an
absolute URI. The certificate portion of the CERT RR MUST begin with
a null-terminated URI [10], and the data after the null is the
private format certificate itself. The URI SHOULD be such that a
retrieval from it will lead to documentation on the format of the
certificate. Recognition of private certificate types need not be
based on URI equality but can use various forms of pattern matching
so that, for example, subtype or version information can also be
encoded into the URI.
Josefsson Standards Track [Page 5]
RFC 4398 Storing Certificates in the DNS February 2006
The OID private type indicates a private format certificate specified
by an ISO OID prefix. The certificate section will start with a
one-octet unsigned OID length and then a BER-encoded OID indicating
the nature of the remainder of the certificate section. This can be
an X.509 certificate format or some other format. X.509 certificates
that conform to the IETF PKIX profile SHOULD be indicated by the PKIX
type, not the OID private type. Recognition of private certificate
types need not be based on OID equality but can use various forms of
pattern matching such as OID prefix.
2.2. Text Representation of CERT RRs
The RDATA portion of a CERT RR has the type field as an unsigned
decimal integer or as a mnemonic symbol as listed in Section 2.1,
above.
The key tag field is represented as an unsigned decimal integer.
The algorithm field is represented as an unsigned decimal integer or
a mnemonic symbol as listed in [12].
The certificate/CRL portion is represented in base 64 [16] and may be
divided into any number of white-space-separated substrings, down to
single base-64 digits, which are concatenated to obtain the full
signature. These substrings can span lines using the standard
parenthesis.
Note that the certificate/CRL portion may have internal sub-fields,
but these do not appear in the master file representation. For
example, with type 254, there will be an OID size, an OID, and then
the certificate/CRL proper. However, only a single logical base-64
string will appear in the text representation.
2.3. X.509 OIDs
OIDs have been defined in connection with the X.500 directory for
user certificates, certification authority certificates, revocations
of certification authority, and revocations of user certificates.
The following table lists the OIDs, their BER encoding, and their
length-prefixed hex format for use in CERT RRs:
Josefsson Standards Track [Page 6]
RFC 4398 Storing Certificates in the DNS February 2006
id-at-userCertificate
= { joint-iso-ccitt(2) ds(5) at(4) 36 }
== 0x 03 55 04 24
id-at-cACertificate
= { joint-iso-ccitt(2) ds(5) at(4) 37 }
== 0x 03 55 04 25
id-at-authorityRevocationList
= { joint-iso-ccitt(2) ds(5) at(4) 38 }
== 0x 03 55 04 26
id-at-certificateRevocationList
= { joint-iso-ccitt(2) ds(5) at(4) 39 }
== 0x 03 55 04 27
3. Appropriate Owner Names for CERT RRs
It is recommended that certificate CERT RRs be stored under a domain
name related to their subject, i.e., the name of the entity intended
to control the private key corresponding to the public key being
certified. It is recommended that certificate revocation list CERT
RRs be stored under a domain name related to their issuer.
Following some of the guidelines below may result in DNS names with
characters that require DNS quoting as per Section 5.1 of RFC 1035
[2].
The choice of name under which CERT RRs are stored is important to
clients that perform CERT queries. In some situations, the clients
may not know all information about the CERT RR object it wishes to
retrieve. For example, a client may not know the subject name of an
X.509 certificate, or the email address of the owner of an OpenPGP
key. Further, the client might only know the hostname of a service
that uses X.509 certificates or the Key ID of an OpenPGP key.
Therefore, two owner name guidelines are defined: content-based owner
names and purpose-based owner names. A content-based owner name is
derived from the content of the CERT RR data; for example, the
Subject field in an X.509 certificate or the User ID field in OpenPGP
keys. A purpose-based owner name is a name that a client retrieving
CERT RRs ought to know already; for example, the host name of an
X.509 protected service or the Key ID of an OpenPGP key. The
content-based and purpose-based owner name may be the same; for
example, when a client looks up a key based on the From: address of
an incoming email.
Implementations SHOULD use the purpose-based owner name guidelines
described in this document and MAY use CNAME RRs at content-based
owner names (or other names), pointing to the purpose-based owner
name.
Josefsson Standards Track [Page 7]
RFC 4398 Storing Certificates in the DNS February 2006
Note that this section describes an application-based mapping from
the name space used in a certificate to the name space used by DNS.
The DNS does not infer any relationship amongst CERT resource records
based on similarities or differences of the DNS owner name(s) of CERT
resource records. For example, if multiple labels are used when
mapping from a CERT identifier to a domain name, then care must be
taken in understanding wildcard record synthesis.
3.1. Content-Based X.509 CERT RR Names
Some X.509 versions, such as the PKIX profile of X.509 [8], permit
multiple names to be associated with subjects and issuers under
"Subject Alternative Name" and "Issuer Alternative Name". For
example, the PKIX profile has such Alternate Names with an ASN.1
specification as follows:
GeneralName ::= CHOICE {
otherName [0] OtherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
The recommended locations of CERT storage are as follows, in priority
order:
1. If a domain name is included in the identification in the
certificate or CRL, that ought to be used.
2. If a domain name is not included but an IP address is included,
then the translation of that IP address into the appropriate
inverse domain name ought to be used.
3. If neither of the above is used, but a URI containing a domain
name is present, that domain name ought to be used.
4. If none of the above is included but a character string name is
included, then it ought to be treated as described below for
OpenPGP names.
5. If none of the above apply, then the distinguished name (DN)
ought to be mapped into a domain name as specified in [4].
Example 1: An X.509v3 certificate is issued to /CN=John Doe /DC=Doe/
DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names of (a)
string "John (the Man) Doe", (b) domain name john-doe.com, and (c)
URI <https://www.secure.john-doe.com:8080/>. The storage locations
recommended, in priority order, would be
Josefsson Standards Track [Page 8]
RFC 4398 Storing Certificates in the DNS February 2006
1. john-doe.com,
2. www.secure.john-doe.com, and
3. Doe.com.xy.
Example 2: An X.509v3 certificate is issued to /CN=James Hacker/
L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a)
domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and
(c) string "James Hacker <hacker@mail.widget.foo.example>". The
storage locations recommended, in priority order, would be
1. widget.foo.example,
2. 201.13.251.10.in-addr.arpa, and
3. hacker.mail.widget.foo.example.
3.2. Purpose-Based X.509 CERT RR Names
Due to the difficulty for clients that do not already possess a
certificate to reconstruct the content-based owner name,
purpose-based owner names are recommended in this section.
Recommendations for purpose-based owner names vary per scenario. The
following table summarizes the purpose-based X.509 CERT RR owner name
guidelines for use with S/MIME [17], SSL/TLS [13], and IPsec [14]:
Scenario Owner name
------------------ ----------------------------------------------
S/MIME Certificate Standard translation of an RFC 2822 email
address. Example: An S/MIME certificate for
"postmaster@example.org" will use a standard
hostname translation of the owner name,
"postmaster.example.org".
TLS Certificate Hostname of the TLS server.
IPsec Certificate Hostname of the IPsec machine and/or, for IPv4
or IPv6 addresses, the fully qualified domain
name in the appropriate reverse domain.
An alternate approach for IPsec is to store raw public keys [18].
3.3. Content-Based OpenPGP CERT RR Names
OpenPGP signed keys (certificates) use a general character string
User ID [5]. However, it is recommended by OpenPGP that such names
include the RFC 2822 [7] email address of the party, as in "Leslie
Example <Leslie@host.example>". If such a format is used, the CERT
ought to be under the standard translation of the email address into
Josefsson Standards Track [Page 9]
RFC 4398 Storing Certificates in the DNS February 2006
a domain name, which would be leslie.host.example in this case. If
no RFC 2822 name can be extracted from the string name, no specific
domain name is recommended.
If a user has more than one email address, the CNAME type can be used
to reduce the amount of data stored in the DNS. For example:
$ORIGIN example.org.
smith IN CERT PGP 0 0 <OpenPGP binary>
john.smith IN CNAME smith
js IN CNAME smith
3.4. Purpose-Based OpenPGP CERT RR Names
Applications that receive an OpenPGP packet containing encrypted or
signed data but do not know the email address of the sender will have
difficulties constructing the correct owner name and cannot use the
content-based owner name guidelines. However, these clients commonly
know the key fingerprint or the Key ID. The key ID is found in
OpenPGP packets, and the key fingerprint is commonly found in
auxiliary data that may be available. In this case, use of an owner
name identical to the key fingerprint and the key ID expressed in
hexadecimal [16] is recommended. For example:
$ORIGIN example.org.
0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ...
F835EDA21E94B565716F IN CERT PGP ...
B565716F IN CERT PGP ...
If the same key material is stored for several owner names, the use
of CNAME may help avoid data duplication. Note that CNAME is not
always applicable, because it maps one owner name to the other for
all purposes, which may be sub-optimal when two keys with the same
Key ID are stored.
3.5. Owner Names for IPKIX, ISPKI, IPGP, and IACPKIX
These types are stored under the same owner names, both purpose- and
content-based, as the PKIX, SPKI, PGP, and ACPKIX types.
Josefsson Standards Track [Page 10]
RFC 4398 Storing Certificates in the DNS February 2006
4. Performance Considerations
The Domain Name System (DNS) protocol was designed for small
transfers, typically below 512 octets. While larger transfers will
perform correctly and work is underway to make larger transfers more
efficient, it is still advisable at this time that every reasonable
effort be made to minimize the size of certificates stored within the
DNS. Steps that can be taken may include using the fewest possible
optional or extension fields and using short field values for
necessary variable-length fields.
The RDATA field in the DNS protocol may only hold data of size 65535
octets (64kb) or less. This means that each CERT RR MUST NOT contain
more than 64kb of payload, even if the corresponding certificate or
certificate revocation list is larger. This document addresses this
by defining "indirect" data types for each normal type.
Deploying CERT RRs to support digitally signed email changes the
access patterns of DNS lookups from per-domain to per-user. If
digitally signed email and a key/certificate lookup based on CERT RRs
are deployed on a wide scale, this may lead to an increased DNS load,
with potential performance and cache effectiveness consequences.
Whether or not this load increase will be noticeable is not known.
5. Contributors
The majority of this document is copied verbatim from RFC 2538, by
Donald Eastlake 3rd and Olafur Gudmundsson.
6. Acknowledgements
Thanks to David Shaw and Michael Graff for their contributions to
earlier works that motivated, and served as inspiration for, this
document.
This document was improved by suggestions and comments from Olivier
Dubuisson, Scott Hollenbeck, Russ Housley, Peter Koch, Olaf M.
Kolkman, Ben Laurie, Edward Lewis, John Loughney, Allison Mankin,
Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel
Weiler, and Florian Weimer. No doubt the list is incomplete. We
apologize to anyone we left out.
Josefsson Standards Track [Page 11]
RFC 4398 Storing Certificates in the DNS February 2006
7. Security Considerations
By definition, certificates contain their own authenticating
signatures. Thus, it is reasonable to store certificates in
non-secure DNS zones or to retrieve certificates from DNS with DNS
security checking not implemented or deferred for efficiency. The
results may be trusted if the certificate chain is verified back to a
known trusted key and this conforms with the user's security policy.
Alternatively, if certificates are retrieved from a secure DNS zone
with DNS security checking enabled and are verified by DNS security,
the key within the retrieved certificate may be trusted without
verifying the certificate chain if this conforms with the user's
security policy.
If an organization chooses to issue certificates for its employees,
placing CERT RRs in the DNS by owner name, and if DNSSEC (with NSEC)
is in use, it is possible for someone to enumerate all employees of
the organization. This is usually not considered desirable, for the
same reason that enterprise phone listings are not often publicly
published and are even marked confidential.
Using the URI type introduces another level of indirection that may
open a new vulnerability. One method of securing that indirection is
to include a hash of the certificate in the URI itself.
If DNSSEC is used, then the non-existence of a CERT RR and,
consequently, certificates or revocation lists can be securely
asserted. Without DNSSEC, this is not possible.
8. IANA Considerations
The IANA has created a new registry for CERT RR: certificate types.
The initial contents of this registry is:
Decimal Type Meaning Reference
------- ---- ------- ---------
0 Reserved RFC 4398
1 PKIX X.509 as per PKIX RFC 4398
2 SPKI SPKI certificate RFC 4398
3 PGP OpenPGP packet RFC 4398
4 IPKIX The URL of an X.509 data object RFC 4398
5 ISPKI The URL of an SPKI certificate RFC 4398
6 IPGP The fingerprint and URL RFC 4398
of an OpenPGP packet
7 ACPKIX Attribute Certificate RFC 4398
8 IACPKIX The URL of an Attribute RFC 4398
Certificate
Josefsson Standards Track [Page 12]
RFC 4398 Storing Certificates in the DNS February 2006
9-252 Available for IANA assignment
by IETF Standards action
253 URI URI private RFC 4398
254 OID OID private RFC 4398
255 Reserved RFC 4398
256-65279 Available for IANA assignment
by IETF Consensus
65280-65534 Experimental RFC 4398
65535 Reserved RFC 4398
Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
only be assigned by an IETF standards action [6]. This document
assigns 0x0001 through 0x0008 and 0x00FD and 0x00FE. Certificate
types 0x0100 through 0xFEFF are assigned through IETF Consensus [6]
based on RFC documentation of the certificate type. The availability
of private types under 0x00FD and 0x00FE ought to satisfy most
requirements for proprietary or private types.
The CERT RR reuses the DNS Security Algorithm Numbers registry. In
particular, the CERT RR requires that algorithm number 0 remain
reserved, as described in Section 2. The IANA will reference the
CERT RR as a user of this registry and value 0, in particular.
9. Changes since RFC 2538
1. Editorial changes to conform with new document requirements,
including splitting reference section into two parts and
updating the references to point at latest versions, and to add
some additional references.
2. Improve terminology. For example replace "PGP" with "OpenPGP",
to align with RFC 2440.
3. In Section 2.1, clarify that OpenPGP public key data are binary,
not the ASCII armored format, and reference 10.1 in RFC 2440 on
how to deal with OpenPGP keys, and acknowledge that
implementations may handle additional packet types.
4. Clarify that integers in the representation format are decimal.
5. Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis
terminology. Improve reference for Key Tag Algorithm
calculations.
6. Add examples that suggest use of CNAME to reduce bandwidth.
7. In Section 3, appended the last paragraphs that discuss
"content-based" vs "purpose-based" owner names. Add Section 3.2
for purpose-based X.509 CERT owner names, and Section 3.4 for
purpose-based OpenPGP CERT owner names.
8. Added size considerations.
9. The SPKI types has been reserved, until RFC 2692/2693 is moved
from the experimental status.
10. Added indirect types IPKIX, ISPKI, IPGP, and IACPKIX.
Josefsson Standards Track [Page 13]
RFC 4398 Storing Certificates in the DNS February 2006
11. An IANA registry of CERT type values was created.
10. References
10.1. Normative References
[1] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[2] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[4] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri,
"Using Domains in LDAP/X.500 Distinguished Names", RFC 2247,
January 1998.
[5] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
"OpenPGP Message Format", RFC 2440, November 1998.
[6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998.
[7] Resnick, P., "Internet Message Format", RFC 2822, April 2001.
[8] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509
Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile", RFC 3280, April 2002.
[9] Farrell, S. and R. Housley, "An Internet Attribute Certificate
Profile for Authorization", RFC 3281, April 2002.
[10] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
January 2005.
[11] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033,
March 2005.
[12] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Resource Records for the DNS Security Extensions", RFC 4034,
March 2005.
Josefsson Standards Track [Page 14]
RFC 4398 Storing Certificates in the DNS February 2006
10.2. Informative References
[13] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999.
[14] Kent, S. and K. Seo, "Security Architecture for the Internet
Protocol", RFC 4301, December 2005.
[15] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B.,
and T. Ylonen, "SPKI Certificate Theory", RFC 2693,
September 1999.
[16] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
RFC 3548, July 2003.
[17] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
(S/MIME) Version 3.1 Message Specification", RFC 3851,
July 2004.
[18] Richardson, M., "A Method for Storing IPsec Keying Material in
DNS", RFC 4025, March 2005.
Josefsson Standards Track [Page 15]
RFC 4398 Storing Certificates in the DNS February 2006
Appendix A. Copying Conditions
Regarding the portion of this document that was written by Simon
Josefsson ("the author", for the remainder of this section), the
author makes no guarantees and is not responsible for any damage
resulting from its use. The author grants irrevocable permission to
anyone to use, modify, and distribute it in any way that does not
diminish the rights of anyone else to use, modify, and distribute it,
provided that redistributed derivative works do not contain
misleading author or version information. Derivative works need not
be licensed under similar terms.
Author's Address
Simon Josefsson
EMail: simon@josefsson.org
Josefsson Standards Track [Page 16]
RFC 4398 Storing Certificates in the DNS February 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Josefsson Standards Track [Page 17]

2691
contrib/bind9/doc/rfc/rfc4408.txt Normal file
View File

File diff suppressed because it is too large Load Diff

451
contrib/bind9/doc/rfc/rfc4470.txt Normal file
View File

@ -0,0 +1,451 @@
Network Working Group S. Weiler
Request for Comments: 4470 SPARTA, Inc.
Updates: 4035, 4034 J. Ihren
Category: Standards Track Autonomica AB
April 2006
Minimally Covering NSEC Records and DNSSEC On-line Signing
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes how to construct DNSSEC NSEC resource records
that cover a smaller range of names than called for by RFC 4034. By
generating and signing these records on demand, authoritative name
servers can effectively stop the disclosure of zone contents
otherwise made possible by walking the chain of NSEC records in a
signed zone.
Table of Contents
1. Introduction ....................................................1
2. Applicability of This Technique .................................2
3. Minimally Covering NSEC Records .................................2
4. Better Epsilon Functions ........................................4
5. Security Considerations .........................................5
6. Acknowledgements ................................................6
7. Normative References ............................................6
1. Introduction
With DNSSEC [1], an NSEC record lists the next instantiated name in
its zone, proving that no names exist in the "span" between the
NSEC's owner name and the name in the "next name" field. In this
document, an NSEC record is said to "cover" the names between its
owner name and next name.
Weiler & Ihren Standards Track [Page 1]
RFC 4470 NSEC Epsilon April 2006
Through repeated queries that return NSEC records, it is possible to
retrieve all of the names in the zone, a process commonly called
"walking" the zone. Some zone owners have policies forbidding zone
transfers by arbitrary clients; this side effect of the NSEC
architecture subverts those policies.
This document presents a way to prevent zone walking by constructing
NSEC records that cover fewer names. These records can make zone
walking take approximately as many queries as simply asking for all
possible names in a zone, making zone walking impractical. Some of
these records must be created and signed on demand, which requires
on-line private keys. Anyone contemplating use of this technique is
strongly encouraged to review the discussion of the risks of on-line
signing in Section 5.
1.2. Keywords
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [4].
2. Applicability of This Technique
The technique presented here may be useful to a zone owner that wants
to use DNSSEC, is concerned about exposure of its zone contents via
zone walking, and is willing to bear the costs of on-line signing.
As discussed in Section 5, on-line signing has several security
risks, including an increased likelihood of private keys being
disclosed and an increased risk of denial of service attack. Anyone
contemplating use of this technique is strongly encouraged to review
the discussion of the risks of on-line signing in Section 5.
Furthermore, at the time this document was published, the DNSEXT
working group was actively working on a mechanism to prevent zone
walking that does not require on-line signing (tentatively called
NSEC3). The new mechanism is likely to expose slightly more
information about the zone than this technique (e.g., the number of
instantiated names), but it may be preferable to this technique.
3. Minimally Covering NSEC Records
This mechanism involves changes to NSEC records for instantiated
names, which can still be generated and signed in advance, as well as
the on-demand generation and signing of new NSEC records whenever a
name must be proven not to exist.
Weiler & Ihren Standards Track [Page 2]
RFC 4470 NSEC Epsilon April 2006
In the "next name" field of instantiated names' NSEC records, rather
than list the next instantiated name in the zone, list any name that
falls lexically after the NSEC's owner name and before the next
instantiated name in the zone, according to the ordering function in
RFC 4034 [2] Section 6.1. This relaxes the requirement in Section
4.1.1 of RFC 4034 that the "next name" field contains the next owner
name in the zone. This change is expected to be fully compatible
with all existing DNSSEC validators. These NSEC records are returned
whenever proving something specifically about the owner name (e.g.,
that no resource records of a given type appear at that name).
Whenever an NSEC record is needed to prove the non-existence of a
name, a new NSEC record is dynamically produced and signed. The new
NSEC record has an owner name lexically before the QNAME but
lexically following any existing name and a "next name" lexically
following the QNAME but before any existing name.
The generated NSEC record's type bitmap MUST have the RRSIG and NSEC
bits set and SHOULD NOT have any other bits set. This relaxes the
requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
names that did not exist before the zone was signed.
The functions to generate the lexically following and proceeding
names need not be perfect or consistent, but the generated NSEC
records must not cover any existing names. Furthermore, this
technique works best when the generated NSEC records cover as few
names as possible. In this document, the functions that generate the
nearby names are called "epsilon" functions, a reference to the
mathematical convention of using the greek letter epsilon to
represent small deviations.
An NSEC record denying the existence of a wildcard may be generated
in the same way. Since the NSEC record covering a non-existent
wildcard is likely to be used in response to many queries,
authoritative name servers using the techniques described here may
want to pregenerate or cache that record and its corresponding RRSIG.
For example, a query for an A record at the non-instantiated name
example.com might produce the following two NSEC records, the first
denying the existence of the name example.com and the second denying
the existence of a wildcard:
exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
\).com 3600 IN NSEC +.com ( RRSIG NSEC )
Weiler & Ihren Standards Track [Page 3]
RFC 4470 NSEC Epsilon April 2006
Before answering a query with these records, an authoritative server
must test for the existence of names between these endpoints. If the
generated NSEC would cover existing names (e.g., exampldd.com or
*bizarre.example.com), a better epsilon function may be used or the
covered name closest to the QNAME could be used as the NSEC owner
name or next name, as appropriate. If an existing name is used as
the NSEC owner name, that name's real NSEC record MUST be returned.
Using the same example, assuming an exampldd.com delegation exists,
this record might be returned from the parent:
exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
Like every authoritative record in the zone, each generated NSEC
record MUST have corresponding RRSIGs generated using each algorithm
(but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
described in RFC 4035 [3] Section 2.2. To minimize the number of
signatures that must be generated, a zone may wish to limit the
number of algorithms in its DNSKEY RRset.
4. Better Epsilon Functions
Section 6.1 of RFC 4034 defines a strict ordering of DNS names.
Working backward from that definition, it should be possible to
define epsilon functions that generate the immediately following and
preceding names, respectively. This document does not define such
functions. Instead, this section presents functions that come
reasonably close to the perfect ones. As described above, an
authoritative server should still ensure than no generated NSEC
covers any existing name.
To increment a name, add a leading label with a single null (zero-
value) octet.
To decrement a name, decrement the last character of the leftmost
label, then fill that label to a length of 63 octets with octets of
value 255. To decrement a null (zero-value) octet, remove the octet
-- if an empty label is left, remove the label. Defining this
function numerically: fill the leftmost label to its maximum length
with zeros (numeric, not ASCII zeros) and subtract one.
In response to a query for the non-existent name foo.example.com,
these functions produce NSEC records of the following:
Weiler & Ihren Standards Track [Page 4]
RFC 4470 NSEC Epsilon April 2006
fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
\)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )
The first of these NSEC RRs proves that no exact match for
foo.example.com exists, and the second proves that there is no
wildcard in example.com.
Both of these functions are imperfect: they do not take into account
constraints on number of labels in a name nor total length of a name.
As noted in the previous section, though, this technique does not
depend on the use of perfect epsilon functions: it is sufficient to
test whether any instantiated names fall into the span covered by the
generated NSEC and, if so, substitute those instantiated owner names
for the NSEC owner name or next name, as appropriate.
5. Security Considerations
This approach requires on-demand generation of RRSIG records. This
creates several new vulnerabilities.
First, on-demand signing requires that a zone's authoritative servers
have access to its private keys. Storing private keys on well-known
Internet-accessible servers may make them more vulnerable to
unintended disclosure.
Second, since generation of digital signatures tends to be
computationally demanding, the requirement for on-demand signing
makes authoritative servers vulnerable to a denial of service attack.
Last, if the epsilon functions are predictable, on-demand signing may
enable a chosen-plaintext attack on a zone's private keys. Zones
using this approach should attempt to use cryptographic algorithms
that are resistant to chosen-plaintext attacks. It is worth noting
that although DNSSEC has a "mandatory to implement" algorithm, that
is a requirement on resolvers and validators -- there is no
requirement that a zone be signed with any given algorithm.
The success of using minimally covering NSEC records to prevent zone
walking depends greatly on the quality of the epsilon functions
Weiler & Ihren Standards Track [Page 5]
RFC 4470 NSEC Epsilon April 2006
chosen. An increment function that chooses a name obviously derived
from the next instantiated name may be easily reverse engineered,
destroying the value of this technique. An increment function that
always returns a name close to the next instantiated name is likewise
a poor choice. Good choices of epsilon functions are the ones that
produce the immediately following and preceding names, respectively,
though zone administrators may wish to use less perfect functions
that return more human-friendly names than the functions described in
Section 4 above.
Another obvious but misguided concern is the danger from synthesized
NSEC records being replayed. It is possible for an attacker to
replay an old but still validly signed NSEC record after a new name
has been added in the span covered by that NSEC, incorrectly proving
that there is no record at that name. This danger exists with DNSSEC
as defined in [3]. The techniques described here actually decrease
the danger, since the span covered by any NSEC record is smaller than
before. Choosing better epsilon functions will further reduce this
danger.
6. Acknowledgements
Many individuals contributed to this design. They include, in
addition to the authors of this document, Olaf Kolkman, Ed Lewis,
Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
Jakob Schlyter, Bill Manning, and Joao Damas.
In addition, the editors would like to thank Ed Lewis, Scott Rose,
and David Blacka for their careful review of the document.
7. Normative References
[1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033, March
2005.
[2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Resource Records for the DNS Security Extensions", RFC 4034,
March 2005.
[3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Protocol Modifications for the DNS Security Extensions", RFC
4035, March 2005.
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
Weiler & Ihren Standards Track [Page 6]
RFC 4470 NSEC Epsilon April 2006
Authors' Addresses
Samuel Weiler
SPARTA, Inc.
7075 Samuel Morse Drive
Columbia, Maryland 21046
US
EMail: weiler@tislabs.com
Johan Ihren
Autonomica AB
Bellmansgatan 30
Stockholm SE-118 47
Sweden
EMail: johani@autonomica.se
Weiler & Ihren Standards Track [Page 7]
RFC 4470 NSEC Epsilon April 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Weiler & Ihren Standards Track [Page 8]

6051
contrib/bind9/doc/rfc/rfc4634.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1963
contrib/bind9/doc/rfc/rfc4641.txt Normal file
View File

File diff suppressed because it is too large Load Diff

2
contrib/bind9/lib/bind/api
View File

@ -1,3 +1,3 @@
LIBINTERFACE = 4
LIBREVISION = 6
LIBREVISION = 10
LIBAGE = 0

3
contrib/bind9/lib/bind/config.h.in
View File

@ -11,6 +11,8 @@
#undef POSIX_GETPWNAM_R
#undef POSIX_GETGRGID_R
#undef POSIX_GETGRNAM_R
#undef HAVE_MEMMOVE
#undef HAVE_MEMCHR
#undef NEED_SETGROUPENT
#undef NEED_GETGROUPLIST
@ -38,6 +40,7 @@
#undef HAS_PW_CLASS
#undef ssize_t
#undef uintptr_t
/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */

Some files were not shown because too many files have changed in this diff Show More